The United Kingdom Parliament is currently in the pre-legislative scrutiny phase of a new Investigatory Powers Bill, which aims to “consolidate existing legislation and ensure the powers in the Bill are fit for the digital age”. It is fair to sat this Bill is controversial with strong views being expressed by both critics and supporters of the Bill. Against this backdrop it is important to cut through the rhetoric and get to the heart of the Bill and to examine what it will do and what it will mean in terms of the legal framework for British citizens, and indeed for those overseas.
The Investigatory Powers Bill
Much of the Bill’s activity is to formalise and restate pre-existing surveillance powers. One of the key criticisms of the extant powers of the security and law enforcement services is that the law lacks clarity. Indeed it was this lack of clarity which led the Investigatory Powers Tribunal to rule in the landmark case of Liberty v GCHQ that the regulations which covered GCHQ’s access to emails and phone records intercepted by the US National Security Agency breached Articles 8 and 10 of the European Convention on Human Rights. Following a number of strong critiques of the law including numerous legal challenges the Government received three reports into the current law: the report of the Intelligence and Security Committee of Parliament, “Privacy and Security: A modern and transparent legal framework”; the report of the Independent Reviewer of Terrorism Legislation. “A Question of Trust”; and the report of the Royal United Services Institute: “A Democratic Licence to Operate”. All three reported deficiencies in the law’s transparency.
As a result the Bill restates much of the existing law in a way which should be more transparent and which, in theory, should allow for greater democratic and legal oversight of the powers of the security and law enforcement services. In essence the Bill is split into sections: interception, retention, equipment interference and oversight, with each of the three substantive powers split again into targeted and bulk. What this means in practice is the authorisation of three broad types of activity (each of which have sub-types); the authorisation to intercept data between sender and receiver, the authorisation to retain data such as communications data and internet connection records (more below) for possible processing later and authorisation to interfere with (in colloquial terms “hack”) systems and devices. For each of these there is a split between targeted activity, this is required when dealing with communications which are sent and received by individuals who are inside the British Islands (domestic communications) and bulk activity which is permissible where either the sender or receiver (or both) of the communications are located outside the British Islands.
Two of the more controversial aspects of the Bill are the oversight provisions and the introduction of a new form of retained data, so called “internet connection records.”
The retention of internet connection records are an entirely new power found in the Bill. It is an extension to the extant, but currently legally uncertain data retention powers found in the Data Retention and Investigatory Powers Act 2014 (DRIPA). This new power is thus controversial on two bases: (1) it fails to meet the proportionality principle on the basis it fails to comply with the EU Charter on Fundamental Rights; (2) even if the current law is proportionate an extension of powers is almost certainly disproportionate. With regard to the first of these the current law, as contained in DRIPA, is subject to an ongoing legal challenge brought by MPs David Davis and Tom Watson supported by Liberty. The case, Secretary of State for the Home Department v David Davis MP and others  EWCA Civ 1185, has recently been referred by the Court of Appeal to the Court of Justice of the European Union where the court asks the CJEU to rule on whether the ground-breaking case of Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Others, the case which ruled that European data retention laws were incompatible with Articles 7 & 8 of the EU Charter, also binds national legislators in the making of domestic data retention laws. Thus the current status of domestic data retention laws is unclear, yet at the time that this case remains under review the Bill seeks to extend the powers of the state to order the retention of data from simple, yet still very invasive power to retain all traffic data on our communications to also cover internet connections records, described in the guide to the Bill as “a record of the internet services a specific device has connected to, such as a website or instant messaging application.” This would be data such as which banking services we use, which rail company or airline we tend to favour and which may reveal much about us including gender, ethnicity, religious beliefs, medical conditions and much more. University of East Anglia law lecturer Paul Bernal has written upon this issue very eloquently in his blog. As he notes despite the Home Office’s best attempts to paint these as akin to itemised phone records, they are much more invasive of personal privacy and they are also clearly likely to be more invasive than the mere retention of communications records, a practice ruled illegal under EU Law in Digital Rights Ireland, and which at domestic law is currently under review. It is difficult to see how this new provision could be seen to be proportionate.
The second key battleground over the Bill is likely to be the oversight procedure for the issuance of warrants. The three reports were split as to whether Ministers or judges should issue warrants. The Intelligence and Security Committee felt the power should remain with Ministers, as “Ministers are able to take into account the wider context of each warrant application and the risks involved, whereas judges can only decide whether a warrant application is legally compliant”. The Independent Reviewer of Terrorism Legislation recommended that “Specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be issued and renewed only on the authority of a Judicial Commissioner”, however he recommended that the Secretary of State should be allowed to issue a national security certificate where the application related to “the interests of the defence and/or foreign policy of the UK” and in such cases the “Judicial Commissioner in determining whether to issue the warrant should be able to depart from that certificate only on the basis of the principles applicable in judicial review”, this is sometimes called a “double lock” provision. Finally the RUSI report recommended something very similar to the Independent Reviewer with warrants for a purpose relating to the detection or prevention of serious and organised crime “always being authorised by a judicial commissioner” while warrants for purposes relating to national security (including counter-terrorism, support to military operations, diplomacy and foreign policy) and economic well-being, the warrant should be authorised by the secretary of state subject to judicial review by a judicial commissioner. The provisions of the Bill though are quite different. Despite the recommendations of both the Independent Reviewer of Terrorism Legislation and RUSI that warrants in relation to serious crime be issued by a Judicial Commissioner they will continue to be issued by the Secretary of State or by Scottish Ministers. All forms of warrant, including national security warrants, will however be subject to review by Judicial Commissioners under cl.19 of the Bill. There remains however a further complication. While the RUSI and Independent Reviewer of Terrorism Legislation reports suggested that only in relation to national security warrants the Judicial Commissioner should apply “principles applicable in judicial review”, by cl.19 all warrants will be restricted to this narrow set of principles, essentially illegality, fairness, and irrationality and proportionality.
There have been a number of critiques of the way the double lock system has been set up with among others David Davis MP (one of the DRIPA challengers) and the Shadow Home Secretary being highly critical. Again the question of proportionality of the legislation is questionable. In terms of domestic intercept warrants, which Davis in his comment notes “should not be a political decision”, it is questionable whether the role of the Secretary of State is complaint with the spirit, if not the law of Article 8 ECHR, as well as Article 6’s “independent and impartial” requirement. One must ask is it proportionate, or even relevant, to involve a minster of cabinet rank, a political decision-maker, in a decision as to whether a warrant should be issued to intercept communications in an organised crime case. One of the many benefits of our legal systems in the United Kingdom is that judges are appointed and not elected, allowing them to remain apart from the political process. To retain a role for a political office holder in warrants such as these, and against the recommendations of the RUSI and Independent Reviewer of Terrorism Legislation reports appears disproportionate.
Andrew Murray is Professor of Law at London School of Economics. He is the author of Information Technology Law: The Law and Society. He is a leading expert in Information Technology Law and Regulation and has written many articles on aspects of the interface between information technology and the legal framework including surveillance and data protection laws.