The Investigatory Powers Bill was passed by parliament a few weeks ago. This Bill, nicknamed the ‘Snooper’s Charter’, has been criticised with claims that it will infringe citizens’ privacy.
The law will legitimise a number of surveillance techniques including bulk data collection and interception. The House of Lords have discussed the proposed legislation this week, with a report on whether the surveillance powers are justified to follow.
Questions remain about the implications the Bill may have further down the line. Particularly, will the Bill address privacy concerns or create more problems around the handling of personal data?
The Bill is expected to come into force in January 2017 and would have major implications for the handling of data in the UK, meaning citizens and businesses need to be aware of it.
Current privacy law permits interference with an individual’s right to privacy by public authorities only where it is in accordance with the law and necessary in a democratic society to achieve a legitimate aim (such as in the interests of national security).
To withstand legal challenge, any interference with the right to privacy needs to be proportionate to what is being achieved by the interference.
This means that legally, there is a balance to be found between the right to privacy on one hand, and national security on the other hand. This balancing act involves moral and legal dimensions, which are inherently intertwined.
William Hague addressed this balance recently when he argued there is no “absolute right to privacy” in modern life but that we do have the right to protections.
Hague explained that a huge proportion of the work to protect citizens from foreign espionage and terrorism is being done through electronic detection and this is why the Bill is so important.
He also explained that the law does not provide intelligence agencies with backing to conduct mass surveillance, rather ‘big data’ collection.
Protecting the citizen
A major concern around this big data collection, though, is the question of whether the Bill will violate the privacy of individuals, rather than focus on criminals who pose a risk to the UK’s security.
In fact, the bulk surveillance powers in the Bill mean it won’t always be the personal information of individuals posing a risk to national security that is accessed by the authorities.
Access to irrelevant personal information can be avoided by targeting investigatory powers where there is a suspicion of a serious crime being committed. This will also help to ensure that the use of surveillance is proportionate to achieving a legitimate aim.
Privacy intrusion can be further minimised by making sure the data is only accessible to organisations on a need-to-know basis. For example, HMRC currently has the same investigatory powers as intelligence services under the Bill, which may not seem necessary and proportionate.
Finally, proper scrutiny is vital in making sure the right targets are under the scope of any bulk surveillance. There are safeguards included in the Bill in the form of Judicial Commissioners who need to approve warrants.
From a privacy perspective, these safeguards could be further strengthened to ensure that only the right targets are under the scope of any surveillance.
Clarity in the law
Another issue that will need to be addressed in order to make the Investigatory Powers Bill effective in meeting privacy concerns is the clarity of the legislation. This will be key in order to avoid challenge of the Bill on human rights grounds.
There are a few examples where there are likely to be questions around what the Bill means. Firstly, the definition of “internet connection records” in the Bill needs to be clarified.
There is currently no consistent understanding of the term, and the requirement for businesses to keep records of information not currently captured could have significant operational and cost implications on those affected.
The Bill also does not require a warrant to access “internet connection records” but it does require a warrant to access “content”.
This division is technically difficult to implement in practice, and would require internet companies to filter through data in order to separate what can and cannot be released without a warrant.
Meanwhile, does the Bill create more risk for the UK from hackers and fraudsters?
Ultimately, the Investigatory Powers Bill is being created to protect people from crime, however some have argued that the acquisition of the data also puts the UK at additional risk. For example, the wealth of data could be another reason for hackers and fraudsters to target the UK.
As a result, it’s crucial that any personal data collected by the government is properly secured. With the proposed penalties in the General Data Protection Regulation (GDPR), the implications of a data breach are higher than ever before, and businesses must be prepared.
Internet user information must not be mishandled and the security required to safeguard personal data successfully will need to be extremely high.
Overall, the Bill will be complex and very likely controversial for both businesses and individuals. The government must ensure there is clarity within the Bill and that it goes to great lengths to ensure that the privacy of individuals is protected, whilst criminals are stopped.
Technology and surveillance online can be highly powerful in stopping cybercrime, but this divisive Bill goes to show that matters of data protection and privacy must be handled very carefully.
Sourced from Nicola Fulford, data protection and privacy lawyer, Kemp Little