Dubbed the ‘Snooper’s Charter’, the Investigatory Powers Act 2016 (IPA) is the statutory basis for the electronic surveillance powers of the United Kingdom’s intelligence agencies and law enforcement bodies. Two powers granted under the IPA have proved particularly controversial and appear to sit at odds with the incoming General Data Protection Regulation (GDPR).
The IPA allows the Home Secretary to compel organisations that carry electronic communications, known as Communications Service Providers (CSPs), to retain Internet Connection Records (ICRs) for up to 12 months. Part 3 of the IPA (sections 61 and 62) then allows public authorities to obtain this ICR data without a warrant; the authorisation of a “designated senior officer” within the requesting authority is all that is required.
Within the technology sphere there is no settled definition of what constitutes an ICR; instead the National Crime Agency (NCA) and related government bodies have been working with CSPs to understand how their networks operate and what data can practically be captured. ICRs are not intended to provide a full browsing history revealing what was done on a website, but rather to show which sites a device connected to, recorded only up to the first slash after the domain in the web address, for instance https://ipharbour.com/ and nothing beyond it. Jonathan Richards, legal director at the NCA, stated in a 2016 interview that ICRs are not intended to identify a person’s bank account number, the flights they booked, or who they communicated with on WhatsApp.
Section 176 of the IPA provides for bulk equipment interference warrants: on a warrant issued by the Secretary of State, the intelligence services may interfere with equipment (in plain terms, hack devices and networks) to obtain and retain communications and related data, such as telephone records and emails, and CSPs can be required to assist in giving effect to the warrant.
However, the Home Office stalled the implementation of both provisions after the European Court of Justice (ECJ) ruled, on 21 December 2016, that “general and indiscriminate” retention of citizens’ communications data breaches the Privacy and Electronic Communications Directive 2002/58/EC, read in the light of Articles 7, 8 and 11 of the Charter of Fundamental Rights. While the Court of Appeal considers how to apply that decision, implementation may be further stalled by the GDPR.
Set to replace the Data Protection Act 1998 from 25 May 2018, the GDPR obliges data controllers to be “clear and transparent” and grants data subjects, wherever in the EU they are, a tranche of legal rights over the security and privacy of their data. The rights that most obviously conflict with the IPA are those relating to consent and erasure. Article 4(11) GDPR defines consent as “freely given, specific, informed and unambiguous”, and Article 7 requires controllers who rely on consent as their lawful basis to be able to demonstrate it; Article 17 grants the right to erasure, namely to have personal data ‘forgotten’ by the controller.
Moreover, these rights rest on an expanded definition of personal data that now expressly covers online identifiers such as IP addresses and cookie identifiers, genetic and biometric data, and data relating to criminal convictions.
Article 23 GDPR allows Member States to legislate restrictions on these rights and obligations, provided the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. Permitted aims include national security, defence, the investigation and prosecution of criminal offences, and safeguarding the ethics of regulated professions; however, it is debatable whether exercising the IPA powers described above would be deemed proportionate, for three reasons:
- The ECJ’s 2016 ruling found the predecessor retention regime, on which these sections of the IPA are modelled, incompatible with a less stringent directive. A reversal of that jurisprudence is highly unlikely, and UK courts will soon have a higher standard against which to test the IPA in any challenge. After all, the GDPR takes direct effect in UK law, whereas a directive grants the UK broad discretion as to implementation.
- Although the IPA powers are exercised in secret, and any infringement is likely to occur without the data subject’s knowledge, they remain open to challenge. Generally, applicants must show a reasonable likelihood that they are directly affected by the contested measure; however, in 2015, in Zakharov v. Russia, the European Court of Human Rights relaxed that requirement for challenges to secret surveillance regimes. And because the GDPR is a regulation, UK courts must apply it directly, as if it were a piece of UK legislation, while having regard to the ECJ’s jurisprudence.
- Finally, one of the EU’s intentions in adopting the GDPR is to prevent data nationalism: the driving down of data protection standards by states competing for digital business. That effort is undermined so long as the IPA, albeit for different reasons, entrenches divergent standards in one Member State.
Brexit will not grant the UK government a free pass. Not only does the regulation apply to organisations based outside the Union that handle the data of individuals in the EU, but the GDPR will also take effect in UK law around a year before the proposed date of withdrawal. In addition to the proposed Repeal Bill, Parliament is currently debating the Data Protection Bill, which will update current data protection law in line with the GDPR.
Therefore, the rights and restrictions of the GDPR appear here to stay. Given that it markedly strengthens data protection law (data subjects may complain to a supervisory authority and claim compensation for damage caused by an infringement) and is backed by fines of up to €20 million or 4% of worldwide annual turnover, the incoming GDPR may cause the government to reconsider aspects of the Investigatory Powers Act.