ICO says Government still to make the case for greater police communications monitoring powers

Out-Law News | 11 May 2012 | 9:19 am | 4 min. read

The case for law enforcement to be given enhanced powers to monitor individuals' internet communications has still to be made, the UK's privacy watchdog has said.

The Information Commissioner's Office (ICO) said it may need extra powers to oversee a planned extension of surveillance powers. The Government has said that it plans to put in place measures relating to the surveillance of 'communications data'.

“We are waiting to see the detail of what is proposed, including any role envisaged for the Information Commissioner," a spokesperson for the ICO said in a statement. "We shall then have to judge whether the Commissioner's current powers are adequate for the task or whether additional powers and resources will be needed."

"It remains our position that the case for this proposal still has to be made, and we shall expect to see strong and convincing safeguards and limitations to accompany the Bill," they said.

On Wednesday the Queen announced that the Government will "bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses" within the next Parliamentary session.

Communications data includes information about the timing and duration of telephone calls, the email address communications are sent to as well as the location of the person initiating the communications. It does not include the content of those communications.

According to Home Office briefing notes (59-page / 645KB PDF) on the draft Communications Data Bill published by the Cabinet Office, the new laws would change the way UK law enforcement bodies can currently access "communications data" under the terms of the EU's Data Retention Directive and the UK's Regulation of Investigatory Powers Act (RIPA).

The draft Bill will provide "an updated framework for the collection, retention and acquisition of communications data which enables a flexible response to technological change", the Home Office's briefing notes said.

Under the new laws communication service providers (CSPs) would have to "ensure communications data remains available to law enforcement and other authorised public authorities" subject to "strict safeguards".

The safeguards would include ensuring that CSPs delete communications data they store after a year – compliance with which would be monitored by the ICO. "Measures to protect the data from unauthorised access or disclosure" will also act as safeguards to privacy, according to the Home Office.

Under the draft Bill the role of the Interception of Communications Commissioner (IoCC) would be extended "to oversee the collection of communications data by [CSPs]". An independent 'Technical Advisory Board' would also provide CSPs with a means to consult on the "impact of obligations placed upon them". Individuals could also complain about alleged misuses of powers to "senior judicial figures" who would form an independent Investigatory Powers Tribunal. The Tribunal would "ensure that individuals have a proper avenue of complaint and independent investigation if they think the powers have been used unlawfully".

The Home Office also said that the Bill would remove "weaker safeguards" for accessing communications data that exist under current law.

The Home Office has insisted that current laws that permit law enforcement bodies to conduct surveillance on communications were not wholly fit for purpose. However, civil liberties campaigners have criticised the plans as an unjustified intrusion into individuals' privacy.

Law enforcement bodies currently have the power to access historic communications data held by telecoms firms under the EU's Data Retention Directive. The Directive was established in 2006 to make it a requirement for telecoms companies to retain personal data for a period determined by national governments of between six months and two years. The Commission decided to regulate following terrorist attacks in Madrid in 2004 and London in 2005.

Telecoms firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes, the Directive states. The details exclude the content of those communications.

Law enforcement bodies in the UK also already have the power to intercept individuals' communications in certain circumstances. RIPA enables law enforcement bodies to intercept communications by requiring telecoms providers to hand over certain information they hold.

Telecoms companies have a duty under RIPA to hand over communications data it has or could obtain about customers when asked to do so by police unless "it is not reasonably practicable" to do so. The Home Secretary can ask the courts to issue an injunction "or any other appropriate relief" against telecoms firms that fail to comply with their duty under RIPA. The type of injunction that courts can issue is not defined by RIPA. However, first the law enforcement bodies must obtain the Home Secretary's authorisation to intercept the communications.

Under RIPA the Home Secretary has to assess whether the request to intercept communications is necessary and proportionate in order to protect the UK's national security interests, prevent and detect terrorism and serious crime or to safeguard the UK's economic well-being.

Under the Act the Home Secretary must consider certain factors relating to the necessity and proportionality of any interception before authorising it, including "whether the information which it is thought necessary to obtain under the warrant could reasonably be obtained by other means".

The Act can be used by law enforcement agencies to force telecoms companies to hand over customers' details in order to tap phone, internet or email communications.

The Government was forced to make changes to RIPA last year after the European Commission said the privacy of internet users in the country was not being adequately protected. The European Court of Justice (ECJ) had been asked to review the UK's compliance with EU law prior to the amendments to RIPA being made.

RIPA was amended to state that it is now generally only legal to intrude on private communications if you have a warrant or both the sender and recipient of information have given consent, even if it is done unintentionally. Under the old RIPA regime there only needed to be 'reasonable grounds' for believing that consent had been given to allow communications to be intercepted without a warrant. 

New powers were also handed to the Interception of Communications Commissioner (IoCC) granting it the authority to impose fines of up to £50,000 for unlawful interceptions.

The Commission reported earlier this year that the changes had addressed its concerns.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, previously said that the Government could face further legal action over any attempts to widen the scope of communications data monitoring unless there were sufficient safeguards over privacy.

Wynn also said that internet service providers (ISPs) and social media networks could face technological challenges in complying with real time access requests and that UK intelligence agency GCHQ would face "information overload" unless real time access was suitably focused.