As the Investigatory Powers (Amendment) Bill completes its passage in the House of Lords and enters the House of Commons, techUK sets out our members' views on the key areas for improvement.
The government is proposing to amend the Investigatory Powers Act 2016. The government has stated that the changes set out in the Bill seek to protect the existing capabilities that keep our citizens safe. While techUK and our members support the legitimate aims of enabling investigatory powers that are necessary and proportionate to keep citizens safe.
We are of the view that the proposed changes will exacerbate conflicts of law, hinder technological advancements aimed at improving consumer privacy, integrity and security, and, if emulated by other countries, could negatively impact UK businesses investing overseas.
Taken as a whole, they risk making the UK less attractive for investment, thus contradicting the essence of the Prime Minister's plan for a world-leading tech ecosystem. Our primary concerns revolve around the proposed updates to the notices regime.
Below, we outline techUK members' perspective on the necessary changes to the Bill to ensure the right balance on investigatory powers.
Addressing conflict of laws
The Bill will amend the IPA 2016 to expand the scope of the legislation by changing the definition of telecommunications operator to encompass additional persons/companies involved in the provision of telecommunications services to users in the UK - including when they control or provide a telecommunication system established outside the UK.
techUK remains concerned that the expansion of the government's authority to hold one entity liable for the actions of another will exacerbate existing conflicts of law and could allow the UK government to require foreign companies to take actions that might conflict with their own national laws. This will place private companies in an untenable position of facing an irreconcilable conflict of laws.
Further complexity is added by the strict existing secrecy requirements, which prohibit operators that are under notice from disclosing the very existence of such notice. In practice, this could mean that when a company is forced to break its domestic laws in order to comply with notice issued under the IPA, it would not be able to communicate to the relevant government the reasons for doing so, thus making it impossible to seek a diplomatic assistance to address the conflict.
This proposed change marks a departure in the way the UK approaches the extraterritorial reach of UK law and consequential conflicts of law. While the Government recognised the extraterritorial reach and conflicts of laws created by the data acquisition powers in the 2016 Act, it also identified a partial solution in the form of the UK-US Agreement. However, currently the government has not set out any plans to work towards equivalent solutions.
Therefore, further clarity is needed on how the proposed notice regime will operate in practice alongside potential conflicts arising from extraterritorial reach and enforcement, with clear mitigations for operators.
Ensuring user trust and a secure internet
The Bill will introduce a new type of notice - the notification notice which, upon issuance, would require specified operators to notify the Home Office of plans to make product or system changes to a yet-to-be-defined list of services that will be private and unique to each company. Concerningly, and unlike the existing three types of notices, a notifications notice would be approved by the Home Secretary alone and not need to go through a ‘double lock' process, which requires the approval by the Home Secretary and a Judicial Commissioner before it can be given to the operator in question.
techUK members are concerned that, when used in combination with the new power to order the maintenance of the status quo during a notice referral process, the changes proposed by the Bill could grant the UK government a de facto power to indefinitely veto companies from making changes to their products and services offered in the UK and globally.
This would create a disincentive for companies to provide their services in the UK by constraining the nature and timing of product developments and launches in the UK market, potentially restricting what features are made available in the future. Crucially, these amendments could impede the ability of techUK members to act over time to protect users from active security threats, to innovate, and enhance their services for their users. Instead of focusing on improving user privacy and security, firms' attention would have to be diverted towards fulfilling the surveillance needs of the government. This is of particular concern in the world where threats to users' data security continue to grow.
If other countries were to adopt similar legislative changes, and seek jurisdiction over operators established in the UK, this could pose a threat to UK businesses investing overseas by creating an uneven playing field and hindering their ability to compete in international markets, potentially harming the UK economy.
The government has proposed amendments to the Bill, introducing a requirement for the Secretary of State to review notices within a specified period, and committing to a public consultation on regulations that will set out these timelines.
techUK members welcome these commitments. It is encouraging to see the government acknowledging the need for there to be a limit on the length of the notice review period, which currently does not exist.
However, given the scale of the changes being proposed, we are of the view that more needs to be done. For example, we would welcome more clarity on the time limit for the notices review on the face of the Bill. Additionally, in relation to clause 18 of the Bill, we would welcome further clarity from the government on what information the Secretary of State will be required to take into account when setting the timelines for reviewing the notice, and whether there will be an appeals process for operators to appeal the decision in regards to the length of the review, in case they deem the review period to be too lengthy.
We would also like to see further safeguards built into the regime, including a clear definition of “relevant changes” that would have to be notified - either on the face of the Bill, or in the secondary legislation. Equally important will be to ensure that the notifications notices are subject to the ‘double lock' authorisation process. This will align it with the procedure for approving the three existing notices in the IPA 2016.
Finally, we would like the government to confirm that it will allow ample time for stakeholders to respond to any public consultations on notices regime secondary legislation that are issued.
This will ensure that the updated regime is transparent, proportionate, and contains a robust accountability mechanism.
techUK will be calling for:
- Overarching asks
- A confirmation from the government that it will allow ample time for stakeholders to respond to any public consultations on notices regime secondary legislation that are issued.
- A confirmation from the government that it will allow ample time for stakeholders to respond to any public consultations on notices regime secondary legislation that are issued.
- Clause 18 - Review of notices by the Secretary of State
- During the Lords Report stage, the government has committed to carry out a consultation on the secondary regulations, determining the maximum review period for notices. We are of the view that this should be stated on the face of the Bill instead, for added clarity.
- Ensuring that any extension to the notice review period is within the decision-making authority of the Judicial Commissioner, not for the Home Secretary to decide upon unilaterally.
- Clause 19 of the Bill - Meaning of “telecommunications operator” etc
- Greater clarity on how the proposed notice regime will operate in practice, noting that this Bill is a statement of intent to apply the regime to a new category of operators.
- Mechanism to address potential conflicts arising from extraterritorial reach and enforcement.
- Introduction of mitigations for operators caught in irreconcilable conflicts of law.
- Notifications notices should only be served on operators who have control over services provided in the UK (whether provided by them or another party). The Bill should make it clear that it does not enable UK authorities to request EU user data not held in the UK or enabled lawfully in the EU.
- Clause 21 - notification of proposed changes to telecommunications services etc
- To clarify, on the face of the Bill, the thresholds that would trigger a notification requirement, or, alternatively, a government confirmation that there will be a full public consultation on the “relevant changes” that would have to be notified by the operator.
- Introduction of safeguards in line with the existing Act, including a ‘double lock' authorisation process for all notifications notices and clarification as to defences.