The need to comply with a European Court Ruling has meant that senior UK police officers are to lose the power to self-authorise snooping on personal phone and web browsing records.
This latest development is the upholding of a ruling (after an appeal) that was sent to the European Court of Justice (ECJ) in 2016. The original ruling dates back to 2015 and relates to a case brought by Labour Party deputy Tom Watson (and Brexit Secretary David Davies, who later dropped out). The original case challenged the legality of core parts of the Data Retention and Investigatory Powers Act (DRIPA), which was a predecessor to the Investigatory Powers Act (also known as the ‘Snooper’s Charter)’.
In upholding the original ruling which went in favour of Tom Watson, the ECJ has said that the general and indiscriminate retention of data cannot be considered justified within a democratic society, and that a mass harvesting of data can only be lawful if it's underpinned by stringent safeguards or independent oversight, and can only be accepted as part of investigations into ‘serious’ crime and terrorism.
What Does This Actually Mean?
In short, the upholding of the original verdict means that The Investigatory Powers Act will need to be changed to align it with the ECJ ruling.
Every year, there are 250,000 requests from police agencies and investigating public bodies to access personal communications data. Under current rules, senior authority figures such as police superintendents, inspectors, or similarly high ranking officials in the Department of Work and Pensions and Revenue and Customs can self-authorise data these harvesting requests.
Under the new ruling, harvesting of data requests will only be permitted in cases that potentially carry prison sentences of six months or more, and communication requests will only be authorised by a newly created Office for Communications Data Authorisation which will be overseen by the investigatory powers commissioner Lord Justice Fulford.
The change in the law will also mean that agencies won’t be able to collect data for things like collection of taxes or public health reports.
Although senior police will no longer be able to self-authorise access to our phone and web browsing records, the new rules won’t apply UK's spy agencies e.g. GCHQ, MI6 or MI5 retaining or acquiring data, because the UK government says that national security is outside the scope of EU law.
Criticisms of the government’s response to the ECJ’s ruling include:
The government has launched a 7-week public consultation to collect feedback about its proposals.
What Does This Mean For Your Business?
This is a time of flux and change where the UK is breaking away from the EU but is still affected by EU data laws, and is having to take account of EU laws and Regulations in its own Investigatory Powers Act (2016), with GDPR, and with trying to make the UK’s own law, the Data Protection Bill (DPB) is in line with GDPR.
Where the Investigatory Power Act is concerned, it is has been in force in the UK for a year and legal challenges (mainly on our behalf), and raising awareness of what the law entails and gathering large support to oppose certain elements are some of the only routes we have to seek changes to it.
National security is, of course, important, but so is privacy in a world where surveillance in all aspects of life is increasing. Some would say that if we’re doing nothing wrong we have nothing to fear, whereas others would say that this attitude simply makes it easy for hard-won freedoms and rights to be lost.
For businesses, security and privacy are vitally important issues where data protection is concerned going forward, and much of the focus in the news has been on how customer and employee data can be protected in a GDPR-compliant way going forward. For many businesses this is a more pressing issue than changes to the Investigatory Powers Act, although this story is a reminder that big brother is still watching, hopefully on our behalf to protect us and our businesses rather than to snoop unnecessarily.