Session 2023-24
Investigatory Powers (Amendment) Bill [HL]
Written evidence submitted by Global Network Initiative (GNI) (IPAB12)
Written Evidence on U.K.’s Investigatory Powers (Amendment) Bill
About GNI
The Global Network Initiative is a multistakeholder initiative that brings together over 95 leading academics, technology companies, civil society organizations, and investors, collaborating around a shared framework for the protection of freedom of expression and privacy in the tech sector. GNI’s analysis is informed by global experiences and perspectives implementing and advocating for rights-respecting approaches in the tech ecosystem.
Contact: Ramsha Jahangir, Global Network Initiative
Email: rjahangir@globalnetworkinitiative.org
Background
GNI expresses deep concern regarding the United Kingdom’s (U.K.) proposed changes to the 2016 Investigatory Powers Act (IPA), as outlined in the Investigatory Powers (Amendment) Bill and requests that the House of Commons Public Bill Committee extend the period for and allow greater debate and deliberation on these changes.
GNI and its members have been engaged in UK surveillance policy for many years and have followed the IPA since it was introduced in 2016. We have previously provided substantive analysis on the U.K.’s primary policy governing the surveillance of electronic communications. While GNI recognizes the importance of protecting national security, we believe some of the government’s proposed changes may significantly interfere with the privacy and safety of users of internet and telecommunications services, both within the U.K. and outside of its borders, which would undermine the IPA as a model for emulation overseas. As the House of Commons considers theBill , GNI encourages the Committee to prioritize amendments that ensure an appropriate and proportionate scope of investigatory powers, inclusion of effective safeguards, sensitivity to jurisdictional reach and potential conflicts of law, as well as privacy and security safeguards.
Our key concerns with the Investigatory Powers (Amendment) Bill are:
1. Risks to privacy and security under Notification Regime
Proposed under Section 20, the new Notification Notice process empowers the UK Home Secretary - without the approval or oversight of a Judicial Commissioner - to legally require "operators that provide lawful access of significant operational value" to proactively inform the Home Office of their intentions to make certain adjustments to certain products or systems. Details as to the types of services and changes requiring notification remain vague. Notices will be issued in secret, without the ability for operators to alert anyone to their contents or existence. Section 17 further mandates that operators refrain from making certain alterations to their services or systems if they have been served with data retention, national security, or technical capability notice. This restriction applies even if the notice is under review and has not yet been fully implemented.
These requirements represent a burdensome and unprecedented assertion of state control over the information and communications technology environment that will impact operators’ ability to operate and innovate freely in a global market. Many of the technologies covered by these requirements are deployed to avoid or mitigate cybersecurity risks, comply with relevant data protection laws and regulations, and ensure smooth and consistent user experiences. The act of having to notify and explain proposed technical changes prior to their implementation is likely to increase risks to cybersecurity, enhance the potential for conflicts of laws, and lead to the degradation of user experiences. Paired with existing powers to give other types of Notice, this could allow the UK government to pre-emptively and indefinitely delay the rollout of new products and services in the UK market. This is a significant change to the current regime with significant consequences, likely to be further amplified as other governments, including authoritarian regimes, seek to mirror the same authority in their domestic legal frameworks, citing U.K. precedent.
Furthermore, the notice regime raises serious concerns regarding the potential for government overreach and infringement of privacy rights. By mandating pre-notification (Notification Notices) for planned changes to services or products, these amendments grant the U.K. Home Office extraordinary awareness and control over tech providers’ operations. Such sweeping powers, unparalleled in their scope, pose a significant threat to future product security and consumer privacy globally. Additionally, the Bill raises the specter that the U.K. government could force operators to continue offering products with known security or privacy flaws, hindering their ability to improve products over time in response to evolving regulation, external threats, and market expectations or decommission obsolete, flawed, or unsecure products and services.
We do not see this as a debate about "encryption" per se - but rather the wider issue of operators’ ability to innovate to advance the data protection, data security, and data minimization efforts expected by users and governments globally.
We encourage the UK government and the Committee to carefully consider the implications and practicality of these provisions and opt instead for other less restrictive, burdensome, and costly approaches to achieving relevant, legitimate national security objectives.
If a notice regime is to be imposed, the Bill should be amended to significantly narrow its application to the U.K. instead of the operation of products overseas, exclude entities that do not control products offered in the U.K., impose sufficient transparency and accountability mechanisms such as proportionality tests that will include the collateral impact on an operator and their freedom to conduct business, subject notification notices to the same 'double lock' authorization process as other notices,, and create exceptions for critical privacy and security-related adjustments.
2. Extraterritorial impact
The UK government asserts that other provisions of the IPA already have extraterritorial application. For instance, under Section 253(8), a technical capability notice "may be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom)." Yet the Bill seeks to broaden the extraterritorial reach of the legislation not only via the new Notification Notice but also by revising the definition of "telecommunications operator" to encompass a wider range of individuals or companies engaged in providing telecommunications services in the U.K., including those that manage or offer telecommunications systems situated outside the U.K.’s borders. This would effectively mean that a Technical Capability Notice or National Security Notice issued by the U.K. could impact global product improvements. Alternatively, a provider facing such a notice might be incentivized not to introduce an update or to withdraw its product or service altogether from the U.K. market.
GNI recommends the Committee consider the additional extraterritorial control the UK government seeks – as a result of the broader definition of "telecommunications operator" – over non-U.K. operators and products offered overseas, including those used by citizens whose rights are protected by other governments. The Home Office has acknowledged that the Bill may raise conflicts of law between the U.K. and other countries, including the U.S. and EU. Unlike the IPA itself, there are no mitigations [1] and overseas providers are exposed to an unquantified risk of extraterritorial enforcement by a foreign government. The Notice regime imposes a strict non-disclosure obligation on operators, preventing them from informing anyone, including the public or the US or EU member state governments, about a Notification Notice or Technical Capability Notice. Specifically, operators are prohibited from disclosing the existence or contents of the notice to any third party without the express authorization of the U.K. Secretary of State. This blanket gag provision effectively shields these orders from scrutiny and impedes the ability of other governments to be aware of, review, or intervene in these decisions. It also prevents overseas operators from seeking diplomatic assistance from their domestic government in the event of an overreach of power or a situation where a UK notice puts an overseas provider in breach of legal obligations or orders stemming from another jurisdiction.
By asserting extraterritorial jurisdiction and providing no mitigations against enforcement, the Bill could also provide unintended justification for similar actions by other governments, especially authoritarian regimes, many of which are already pursuing legislation that would hinder operators’ ability to transfer data across borders and protect users from government overreach. The combined effect of broader and more explicit assertions of extraterritorial jurisdiction, paired with threats of enforcement, increase the likelihood of conflicts of laws and further complicate the international legal framework applicable to technology providers at a time when the stated and shared objective of the UK government and other key stakeholders is to protect the open, interoperable, secure, and global internet from threats such as unwarranted surveillance and unnecessary fragmentation. The Committee should keep in mind the new and unmitigated conflicts this regime would pose for operators required to concurrently comply with the Bill and the vastly more complex patchwork of international laws and regulations relating to digital products and services. We urge the House of Commons to consider carefully the broader ramifications of introducing such broadly framed and unilateral extraterritorial powers and enforcement, and to scale back their application, including by forbearing from notices which create conflict of law scenarios. We suggest the U.K. clarify that the conflicts of laws are a consideration when deciding whether or not to give an order.
3. Transparency and accountability
As a member of the Freedom Online Coalition , the U.K. has committed to promoting "transparency and independent, effective domestic oversight related to electronic surveillance." The Bill in its current form misses the opportunity to fulfill the state’s commitment to greater transparency and accountability regarding its surveillance practices. As stated in the FOC guiding principles on government surveillance, governments should ensure the operation of surveillance technologies is governed in a manner that proactively mitigates the risks of misuse and enables appropriate access to judicial or administrative review. The Bill lacks substantive safeguards against government overreach by allowing for the more permissive use of bulk data by U.K. agencies where there is "low or no reasonable expectation of privacy" without judicial authorization. Introducing this vaguely defined category of "bulk personal dataset (BDP)" allows agencies to justify accessing and processing data without proper safeguards, even when individuals have a reasonable expectation of privacy in their personal information.
GNI recommends that governments disclose information about the bulk data demands they make on operators, including the number of warrants, the number of users affected by those demands, the specific legal authority for each of those demands, and what type of content the agencies sought under BDP requests. Operators should also be permitted to disclose the number of notices that they receive, how they respond to them, and the technical changes they are legally bound to install, implement, and comply with. We urge the U.K. government to consider how users can have meaningful redress without transparency about authorized intrusions into their privacy. We recommend the Committee allow operators to permit disclosures to regulatory or judicial authorities in the U.K. and overseas where required as exculpatory evidence, as well as to share relevant information with the public where appropriate. The Committee should also reflect on whether it is appropriate for such disclosures to be subject to political authorization only.
For reasons outlined above and echoed by other stakeholders , we believe the amended Bill is disproportionate, potentially harmful to users, and unworkable, and as such likely to lead to significant impacts on privacy and security in combination with existing powers. We remain very concerned about the global implications of such measures and encourage the Committee to consider the broader and collateral effects of the proposed revision to the U.K.’s Investigatory Powers Act.
7 March 2024
[1] Under the IPA, the UK government forebears from extraterritorial enforcement where overseas companies operate under an international agreement, such bilateral agreements with the US government under the CLOUD Act.