A New Investigatory Powers Act in the United Kingdom Enhances Government Surveillance Powers

Under the radar in terms of press coverage on both sides of the Atlantic is the new Investigatory Powers (Amendment) Act 2024 adopted by the UK Parliament on April 23, 2024. This swiftly considered set of revisions to government surveillance powers has now been finalized by royal assent. 

The regulation of behavior on the internet, encryption, and the conditions under which law enforcement officers can access the personal communications of citizens are part of an ongoing, dynamic process in Western societies; the challenge is to craft workable rules for national security surveillance that also protect individual rights and maintain an economic environment supportive of innovation. The laudable goal of empowering security agencies with the information collection tools they need to disrupt terrorist plots, fight child trafficking, and thwart industrial espionage schemes must be measured against the diminution of basic human rights and personal freedom. Legislating in this area is increasingly difficult given continual advances in technology and conflicts in the growing web of pertinent international laws.

Background

The Investigatory Powers Act 2016 (IPA 2016) sets out the framework governing the powers of UK public bodies, including the intelligence and security agencies and the police, to obtain the content of communications and communications metadata for law enforcement purposes. According to the Home Office in 2016, the IPA 2016 “enhanced the safeguards applied to the use of investigatory powers, requiring warrants for the most intrusive powers to be authorised” by both the secretary of state and an independent judicial commissioner, and “was intended to ensure that these powers, and their attendant safeguards, were clear and proportionate.” 

Rationale for the New Legislation

With the revisions contained in the Investigatory Powers (Amendment) Act 2024, the UK government seeks to overhaul the process for intercepting communications. The government’s rationale for seeking the new legislation is that “there has been exceptional growth in the volume and type of data relating to people, objects, and locations across all sectors of society.” “Much of this data,” the government states, “is readily accessible and exploitable by the public, the private sector, and foreign states with minimal restrictions.” The government makes the case that, by contrast, the data collection and analysis abilities of law enforcement are uniquely constrained by the IPA 2016, and that change is therefore needed to “level the playing field” vis-à-vis bad actors.

Changes to the Notification Requirement Process

Perhaps the most concerning change to the IPA 2016 is the granting of new authorities enabling the UK secretary of state for the Home Department (Home Office) to (1) force technology companies, including those based overseas, to inform the UK government of planned improvements in encryption and other enhanced security and privacy measures and (2) order a halt to such changes if the home secretary so chooses, pending a review, with no time limit, of the legality of the order. According to the Home Office, notification orders must be kept secret and are “intended to provide the Secretary of State . . . with time to understand the potential impact of the changes and ensure exceptional lawful access can be maintained.”

According to an open letter from 30 cybersecurity experts, cryptographers, and academics to UK home secretary James Cleverly, “these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates.” 

Providing the Home Office a veto over changes to products and services represents a powerful intrusion into the marketplace. These orders have the potential to sow distrust in affected UK service providers, who may be forced to delay advancements in services, thereby damaging their global competitiveness.

The new powers could also require foreign companies that serve UK customers to take actions potentially in conflict with their own national laws. Western governments continue to promulgate laws and regulations regarding what data must be collected (e.g., customer data, for purposes of “know your customer” requirements) and how data must be managed to protect privacy (under the General Data Protection Regulation [GDPR] and the UK-U.S. Extension to the EU-U.S. Data Privacy Framework, for example). The new IPA law contains no plan for reconciling the extraterritorial nature of UK notice and enforcement orders with legal requirements in the United States, European Union, or other countries. The practical overlap between UK legal orders to turn over private data held by foreign firms and the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the United States and the GDPR in the European Union should receive full consideration.

The fact that firms receiving notices to halt the deployment of certain security upgrades are ordered to keep the notice secret from their home government would seemingly inject distrust and uncertainty into the relationship between, for example, U.S. regulators and firms based in the United States providing services in the United Kingdom.

As global companies make software modifications at the behest of the Home Office, some may be forced to specifically alter services delivered to UK consumers. Global firms operating in the United Kingdom could incur substantial economic costs, including those related to loss of consumer trust, if they are forced to withdraw services from the United Kingdom.

Expansion of Bulk Data Surveillance Powers

A second area of concern is the expansion of the bulk data surveillance powers of the state, which allows the exploitation of a new, vaguely defined category of bulk data sets of personal information where “individuals have a low or no expectation of privacy.” This new authority over a “low privacy” category of data is intended to allow the government to access data that exists online without having to obtain a search warrant.

According to The Guardian, CCTV footage and facial images scraped from the internet could be collected under these novel powers. To justify this behavior, governments can invoke the novel concept that individuals whose images are present in such datasets have “no expectation of privacy.” Privacy groups have cautioned that this authority could be employed to assemble databases of social media posts in service of creating “secret government files” that reveal private information about billions of citizens, such as their “sexual orientations, political opinions, religion, [and] health status.”

As David Davis (MP) said, “this ‘low expectation of privacy’ data can tell a Government . . . vast amounts about our lives” and will lead to government agencies peering into key pieces of private data that can reveal our identities and habits, such as “our purchase history, our bank records, [and] our automatic number plate recognition records.”

Because this new category of data is so vaguely defined, the surveillance powers it unlocks will be continually amplified as AI makes bulk data sets easier to correlate and more revealing.

TechUK has warned that the new authorities in the IPA could serve as “a model for less democratic governments” seeking to ramp up controls over their citizens. 

Finally, the new law also expressly expands the authority of the home secretary to require telecommunications operators to hold internet connection records (ICRs) for government access and possible mass surveillance. ICRs are logs of access to internet services that provide far more information than generic telephone records. Privacy rights organizations assert that “no other European or Five Eyes country has surveillance laws that explicitly allow for the compulsory generation and retention of ICRs” for their citizens.

In a change to the IPA 2016, orders will be issued at the sole discretion of the secretary of state, without consultation with privacy regulators who could advise on proportionality. Likewise, the avenue for judicial review has been removed. Elimination of the so-called double-lock for interception warrants, a key feature of the IPA 2016, means that the secretary of state will now no longer be required to obtain approval by an independent judicial commissioner.

Next Step: Public Consultation on Secondary Regulations to the Act

During consideration in Parliament, where many of these concerns and questions were raised, the government committed to carrying out a public consultation on secondary regulations, which will be key to understanding how the new law will be applied in practice. With diverging positions on data protection only recently hammered out in the U.S.-EU Data Privacy Framework and the U.S.-UK Data Bridge, following difficult negotiations, UK government officials would benefit from consultations with U.S. and EU officials aimed at mitigating future conflicts that could arise over the extraterritorial enforcement provisions in the IPA.

Issues that should be clarified in the public consultation on the IPA include (1) the maximum review period for notices, (2) what factors the secretary of state must consider when putting a company under the notification requirement, and (3) whether the notices regime will apply to a new category of telecommunications operators. Finally, the government should clarify that operators will not be required to comply with a notice before a full appeals process is complete.

Conclusion

Because Parliament acted in haste, there has not been sufficient recognition by the UK government that changes to the Investigatory Powers Act can be expected to magnify conflicts of law, dampen technological and security advancements in digital services, and raise issues of extraterritoriality and regulatory compatibility with trading partners, particularly the United States and Europe. Several provisions of the new law foreshadow expansion of the legal liability of UK firms which have a business connection with companies in other jurisdictions but perhaps limited control over their actions. Moreover, the UK government has unapologetically sought to weaken safeguards that were widely touted when the 2016 law was approved, including important protections applied to the use of intrusive investigatory powers, such as the “double-lock” rule for warrants and required interagency consultations with privacy regulators.

By deviating from an approach to tech surveillance that more carefully balances individual rights to privacy with the data needs of national security agencies, the legislation stands to harm the United Kingdom’s reputation as an attractive location for innovation and technology advancement. The public consultation process presents a key opportunity that stakeholders should seize to insist that the government flesh out clear guardrails and due process requirements to govern the new authorities.

Meredith Broadbent is a senior adviser (non-resident) with the Scholl Chair in International Business at the Center for Strategic and International Studies in Washington, D.C.