Out-Law News | 11 Feb 2016 | 12:42 pm | 4 min. read
The Joint Committee on the Draft Investigatory Powers Bill said the issue was one of a number that the UK government would need to address before its proposed communication surveillance reforms could be implemented. The committee was set up to scrutinise the Bill after it was published by the government in November last year. It gathered both written and oral evidence from a range of stakeholders, including the government, technology companies, internet service providers, mobile network operators and privacy watchdogs.
In its report, the committee said that it supports the government's plans to bring together different UK surveillance laws under one piece of legislation, but made 86 recommendations on how the Bill could be improved, including in relation to bulk personal datasets.
Under the draft Bill, UK intelligence agencies would have a qualified right to obtain "bulk data" through separate powers that apply to the accessing of communications data, interception of communications or equipment interference activities. Distinct legal frameworks will govern access to communications data, interception of communications and equipment interference activities more generally under the Bill.
Under the government's proposals, powers to obtain bulk data, whether via interception of communications, the communications data regime or via equipment interference, would be reserved for use by security and intelligence agencies for national security reasons only. At the time it published the draft Bill the government said that "robust safeguards" would "govern access to this data to ensure it is only examined where it is necessary and proportionate to do so".
"Warrants will be issued by the secretary of state and must be approved by a judicial commissioner before coming into force," it said. "The draft Bill will require that bulk interception and bulk equipment interference warrants may only be issued where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK. Conduct within the UK or interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose."
The Joint Committee on the Draft Investigatory Powers Bill said, though, that "the lack of a formal case for BPDs remains a shortcoming when considering the appropriateness of this power". It called on the Home Office to "produce its case" for BPDs when it publishes the Bill for formal parliamentary scrutiny.
"While the Committee acknowledges the case made by the Home Office for not providing detailed information as to the contents of bulk personal datasets (BPDs), the lack of that detail makes it hard for parliament to give the power sufficient scrutiny," the committee said. "The safeguards for BPDs are not sufficiently explained in the Bill. We have not seen a draft code of practice on BPDs, and we therefore do not know whether BPDs will, in practice, be treated differently from the communications datasets that are referred to [elsewhere in the Bill]."
"We believe that a draft code of practice on BPDs should be published when the Bill is introduced to provide greater clarity on the handling of BPDs, not least in relation to the provisions of the Data Protection Act 1998. To the greatest extent possible, the safeguards that appear in the Data Protection Act 1998 should also apply to personal data held by the security and intelligence agencies. We also agree that existing powers for acquiring BPDs should be consolidated in this Bill and that any other powers for the security and intelligence agencies to acquire BPDs should be repealed," it said.
Under the government's plans for the Bill, current powers held by UK law enforcement and intelligence agencies to access communications data would be expanded. The bodies would have a new right to require telecommunication service providers to retain and hand over "internet connection records" (ICRs) to help combat terrorism, serious crime or protect the UK's economic interests, among other limited purposes provided for in the legislation.
ICRs have been included within the definition of 'communications data' for the first time, with the Bill setting out the specific legal framework, including authorisation procedures, safeguards and oversight arrangements that would apply to the storing and accessing of such data.
However, some communication providers providing evidence to the Joint Committee on the Draft Investigatory Powers Bill raised concerns about the draft provisions relating to ICRs. The companies expect to have to invest in new equipment so as to capture ICRs and comply with the planned legislation because they do not currently collect that information.
Mark Hughes, president of BT Security, said deploying new equipment will "come at a cost" and said BT has concerns that the Bill is not clear that communication service providers will be able to recover the costs they incur in complying with the legislation from the government.
The Joint Committee on the Draft Investigatory Powers Bill called on the UK government to confirm "how the issues which have been raised about the technical feasibility of ICRs will be addressed in practice" and work with communication providers on "the detail of the cost estimates for data retention to show how it will be deliverable in practice and deliver value for money".
The committee is the second parliamentary body this week to publish a report on the Bill. The Intelligence and Security Committee said (18-page / 342KB PDF) that privacy protections set out in the Bill are "inconsistent and … need strengthening", and that other provisions on equipment interference, BPDs and communications data are "too broad and lack sufficient clarity". It said "substantive amendment is required" before the Bill should become law.
The Science and Technology Committee in the House of Commons, which assessed the technical feasibility of the draft Investigatory Powers Bill, separately said recently that the new laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages themselves.