Restrictions on access to internet connection records agreed by UK peers

Out-Law News | 20 Jul 2016 | 3:14 pm | 3 min. read

New UK surveillance laws will restrict access to people's internet connection records (ICRs) further than was originally proposed after amendments to the Investigatory Powers Bill were approved in the UK parliament.

The House of Lords amendments (35-page / 157KB PDF) come after political opponents of the government had called for greater safeguards to be introduced to ensure access to ICRs would be proportionate in the context of privacy rights. The Investigatory Powers Bill was endorsed by a majority of MPs in June.

ICRs are broadly data that reveals which websites internet users have visited without detailing the precise webpages of those sites that have been viewed. The Investigatory Powers Bill would, for the first time, allow UK authorities the right to acquire ICRs from communication service providers, such as broadband providers and mobile network operators.

Under the agreed amendments to the Bill, ICRs can only be obtained by UK authorities if they are to be used to help prevent or detect crime.

In a debate on the Bill in the House of Lords on Tuesday, Lord Keen of Elie, the advocate general for Scotland, said that ICRs "should not be acquired for trivial purpose". He explained that 'prevention and detection of crime' threshold would mean that, in practice, ICRs would generally only "be able to be acquired only for offences that are sufficiently serious that an offender can be sentenced to at least six months’ imprisonment". However, Lord Keen said that the Bill would permit the collection of ICRs by UK agencies to tackle crime that carries lower potential criminal penalties.

"In implementing this threshold … it is important that internet connection records can continue to be used for certain offences which, for whatever reasons, carry a lower sentencing limit," Lord Keen said.

"These are: the investigation of any offence where the sending of a communication ​is an integral part of the offence: for example, offences related to stalking, cyberbullying and harassment which can, if not investigated, quickly escalate to more serious offences; offences relating to breach of a person’s privacy, such as stealing personal data, which recognises the importance of protecting privacy in the digital age and the need to fully investigate any suspected breaches; offences committed by corporate bodies – for example, corporate manslaughter, where a penalty of imprisonment cannot apply; and any offence meeting the serious crime threshold in the Bill for the most intrusive powers, ensuring that these powers can be used to investigate offences involving the use of violence, conduct that results in substantial financial gain and conduct by a large number of people in pursuit of a common purpose," he said.

According to the agreed amendments, ICRs are defined as "communications data which: may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and; comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)".

Major mobile network operators (MNOs) and internet service providers (ISPs) previously outlined some of the challenges they see in being required to retain ICRs.

Former UK information commissioner Christopher Graham said earlier this year that there would need to be "strong justification" for communication service providers to be required to retain ICRs under the Bill.

"Retaining ICRs is an area where there needs to be strong justification and if this is made on the basis of an assertion of need in advance of a power being given then there needs to be effective post legislative scrutiny to judge the magnitude and nature of the records retained and the use that was made of these in practice including law enforcement outcomes," Graham said.

"There are challenges in resolving IP addresses down to particular identifiable individuals which may make such data of less value in practice. It is understood that in 2014 Denmark repealed its provisions that are similar to the draft Bill as they were unable to achieve their objectives in practice. It is not sufficient for the IPC (a new investigatory powers commissioner) to report on the working of the arrangements; it is the use of the information and its value that is the indicator of whether such intrusion is necessary and proportionate. This information would need to be provided as part of any post legislative scrutiny," he said.