Out-Law News 3 min. read

UK admits that Investigatory Powers Act needs updated to comply with EU law

The Investigatory Powers Act needs to be updated if it is to comply with EU law, the UK government has admitted.

The government has opened a consultation (23-page / 362KB PDF) on "new safeguards for the use of communications data" that it is looking to add to the Act in light of a ruling last year by the Court of Justice of the EU (CJEU). The proposals are set out in draft new regulations (21-page / 359KB PDF).

In December 2016, the CJEU set out how national laws on the retention of electronic communications data and on access to that data by national authorities should be framed to comply with EU law, following requests for clarity by courts in the UK and Sweden.

The CJEU said EU law precludes EU countries from passing a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime.

It also said that EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, but only where the objective of the data retention rules is to fight "serious crime".

Although the CJEU's ruling directly concerned, in part, a legal challenge that had been brought against the now-expired Data Retention and Investigatory Powers Act (DRIPA), the judgment prompted civil liberty groups to call on the UK government to make changes to the piece of legislation that was introduced to replace DRIPA – the Investigatory Powers Act.

Now, the UK government has admitted that the Act does need to be updated to comply with the requirements of the CJEU's judgment.

"The government considers that some aspects of our current regime for the retention of and access to communications data do not satisfy the requirements of the CJEU’s judgment and, therefore, proposes to amend the Investigatory Powers Act 2016," Ben Wallace, UK security minister, said.

Under the proposed changes to the Act, a new body called the Office for Communications Data Authorisations (OCDA) will be responsible for independently assessing and authorising requests for access to retained communications data, although "urgent" requests for the data will be able to be authorised through "a designated senior officer in a public authority", other than local authorities. Internal authorisation of requests will also take place where the request concerns the use of the data for national security purposes.

The government is working to establish ODCA in consultation with the IPC (investigatory powers commissioner) and the task of setting it up is significant," the Home Office said in its consultation. "It involves the procurement of premises (including appropriate security arrangements), recruiting and training new staff, and the development of the necessary IT systems and processes which will allow OCDA staff to electronically consider applications from over 600 public authorities."

Under the planned reforms, authorities would only be able to use communications data as part of investigations into serious crime. The government said it intends to remove provisions from the Investigatory Powers Act which currently enable communications data to be acquired and retained on public health grounds, or for the purposes of collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department, or for exercising functions relating to the regulation of financial services and markets, or financial stability.

Further changes related to when authorities would have to notify individuals that their communications data was used have also been proposed, as well as new safeguards concerning the retention of data "generated, processed or stored" outside of the EU.

A draft communications data code of practice (140-page / 1.17MB PDF), designed to complement the provisions in the Investigatory Powers Act and specify in more detail the requirements of telecoms providers have in retaining communications data, as well as the powers authorities have to access it, has also been opened for consultation by the UK government.

"Communications data is used in the vast majority of serious and organised crime prosecutions and has been used in every major Security Service counter-terrorism investigation over the last decade. Its importance cannot be overstated," said UK security minister Ben Wallace. "For example, it is often the only way to identify paedophiles involved in online child abuse and can be used to identify where and when these horrendous crimes have taken place."

"As this is an issue of public importance, we consider it important to consult on our proposed changes to inform our legislative response and subsequent parliamentary debate. All responses will be welcomed and carefully considered," he said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.