The controversial Investigatory Powers (IP) Act 2016 in the UK, also known as the "Snoopers' Charter", is a comprehensive piece of legislation that expands the electronic surveillance powers of the British police force and the intelligence agencies. The Act consolidated all of the existing but dispersed powers available to UK law enforcement and the security and intelligence agencies, which allowed these agencies to obtain communications and data about communications when they deemed it necessary. The Act requires phone companies and internet service providers to keep copies of users’ emails and browsing histories for up to one year without needing the users’ consent to do so. Under the Act, state agencies could lawfully hack citizens’ devices and use communication interference equipment.
Back in 2016, the Act radically overhauled the way these surveillance powers were authorised and overseen. It introduced a ‘double-lock’ for interception warrants, meaning that, following Secretary of State authorisation, these (and other warrants) could not be brought into force until they were approved by a judge. It also created a new Investigatory Powers Commissioner to oversee how these powers were used.
The argument for the Act asserts that the IP Act 2016 ensures the UK’s police force and security agencies are fit and prepared for the digital age. Edward Snowden described the act as “the most extreme surveillance in the history of western democracy.”[1]
Fast forward to 2024 and the Investigatory Powers (Amendment) Bill now aims to modify the Investigatory Powers Act of 2016 and some believe it will further weaken privacy protections for UK citizens. The bill, which originated in the House of Lords, seeks to address current and emerging national security threats by updating the 2016 act to reflect the evolving technology landscape and protect the British people. The Bill is a legislative effort to ensure that the UK’s investigatory framework remains equipped to handle the challenges posed by modern threats and changing technology.
As with the IP Act in 2016, however, there are some privacy concerns around the Bill. The most striking of these concerns is around the UK’s surveillance regime that would essentially force technology companies, including those based overseas, to inform the UK government of any plans they had to improve security or privacy measures on their platforms so that the government could consider serving a notice to prevent such changes. This would effectively transform private companies into extensions of the UK surveillance state. Not only that, but it would erode the security of these companies' platforms as well as undermine the security of the entire internet[2].
TechUK, a representative of the UK tech industry, expressed concerns that the bill could effectively grant a de facto power to indefinitely veto companies from making changes to their products and services offered in the UK. Additionally, it could impede the ability of techUK members to take immediate action to protect users from active security threats, to innovate, and to enhance their services for their users. Instead of focusing on improving user privacy and security, firms’ attention would have to be diverted towards fulfilling the surveillance needs of the government. This is of particular concern in a world where threats to users’ data security continue to grow[3].
The amendment bill recommends the creation of a new type of large data collection (bulk personal datasets or BPD), which would allow for the harvesting of millions of facial images and social media data. This type of data is often already public, and the argument is that people should therefore have a low or no expectation of privacy for such data. The rules for this new type of BPD would be less strict than the current rules under Part 7 of the existing Investigatory Powers Act.
Part 7 of the IP Act already allows for the intelligence services to collect large amounts of data, even if most of the people to whom the data pertains are not of interest to them. This type of data collection is controversial because it’s seen as a form of mass surveillance that invades the privacy of people who are not suspected of any crime.
Clause 2 of the Investigatory Powers (Amendment) Bill introduces a new Part 7A to the IP Act, which allows for the security services to seize personal data of millions of people who have ‘low or no reasonable expectation of privacy’ including data in direct messages or voice or video calls made via social media sites, or their face as it appears on CCTV recordings.
The Bill’s creation of such an imprecise and vague category of information where there is deemed to be ‘low or no reasonable expectation of privacy’ is a concerning departure from existing privacy law in the UK, in particular the UK General Data Protection Regulation (UK GDPR) and human rights law. The creation of such an undefined category of data, including personal data, for use by security agencies that want to provide their own levels of safeguards according to potentially arbitrary ideas about what constitutes satisfactory expectations of privacy, essentially has the potential to eradicate decades of data protection law in one fell swoop.
The founder of the non-profit organisation None of your Business (NOYB), Max Schrems, has spent the last two decades fighting large US technology companies to get them to comply with the EU GDPR when processing the personal data of EU citizens. Section 702 of the Foreign Intelligence Surveillance Act enables US intelligence agencies to collect, analyse and share foreign intelligence information on individuals from foreign countries, including European countries. The Investigatory Powers Amendment Bill is slightly different in that it allows the UK intelligence agencies to conduct surveillance on their own citizens.
These changes to the processing of personal data of millions of UK citizens for surveillance purposes come in the wake of proposed changes to the existing UK Data Protection Regulation. These changes come in the form of the Data Protection and Digital Information (DPDI) Bill, which was initially introduced in the House of Commons in March 2023. In November 2023, the UK government tabled changes to the existing bill, which included new powers being given to the UK government allowing them to require data from third parties, particularly banks and financial organisations, to help reduce benefit fraud. The bill proposed that regular checks be carried out on the bank accounts held by benefit claimants to spot increases in their savings which push them over the benefit eligibility threshold[4].
The DPDI bill also proposed a 'data preservation process': in cases where a child has died through suicide, social media companies would be required to keep any relevant personal data, which could then be used in subsequent investigations or inquests.
The bill also proposes to abolish the office of the Biometrics and Surveillance Camera Commissioner, which is responsible for reviewing the retention and use by the police of DNA samples, DNA profiles, and fingerprints. It decides on applications by the police to retain DNA profiles and fingerprints, while also reviewing national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints. It is also responsible for encouraging compliance with the Surveillance Camera Code and for reviewing how the code is working. The office also provides advice to ministers on whether the code needs amending and provides reports to the Home Secretary about the carrying out of all these functions. Under the DPDI bill some of the functions of this Commissioner will be transferred to other regulators.
The DPDI Bill also proposes a significant change to the current protection from automated decision-making. Clause 14 of the Bill (Automated decision-making) is intended to replace Article 22 of the UK GDPR with new proposed articles 22A-22D and will allow fully automated decision-making based on the processing of the broader category of personal data. Automated decision-making based on the narrower special categories of personal data would still be restricted.
By contrast, the EU GDPR prohibits automated decision-making, unless one of the permissible exceptions is engaged, without making a distinction between the broader personal data and the narrower special category of personal data. By limiting the general prohibition of automated decision-making only to the more narrowly defined special categories of personal data, the DPDI bill essentially limits some of the important protections individuals currently enjoy, albeit retaining some of the safeguards. Limiting the protection from automated decision-making only to the processing of sensitive personal data is a weakening of the current standard of data subject rights protection[5].
In addition to these concerns, a member of the EU Parliament believes the bill could impact the data protection adequacy decision between the EU and the U.K. The two entities' current data transfer agreement acknowledges U.K. data protection standards are equivalent to the GDPR, but Dutch MEP Paul Tang said the proposed U.K. reform bill would have weaker rules and negatively affect the existing adequacy agreement. In a letter sent to the EU Commission in February 2024, he raised concerns around the potential effects of the bill stating that it would weaken the protection of the GDPR and the protection of EU citizens by sharing EU citizens’ data with third parties who do not meet Brussels’ data protection criteria.
The letter went on to point out that not only is the bill eliminating the Biometrics and Surveillance Camera Commissioner, but it also allows indefinite retention of certain biometric data by UK law enforcement. Tang added that the DPDI bill undermines safeguards set by the European Court of Human Rights, potentially jeopardising law enforcement cooperation frameworks like Prüm II and the Law Enforcement Directive[6].
While UK officials argue that the DPDI bill aims to modernize data protection regulations, and the investigatory powers amendment bill seeks to enhance national security, both raise concerns for future privacy rights, equally within the UK and beyond its borders. The proposed lighter touch on bulk personal data collection could set a precedent and potentially influence other countries to loosen their own data protection frameworks and regulations. This, coupled with the potential for increased government access to personal information, could create a chilling effect on online activity and freedom of expression, not just in the UK, but potentially across the globe. The future of privacy in the digital age hinges on striking a balance between security needs and individual liberties, and these bills raise obvious concerns about achieving that balance effectively.
References
[1] https://www.theguardian.com/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-barely-a-whimper
[3] https://www.techuk.org/resource/expressing-techuk-members-concerns-regarding-proposed-amendments-to-the-investigatory-powers-act-2016-notices-regime.html
[4] https://www.gov.uk/government/news/changes-to-data-protection-laws-to-unlock-post-brexit-opportunity