What was formerly known as the Investigatory Powers Bill has received Royal Assent and is now the Investigatory Powers Act. The Bill was first published in draft form in November 2015 (- for a very helpful analysis of the Bill at this stage, please read Dr Tom Hickman’s blog). The passage of the Bill through Parliament, after it was it was introduced in March this year, took just under nine months. Amendments made by the House of Commons were described as ‘largely technical or minor drafting amendments’. Consequently, for all those hoping to see significant changes made to the legislation, a lot hung on the Bill’s amendments during its passage through the Lords.
This post examines seven key changes made by the Lords. While some of the changes may serve to make the safeguards contained in the Act more robust, many of them were fairly minimal. Furthermore, certain of the changes either do not appear to meaningfully restrict the powers in the Act or fall short in terms of meeting concerns expressed by those called on to scrutinise the Bill.
1. Intelligence sharing
One part of the Bill where the Lords inserted key changes, were provisions related to the sharing of intelligence between countries. The issue of intelligence sharing found its way onto the front pages of newspapers in 2013 when journalists, relying on documents provided by Edward Snowden, alleged GCHQ had access to PRISM – an NSA program to acquire information from Yahoo, Microsoft, Facebook and other American technology companies. Such access was subsequently declared unlawful by the Investigatory Powers Tribunal who ruled that material received from foreign partners such as NSA was not ‘in accordance with the law’ prior to November 2014.
When reviewing earlier versions of the Investigatory Powers Bill, the Intelligence and Security Committee (ISC) acknowledged the critical need for this practice to be regulated. It made clear in its report that ‘the proportion of intercept material obtained from international partners is such that it is not appropriate to exclude it from legislation which purports to cover interception.’
However, the Government did not make any changes when it introduced the Bill into the Commons and maintained that safeguards it had included, which were analogous to those that existed in the Regulation of Investigatory Powers Act 2000, were adequate.
The safeguards (in Chapter 1 and Chapter 3 of Part 6 of the Act) apply to the disclosure of material, collected using bulk interception warrants and bulk ‘equipment interference’ (hacking) warrants, overseas. They include requirements that only the minimum necessary number of people at a foreign agency are provided access to the material, and that the minimum necessary copies of any intelligence product are made.
The Lords introduced an amendment (Lords amendment 160) which added to these requirements. The new provision states that the ‘the Secretary of State must be satisfied that the overseas authority has safeguards in place corresponding to those in the Bill in relation to the selection of data for examination’. Such safeguards include that the selection of material for examination must be carried out for for specified purposes and be necessary and proportionate.
While further restrictions were needed in this area, this one falls short of what could have been achieved. The safeguards will not always be applied, as they are only exercised ‘to the extent [if any] as the Secretary of State considers appropriate’. Furthermore, we will not know for sure which overseas authorities will apply which safeguards, or how they will be applied.
Also of concern is the fact that the Act also does not provide any statutory rules setting out how and when raw intelligence can be exchanged between British and foreign intelligence agencies. Nor does it attempt to include even a casual reference to the 70 years long arrangements that existed between bodies such as the Five Eyes Intelligence alliance, which included British intelligence agencies.
2. Bulk warrants and operational purposes
Under Part 6 and 7 of the Act, a number of different kinds of bulk surveillance warrants may be issued, all of which enable the security services to intercept or collect huge volumes of data. The Lords added several amendments (Lords amendments 154 -155) relating to bulk warrants. In particular, they changed the provisions relating to ‘operational purposes’.
The Act provides that for each bulk warrant issued, the warrant must specify the ‘operational purposes’ for which data under a bulk warrants may be selected for examination. The operational purposes provided for in the Act (under the heading ‘Requirements that must be met by warrants’ for each bulk warrant in Part 6 and 7 of the Act) are: national security; or national security and the purpose of preventing or detecting serious crime; or national security and in the interests of the economic well-being of the United Kingdom.
These descriptions are broad, and could therefore potentially allow for the examination of a large quantity of the data obtained under the bulk warrant. Indeed, the breadth of communications that may be accessed under bulk warrants was one of the most controversial parts of the Bill during its passage through Parliament. Many organisations, such as Privacy International, argued that Bill may not be compliant with the UK’s obligations under the European Convention on Human Rights (ECHR), partly because of the broad nature of the operational purposes required to access data obtained by the bulk warrant. This view was also expressed by the UN Special Rapporteur when he delivered his first report to the UN Human Rights Council in March this year.
The Lords changed the Bill to ensure that the operational purposes included in a warrant can no longer be ‘general’ in nature. General in this context means that all that is included in a bulk warrant, with regards to operational purposes, is merely the broad descriptions as laid out in the preceding paragraph (such as ‘national security’ or ‘national security and in the interests of the economic well-being of the United Kingdom’). The Act now provides that the Secretary of State may only give approval to bulk warrants if the ‘operational purposes are specified in a greater level of detail than the descriptions’. This means that the security services will have to describe with more accuracy (than that of the descriptions) the kind of purposes for which data collected under bulk warrants may be examined.
Whether or not this amendment will in practice serve to limit the extent to which material collected under bulk warrants may be examined is not clear. If in practice the only extra detail that is included on the warrants uses broad or vague language, only slightly more specified than the descriptions, then presumably this amendment will not make much difference.
The Lords introduced further requirements which include that the heads of the intelligence services must maintain a list of operational purposes, which would be overseen by the new Investigatory Powers Commissioner (the head of a new oversight body set up under Part 8 of the Act). Furthermore, the list of operational purposes will have to be reviewed annually by the Prime Minister and be provided to the ISC every three months. Also, the Investigatory Powers Commissioner is now required to publish ‘information about the operational purposes specified’ for bulk in their annual report.
No doubt these changes provide welcome additional scrutiny by outside parties in a key area that has so far remained solely in the hands of the agencies. Indeed, it is understood that this will be a big change for the intelligence agencies, who will need to reconstruct a number of their systems to ensure that analysts can be compliant with this newly developed criteria. Perhaps more than any other part of the Investigatory Powers Act, this development will force a day-to-day change in the practice of the agencies’ officers trying to justify the necessity and proportionality of their individual actions.
However, even with these additional amendments, concerns regarding the compliance of these provisions with the ECHR may still stand. The human rights concerns cited in relation to bulk powers by the UN Special Rapporteur were that they “prima facie fail the benchmarks” set by the European Court of Human Rights in the recent Grand Chamber case of Zakharov v Russia (47143/06).
Although the Court was not in this case specifically dealing with questions regarding bulk interception, there is at least one ‘benchmark’ of relevance that may be tentatively read into the Court’s commentary in Zakharov (discussed in more detail by Carly Nyst here). It relates to the acceptable scope of surveillance carried out. In Zakharov, the Grand Chamber stated that interceptions must:
‘clearly identify a specific person to be placed under surveillance or a single set of premises as the premises in respect of which authorization is ordered. Such information may be made by names, addresses, telephone numbers or other relevant information” ()
It may be that in failing to specify individual targets, data or equipment of a particular person, premises or even an organisation, the use of bulk warrants, despite the use of more specified operational purposes, may be found unlawful by Strasbourg.
3. LPP and journalistic material
The previous surveillance regime, under the Regulation of Investigatory Powers Act 2000, contained no specific restrictions in relation to the state access to legally privileged or journalistic material. With recent inquiries into the identification of journalist sources by police, and findings by the Investigatory Powers Tribunal that the intelligence agencies policies for handling material subject to legal professional privilege (LPP) were unlawful, it was essential that the Investigatory Powers Act remedied past failings in this area.
With respect to material subject to LPP, the then Bill was amended such that: (a) LPP material could not be intercepted solely on the grounds that it was necessary for the interests of the economic well-being in the UK and; (b) a definition was provided for the ‘exceptional and compelling circumstances’ in which it may be considered necessary to intercept or select for examination LPP material.
Powers allowing LPP material to be accessed solely on the grounds of pursuing the interests of the economic well-being of the UK, would have been seen as a complete rejection by the Government of the importance of LPP as a vital principle of the administration of of justice. Some will be relieved that this part of the Bill was changed.
The inclusion of a definition of ‘exceptional and compelling circumstances’ will also be a source of relief. This is insofar as the Bar Council has expressly emphasised the need for a definition contained in primary legislation, as opposed to an accompanying code of practice.
The definition for ‘exceptional and compelling circumstances’ inserted into the Bill is that:
‘(a) the public interest in obtaining the information that would be obtained by the warrant outweighs the public interest in the confidentiality of items subject to legal privilege
(b) there are no other means by which the information may reasonably be obtained, and
(c) in the case of a warrant considered necessary…[as mentioned in the relevant section for each warrant]…obtaining the information is necessary for the purpose of preventing death or significant injury’
While this definition will be a welcome addition to the Act, problems remain with regards to the provisions for restricting access to LPP material. For example, the restrictions do not apply to communications data in the Act. This is troubling as it is widely accepted that communications data, described as the ‘who, where, when, what and how’ of our communications, may be just as revealing as the content of communications. The lack of LPP restrictions to communications data may be particularly concerning to the Bar Council and Law Society who, when the draft Bill was first published, argued that the new legislation should expressly protect LPP from ‘all forms of investigatory powers, including the acquisition of communications data’.
The Bill was also amended by the Lords to provide additional safeguards to confidential journalistic material and sources of journalistic information. The safeguards provide that an application for interception, examination or equipment interference with respect to material which the relevant authority believes will contain confidential journalistic material, or which may identify or confirm a source of journalistic material, must contain a statement that the purpose (or one of the purposes) is to access such material. Additionally, the person to whom the application is made may only issue the warrant if they consider that there are specific arrangements for the handling, retention, use and destruction of communications containing confidential journalistic material. Strangely, the protections regarding ‘sources of journalistic material’ do apply to communications data while protections for ‘confidential journalistic material’ do not.
Protections for journalistic material have been long awaited by many engaged with the passage of the Bill. The Joint Committee of the Draft Investigatory Powers Bill stated in clear terms that ‘protection for journalistic privilege should be fully addressed by way of substantive provisions on the face of the Bill’. Specifically, the Joint Committee recommended that the level of protection provided for in the bill should be ‘at least equivalent’ to the protection presently applicable under Police and Criminal Evidence Act 1984 and the Terrorism Act 2000.
However, the protections for journalistic material that have been added to the Bill are a far cry from the kind of protections provided for in Police and Criminal Evidence Act 1984, which requires a hearing on notice in front of a judge in order for journalistic material to be accessed – with the Government and the affected party both permitted to make legal representations. Indeed, there is no opportunity for such representations in the Investigatory Powers Act. What’s more, the new amendments contain no formal requirement that the relevant authority treats the case any differently just because they see that journalistic material may be involved. The National Union of Journalists have since condemned the passing of the bill along with many other free expression groups.
4. Restrictions on class Bulk Personal Dataset Warrants
Amendments have been added to impose further restrictions on the use of class bulk personal dataset (BPD) warrants. A BPD is a dataset containing information about a wide range of people, most of whom are not likely to be of interest to the security services. An example of a BPD is a list of people who have passports. Class BPD warrants are warrants which authorise the examination and retention of BPDs that are considered to be of a similar type and raise similar considerations. The Government has cited ‘travel data’ as an example of a class that the warrants might cover.
There has been wide opposition to the use of class warrants in relation to BPDs, primarily on the basis that they have the potential to exponentially expand an already broad power. The ISC in its report on the draft Bill stated of class warrants that the ‘acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant’. In subsequent evidence provided to the House of Commons, Rt Hon Dominic Grieve QC MP, the Chair of the ISC, stated that subject to safeguards to ensure the use of class warrants was limited, he was satisfied that class warrants were appropriate.
The Lords added several restrictions on the use of class BPD warrants. First, provisions were added to prevent a class BPD warrant being used to access a dataset that consists of health records or if a substantial proportion of the dataset consists of sensitive personal data (based on the definitions used in the Data Protection Act 1998). Second, it was added that an intelligence service may not retain, or retain and examine, a BPD in reliance on a class BPD warrant if the head of the intelligence service considers (a) that the BPD consists of, or includes, health records, or; (b) that a substantial proportion of the BPD consists of sensitive personal data.
A restriction was also added which specified that an intelligence service may not retain, or retain and examine, a BPD in reliance on a class BPD warrant if the head of the intelligence service considers that the nature of the BPD raises novel or contentious issues which ought to be considered by the Secretary of State and a judge (named a Judicial Commissioner).
Additional amendments provided that a class BPD warrant may not be used to retain or examine a BPD that contains “protected data” (which would include the contents of letters, emails or other documents). Safeguards were also added for items subject to legal professional privilege in BPDs – which were consistent with those safeguards provided for in relation to other bulk warrant.
The restrictions regarding personal data and novel or contentious issues were two of three safeguards proposed by the Rt Hon Dominic Grieve QC MP that would limit the use of class warrants for BPDs for the purposes of making these powers appropriate. The third restriction recommended was that there should be a limit on the number of BPDs that could be obtained under a class warrant. This restriction was not included in the Bill. Consequently, the provisions regarding class warrants fall short of meeting the standard, as laid out by the ISC.
5. Privacy protections
An example of an amendment which appears to have neither tightened up restrictions in the Bill nor responded to concerns expressed about the Bill, relates to privacy protection. An amendment was made to clause 1 of the Bill, which inserted the following line:
‘This Act sets out the extent to which certain investigatory powers may be used to interfere with privacy’
This amendment was tabled on behalf of the ISC. The need for strengthening privacy protections was initially emphasised by the ISC in their evidence submitted in response to the draft version of Bill. The ISC stated that it was their view that ‘privacy protections should form the backbone’ of the Bill. Specifically, it was highlighted that ‘[p]rivacy considerations must form an integral part of the legislation, not merely an add-on’.
In the subsequent version of the Bill, introduced into the House of Commons, the title of Part 1 of the Bill had been changed from ‘General Protections’ to ‘General Privacy Protections’, and a clause was added which laid out a general duty for public authorities to have regard to the public interest in the protection of privacy.
To many, these changes resembled something very much like an ‘add-on’ and it was highlighted at the time that for privacy considerations to form an integral part of the Bill, what would be required is more than adding the word privacy at the beginning of the Bill. In this context, it may be that the Lords amendment will also be seen as not making much of a contribution towards ensuring that privacy considerations are infused along the spine of the Bill.
6. Examination of material offences
Sometimes individuals in intelligence agencies abuse their powers. In the 2015 annual report of the Intelligence Services Commissioner, ‘two serious breaches’ were identified. The breaches involved officers accessing bulk data without appropriate justification. Both were fired.
Documents revealed in the course of litigation by Privacy International explain that in 2011 the Secret Intelligence Service sent a newsletter to all staff warning them about such abuse. It stated: ‘‘[w]e’ve seen a few instances recently of individuals crossing the line with their database use … looking up addresses in order to send birthday cards, checking passport details to organise personal travel, checking details of family members for personal convenience’.
Furthermore, it was revealed that, between June 2014 and February 2016, 47 ‘instances of non-compliance’, either with the MI5 closed section 94 handling arrangements or internal guidance or the communications data code of practice, were detected.
It is not known what further disciplinary action was taken against such individuals. It is unlikely that any criminal proceedings were taken against them. This is in part because, despite misuse of intelligence and security agencies systems being unlawful, it is not a specific criminal offence. Indeed, for misuse of those powers, only the general purposes in the Data Protection Act 1998, or the very general offence of misconduct in public office, can be relied upon should a prosecution be sought.
New amendments, introduced on behalf of the ISC, aimed to remedy this failing. With the support of the Government, they were passed. As Lord Butler explained when introducing them to the Lords, while the changes provide for new specific criminal offences for wrongfully examining material collected under the bulk warrants, they have been restricted to cases of deliberate misuse (under ‘[o]ffence of breaching safeguards relating to examination of material’ in Part 6 and Part 7 of the Bill). As such, if an officer didn’t deliberately choose to examine material which they know or believe is not authorised under the Bill, then this new offence would not apply.
This new penalty plugs a vital gap, nonetheless how and when it will be applied remains to be seen. While there are concerns about abuse inside the agencies not being properly punished, there are also concerns regarding what is officially considered to be abuse or illegitimate behaviour. For example, it transpired, in the course of recent IPT litigation, that Amnesty International had their communications intercepted by GCHQ. Many people would consider this to be an improper use of investigatory powers. However, the Investigatory Powers Tribunal found that the communications have been unlawfully interfered with, only because of internal handling errors rather than it being considered an abuse to acquire the communications of the world’s leading human rights charity.
7. National Security Notices, Technical Capability Notices and Data Retention Notices
National Security Notices, Technical Capability Notices and Data Retention Notices have been subject to amendments by the Lords (Lords amendments 299 -303).
National Security Notices, provided for in Part 7 of the Act, allow the Secretary of State to require telecommunications operators to take specified steps in the interests of national security. Such steps include requiring the operators to carry out any conduct, including the provision of services or facilities, for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.
The Lords have added changes which make clear that National Security Notices cannot be used as a means to require the taking of steps that would otherwise only have been lawful in those instances that a warrant or other authorisation (under a relevant enactment) had been obtained. In these cases, a warrant or authorisation must be obtained.
With respect to Data Retention Notices, approval by a Judicial Commissioner is now required. On one level, this change is good news insofar as it may be seen to tighten up the process for serving Data Retention Notices. However, the concerns that have previously been expressed about this form of authorisation still stand. As was highlighted in an earlier (and very informative) blog post written by Byron Karemba, there are varying views regarding the extent that the Judicial Commissioner will feel able to substantively review the decision by the Secretary of State. This is due to express provisions in the Act which state that the Judicial Commissioner is to apply judicial review principles. Karemba argues that there is a real danger that the system of authorisation which is contained in the Bill has the potential to morph into a rubber-stamping exercise whereby the Judicial Commissioner easily acquiesces to the assessment made by the Minister.
In addition to approval by a Judicial Commissioner being added in relation to a Data Retention Notice, any variation or revocation of a National Security Notice will now require that the Secretary of State applies a test of necessity as well as proportionality, and obtains judicial authorisation. The same is also now true with regards to Technical Capability Notices which will impose ‘requirements’ and obligations on tech companies, to ensure that they can carry out equipment interference, interception and data retention on the Government’s behalf.
These amendments are welcome insofar as they may help to prevent the Secretary of State being able to add more controversial material to the notices through variation following the initial judicial authorisation. However, as stated, the concerns regarding the potential limitations, with respect to the ability of Judicial Commissioners to scrutinise the Secretary of State’s decision, still stand.
It is clear that many of the changes made by the Lords were not purely cosmetic: some will serve to make the safeguards contained in the Bill more robust. However, some of the changes are fairly slight and do not seem to meaningfully restrict the powers in the Act. Furthermore, certain of them appear to fall short of meeting some of the concerns expressed by those who were called on to scrutinise the Bill, such as the ISC and the Joint Committee for the Bill. Many may view these results to be a disappointment given the rigorous engagement with the Bill, by experts, lawyers and NGOs, who provided extensive advice to the Government both on the issue of resolving official concerns and compliance with international law.
The authors would like to thank Graham Smith and Dr Tom Hickman for their helpful comments on earlier drafts of this piece. Any errors are the authors’ own.
Eric King is a Visiting Lecturer at Queen Mary, University of London and former Director of Don’t Spy on Us, a coalition of NGOs campaigning for surveillance reform.
Daniella Lock is a PhD Candidate (ESRC) at University College London.
(Suggested citation: E. King and D. Lock, ‘Investigatory Powers Bill: Key Changes Made by the Lords’, U.K. Const. L. Blog (1st Dec 2016) (available at https://ukconstitutionallaw.org/))