11.Much of the existing framework governing the use of investigatory powers is found in the Regulation of Investigatory Powers Act 2000 (“RIPA”). In addition to RIPA, a number of other pieces of statute apply. These include the Telecommunications Act 1984, the Police and Criminal Evidence Act 1984, the Intelligence Services Act 1994, the Terrorism Act 2000, and the Wireless Telegraphy Act 2006.
12.RIPA does not provide obligations on providers to retain data, only on how such data is acquired and disclosed. Prior to 2001, if service providers retained data which could be accessed under RIPA, it would only be data which they were retaining anyway for their own purposes. In response to the attacks on 11 September 2001 an anti-terrorism law, the Anti-terrorism, Crime and Security Act 2001 (ATCSA) was passed. ATCSA introduced a voluntary code which made it possible for details of every website visited, the transmission of every email and SMS text message sent and every phone call made in the UK to be retained for various periods and made available to authorities on request. This position changed again in 2006 when the mandatory retention of data on communications networks was introduced by the EU Data Retention Directive (Directive 2006/24/EC). The Directive was transposed into UK law by the Data Retention (EC Directive) Regulations 2007 and the Data Retention (EC Directive) Regulations 2009.
13.In June 2012 the coalition Government published the Draft Communications Data Bill. This draft Bill would have replaced RIPA’s provisions on the acquisition of communications data. In addition it would have extended significantly the range of data which service providers were required to store. This data would have included more detailed records of each user’s internet browsing activity (websites visited but not pages within websites), details of messages sent on social media, webmail, voice calls over the internet, and gaming, in addition to emails, SMS text messages and phone calls.
14.A number of bodies would have had access to this data, chiefly: the Police, the Serious and Organised Crime Agency, the intelligence agencies and HM Revenue and Customs. Such access would not have been subject to judicial authorisation. Access was only permitted if the data was required to investigate crime, protect national security or for a range of other specified purposes. The Government argued that the Bill was necessary in order for the police and intelligence and security agencies to operate effectively in a fast-changing environment of communications technology, in which an increasing proportion of communications took place over the internet.
15.A Joint Committee on the draft Bill was appointed in June and reported in December 2012. The Committee concluded that the powers to order the retention of data contained in the Bill should be significantly narrowed, and new safeguards against abuse introduced, before these powers could be workable. It also recommended that there should be much better consultation with industry, technical experts, civil liberties groups, public authorities and law enforcement bodies before a new Bill specifying the types of internet data that should be made available to public authorities for investigative purposes was introduced. The Intelligence and Security Committee also published a report raising similar concerns, including that there had been insufficient consultation with Communications Service Providers (CSPs). In the face of an increasingly contentious debate, the draft Bill did not proceed to a Bill proper being introduced.
16.A further area of debate in the Draft Communications Data Bill was over its proposed extension of the scope of powers for local authorities to make potentially intrusive use of communications data. Unlike its predecessor legislation, the Draft Investigatory Powers Bill does not provide new powers to local authorities. It is also worth noting that the Protection of Freedoms Act 2012 has, in the meantime, introduced a tighter regime for the authorisation of access to communications data by local authorities, requiring the approval of a magistrate.
17.In April 2014 the Court of Justice of the European Union (CJEU) produced a ruling, Digital Rights Ireland,2 which found the Data Retention Directive to be invalid because it infringed privacy and data protection rights guaranteed by the EU Charter of Fundamental Rights. The Data Retention Directive, as implemented by secondary legislation in the UK, provided the existing framework requiring the retention of communications data by service providers. The CJEU’s ruling therefore had the effect of removing this framework and compromising the ability of law enforcement agencies to access such data if there was no other legitimate reason for service providers to retain it. In response to the ruling, the Government introduced an expedited Bill, which became the Data Retention and Investigatory Powers Act 2014 (DRIPA).
18.DRIPA was subsequently modified by part 3 of the Counter-Terrorism and Security Act 2015 (CTSA), which gave the Secretary of State the ability to require internet service providers to retain data allowing the authorities to identify the person or device using a particular internet protocol (IP) address at any given time.
19.Section 8 of DRIPA contained a ‘sunset clause’, repealing the Act at the end of 2016. During the Bill’s second reading in the Commons, the period of time, some seventeen months, before the sunset clause took effect was criticised by a number of MPs for being longer than was necessary. In response to this, the Home Secretary explained that the period was necessary to allow for subsequent review, including for a Committee such as this one:
“the reason it has been put at the end of 2016 is that we will have a review by David Anderson which will report before the general election. It is the intention that a Joint Committee of Parliament will look at his work and that of the Intelligence and Security Committee. It will then be necessary to put the required legislation in place. If anyone stops to think about that timetable, it is clear that it could not be completed by the end of this year.”3
20.Section 8 of DRIPA therefore set the terms of the subsequent necessary steps on the path to the introduction of new legislation, at least to provide for data retention.
21.DRIPA has recently been challenged in the UK courts. In November 2015, the Court of Appeal made a reference to the CJEU asking whether the judgment in Digital Rights Ireland was intended to lay down mandatory requirements for national legislation that was introduced to comply with European law in this area. The Court of Appeal also asked the CJEU whether Digital Rights Ireland was intended to extend data rights protection under European law beyond that available under the right to privacy (Article 8) in the European Convention on Human Rights.4 We understand that the CJEU is likely to consider this issue before the Bill completes its passage through both Houses.
22.The Human Rights Act 1998 incorporates the European Convention on Human Rights (ECHR) into UK law. This means that the draft Bill must comply with the Convention, as must all UK legislation. Article 8 of the ECHR, which protects private and family life, is of particular relevance in assessing the legality of surveillance and investigatory powers. Article 8(2) requires that any State interference with an individual’s right to privacy is both necessary for the furtherance of a legitimate aim such as national security or the prevention and detection of crime, and proportionate. The Home Office view is that the provisions in the draft Bill comply with the Act and resolve “the inevitable tension” between intrusive capabilities and individual rights.5
23.The UK’s Investigatory Powers Tribunal is currently considering cases brought by Privacy International and others relating to the lawfulness of equipment interference and bulk personal datasets. These legal issues are considered further in the following Chapter, in particular in the context of the data retention and bulk provisions in the draft Bill. In both cases, the Government will have to consider whether it has made appropriate adjustments to reflect existing judgments and to proof the Bill against future judgements of both courts.
24.The UK is not alone in considering how to balance privacy rights against the need to give its law enforcement and intelligence and security agencies the tools to combat crime and terrorism in an increasingly digital world. A number of other EU Member States are in the process of reviewing their national regimes in light of the CJEU’s judgment in Digital Rights Ireland. Terrorist attacks during the course of 2015 have also prompted some states to seek to provide more intrusive powers for their law enforcement and security and intelligence agencies. Although we did not take enough evidence on international comparisons to draw firm conclusions, comparisons of the degree of judicial involvement in different jurisdictions are worthwhile in considering the proposals for revised authorisation and oversight arrangements in Chapters 4 and 5.
25.Section 7 of DRIPA required the Government’s independent reviewer of terrorism legislation, David Anderson QC, “to review the operation and regulation of investigatory powers”, including “the effectiveness of existing legislation (including its proportionality) and the case for new or amending legislation”.
26.David Anderson QC published his report, A Question of Trust, on 11 June 2015.6 It was wide-ranging and called for an entirely new legislative framework to replace RIPA and DRIPA. The report also made a series of detailed recommendations, which are considered below as they relate to the provisions of the draft Bill. One of the major recommendations was for the creation of a new body, the Independent Surveillance and Intelligence Commission (ISIC), which would authorise all interception warrants and combine the oversight roles currently filled by three separate commissioners.
27.The Intelligence and Security Committee of Parliament (ISC) is the body of parliamentarians with which primary oversight of the security and intelligence agencies rests. The ISC was established in 1994 under the Intelligence Services Act, and was reformed under the Justice and Security Act 2013. This legislation made the ISC a statutory committee of Parliament and strengthened its powers. The ISC has significantly greater access to information than an investigative select committee such as this joint committee, including access to primary material held within the Agencies. Its remit has also been expanded to include oversight of intelligence and security operations, and oversight of all intelligence and security activities of Government. In the course of its inquiries, the ISC is able to question Ministers and the security and intelligence agencies to hold them to account for their use of intrusive capabilities.
28.In March 2015, the ISC published its report, Privacy and Security: A modern and transparent legal framework.7 The report concluded that the UK’s intelligence and security agencies did not seek to circumvent the law but that the legal framework was “unnecessarily complicated” and “lacks transparency”. The report called for the consolidation of all current legislation governing the intrusive capabilities of the agencies into a single Act, with all of their capabilities explicitly avowed and the authorisation arrangements for these capabilities set out. The ISC report also paid particular attention to the agencies’ use of bulk powers. These powers are explored in the following Chapter of this report. The ISC report rejected calls for a greater degree of judicial involvement in the authorisation of warrants on the grounds that Ministers were “able to take into account the wider context of each warrant application” and were “democratically accountable for their decisions.”8
29.In July 2015, the Royal United Services Institute (“RUSI”) published its own report, A Democratic Licence to Operate, based on the work of an Independent Surveillance Review panel convened at the request of the then Deputy Prime Minister in March 2014.9 The RUSI report agreed with the ISC and Anderson reports that “the current surveillance powers are needed but that they require a new legislative framework and oversight regime”. The report also called for “a composite approach to the authorisation of warrants, dependent on the purpose for which the warrant is sought and subsequent degree of ministerial input required”.10 Warrants relating to serious crime would need to be authorised by a judicial commissioner, with ministerial authorisation of warrants relating to national security being subject to judicial review.
30.Although they differed on much of the detail, particularly over the authorisation of warrants, it is telling that all three reviews found the current legislative framework provided by RIPA and other legislation to be essentially unfit for purpose and in need of replacement by a single piece of statute. This fundamental recommendation, which was accepted by the Government, had implications for the form of the Draft Investigatory Powers Bill, making it necessarily a wider and more far reaching document than its 2012 predecessor. Producing this document to a timescale which would fit with that already set by DRIPA required the Home Office and others within Government to carry out an exceptionally heavy workload at some pace. At points we have identified problems with the way the draft Bill is written and the timing and degree of the Government’s consultation with stakeholders. These problems were hardly surprising given the sheer scale of the task to which the Government committed itself in the summer of 2015.
31.The Home Office published its draft Bill, alongside a large amount of supporting information, on 4 November 2015. There were statements on the same day in both Houses. Speaking to the House of Commons, the Home Secretary, the Rt Hon Theresa May MP, outlined her view of the security context to the Bill:
“The internet has brought us tremendous opportunities to prosper and interact with others. But a digital society also presents us with challenges. The same benefits enjoyed by us all are being exploited by serious and organised criminals, online fraudsters, and terrorists. The threat is clear. In the past 12 months alone, six significant terrorist plots have been disrupted here in the UK, as well as a number of further plots overseas. The frequency and cost of cyber-attacks is increasing, with 90% of large organisations suffering an information security breach last year. The Child Exploitation and Online Protection Centre estimates that there are 50,000 people in this country downloading indecent images of children.
The task of law enforcement and the security and intelligence agencies has become vastly more demanding in this digital age. It is right, therefore, that those who are charged with protecting us should have the powers they need to do so, but it is the role of Government and Parliament to ensure that there are limits to those powers.”11
32.As well as this Joint Committee, a number of other committees have been actively scrutinising the draft Bill. The Intelligence and Security Committee has been holding hearings to follow up its predecessor Committee’s earlier report. The ISC is expected to publish its report at around the same time as this Committee. The Commons Science and Technology Committee conducted an inquiry into the technical aspects of the report and published its report on 1 February.12 The Joint Committee on Human Rights invited evidence on the draft Bill and, although it has not commented at this stage, the Committee has indicated that it will scrutinise the Bill when it is ultimately introduced. Lastly, at our request, and to a tight timescale, the Lords Delegated Powers and Regulatory Reform Committee examined the Government’s draft delegated powers memorandum. Its views on the delegations are reproduced at Appendix 3.
33.We are conscious that the array of work in different committees, in addition to the primary role of this committee in addressing the draft Bill as a whole, had the potential to confuse rather than elucidate, and may have added to the burden on witnesses. The high degree of interest taken by committees shows the degree of importance Parliament attaches to these measures. This early and active engagement will no doubt assist the depth of scrutiny which Parliament can offer to the Bill proper when it comes.
34.The arguments surrounding the capabilities provided by the draft Bill and the proposed authorisation and oversight arrangements are considered at length in the remainder of this report. The draft Bill is long and has a heavy technical element. We therefore hope that the table below will assist the reader: it simply describes each capability and explains where it is to be found in the draft Bill (clause numbers in parentheses).
Table 1: The powers in the Draft Investigatory Powers Bill
| Power | Conduct authorised | Statutory bodies/purposes | Authorisation—Acquisition | Authorisation—Access | Oversight | Where addressed in this report |
|---|---|---|---|---|---|---|
| Targeted Interception (13) | Obtaining the content of a communication in the course of its transmission (12(2)(a)) | 5 law enforcement agencies, MI5, GCHQ, SIS and the Ministry of Defence (15(1)). Purposes: National Security, Serious Crime, Economic Well-Being of the UK related to National Security and as part of a mutual assistance agreement (14(3)) | Secretary of State authorisation, subject to approval by a Judicial Commissioner before non-urgent warrants come into force (14(1)(d)) | N/A | Investigatory Powers Commission (IPC) (167) replaces the Interception of Communications Commissioner’s Office (IOCCO), the Office of Surveillance Commissioners (OSC) and the Intelligence Services Commissioner (ISCom). The judge-led IPC will have an extensive remit to oversee the use of all investigatory powers and will scrutinise those provided with these powers through inspections, investigations, audits and authorisations of warrants and internal practices. (169, 170) Statutory Codes of Practice will outline further details (179) | Capability: paras 34-42; Authorisation: paras 434-444 |
| | Obtaining related communications data (RCD) from communications described in the warrant (12(2)(b)) | | | | | |
| Communications Data (CD) (46) | Obtain CD, usually via Communications Service Providers (CSPs) (46(2)) (‘any person’) | Public authorities provided with the ability to acquire CD (54) and statutory purposes (46(7)) listed in the Bill | Must be authorised by a designated person (who must be independent from the investigation) following consultation with a single point of contact (SPoC) (60) | N/A For ICRs, restricted to 3 specified purposes; local authorities excluded (47(4) and (5)) | | Capability: paras 43-88 (CD) and 89-156 (ICRs); Authorisation: paras 469-489 |
| Targeted Equipment Interference (EI) (81(1)(a)) | Obtaining data covertly from computers and other equipment (communications, private information, equipment data—comms data, system data, extracted CD) (81, 82) | MI5, GCHQ, SIS, (84) law enforcement (89) and the Ministry of Defence (87). Purposes: National Security, Serious Crime and Economic Well-Being of the UK related to National Security. Law enforcement may only seek warrants for serious crime (89) | Secretary of State authorises warrants for MoD and security and intelligence agencies (84, 87). Chief Constable authorises law enforcement use (89). All non-urgent warrants subject to Judicial Commissioner check before coming into force (84(1)(d), 87(1)(d), 89(1)(d)) | N/A | | Capability: paras 265-305; Authorisation: paras 445-452 |
| Bulk Powers | Bulk interception (106) (obtaining overseas-related content and related communications data (RCD) (106(2)) | MI5, GCHQ, SIS (107(1)). Purposes: | Secretary of State authorises warrants, subject to approval by a Judicial Commissioner (107, 137, 122) Interception and equipment interference warrants (but not data acquisition warrants) must be for overseas- | Examination of any material must be necessary for a specified Operational Purpose (which can be general (111(4), 140(5), 125(4))), authorised by a Secretary of State and approved by a Judicial Commissioner. Examination of content relating to persons in the UK requires a separate targeted examination warrant | | Capability: paras 306-374; Authorisation: paras 490-493 |
| | Bulk Equipment interference (135)(1)(b) Obtaining overseas-related stored communications, private information and equipment data other equipment (135, 136) | MI5, GCHQ, SIS (137(1)). Purposes: | | | | |
| | Bulk acquisition of Communications data (122) | MI5, GCHQ, SIS (122(1)). Purposes: | | | | |
| Bulk Personal Datasets (BPD) (150) | Warrants authorising the obtaining, retention and examination of classes of BPDs (153) and specific BPDs (154). | MI5, GCHQ, SIS (153(1), 154(1)). Purposes: | Authorisation to acquire BPDs issued by Secretary of State and subject to approval by a Judicial Commissioner (153(3), 154(5)) | Examination of any material must be necessary for a specified Operational Purpose (153(4), 154(4)), authorised by a Secretary of State and approved by a Judicial Commissioner | | Capability: paras 375-408; Authorisation: paras 494-497 |
| Data retention notices (71) | Imposing a requirement on a telecommunications operator to retain relevant communications data (71) | The Secretary of State considers it necessary and proportionate (71(1)) for any of the purposes listed in 46(7) | The Secretary of State considers it necessary and proportionate (71(1)) | Access is through the power to obtain communications data (46) | An appeal to the Secretary of State against a Data retention notice requires the Secretary of State to consult the Technical Advisory Board and the Investigatory Powers Commissioner (73(6)) | Capability: paras 157-229 |
| National Security notices (188) | Serving a notice requiring a telecommunications operator to take any steps necessary in the interests of national security (188(1)) | Purposes: Necessary in the interests of national security (188(1)) | The Secretary of State must consider the notice to be proportionate (188(2)). Notices may not require the taking of any steps the main purpose of which would be to do something for which a warrant under the other provisions of the Bill would be required (188(4)). | N/A | An appeal to the Secretary of State against a National Security notice requires the Secretary of State to consult the Investigatory Powers Commissioner (191(5)) | Authorisation: paras 498-502 |
| Technical Capability notices (189) | Imposing specific obligations on providers of postal or telecommunications services (189(2)) | Purposes: | The Secretary of State must consider the notice to be reasonable and practicable (189(3)) and consult with the Technical Advisory Board and the person upon whom the obligations fall (189(5)) | N/A | An appeal to the Secretary of State against a Technical Capability notice requires the Secretary of State to consult the Technical Advisory Board and the Investigatory Powers Commissioner (191(5)) | Capability: paras 248-264 (encryption); Authorisation: paras 498-502 |
The information in this table has been based on the information provided in the submission by Professor Lorna Woods on behalf of an ad hoc working group on the draft Bill.13
2 European Court of Justice, Digital Rights Ireland, C-293/12
3 HC Deb, 15 July 2014, col 714
4 Court of Appeal, Davis and oths v Secretary of State of the Home Department, [2015] EWCA Civ 1185
5 Home Office, Investigatory Powers Bill: European Convention on Human Rights Memorandum, 4 November 2015
6 David Anderson QC, A Question of Trust: Report of the Investigatory Powers Review, 2015
7 Intelligence and Security Committee (ISC), Privacy and Security: A modern and transparent legal framework, 12 March 2015, HC 1075
8 Ibid.
9 Royal United Services Institute (RUSI), A Democratic Licence to Operate: Report of the Independent Surveillance Review, July 2015
10 Ibid.
11 HC Deb, 4 November 2015, col 969
12 House of Commons Science and Technology Committee, Investigatory Powers Bill: technology issues (Third Report, Session 2015–16, HC 573)