The Regulation of Investigatory Powers Act 2000 ("RIP") provides for a new surveillance regime governing intrusive investigative techniques. Critics of government policy fear that this will dramatically increase the compliance costs for online businesses in the United Kingdom, particularly Internet Service Providers ("ISPs"). RIP will also impact on consumer confidence in UK based e-businesses, once people become aware that private communications can be intercepted.

The government claims that European legislation, the Telecoms Data Protection Directive, necessitated RIP. However RIP may have gone further than the Directive required.

Key relevant highlights are:

  • The creation of new civil liability for unlawful interception on a private network by the operator of that system, which therefore affects businesses which check staff use of the web and e-mail;
  • Interception by a business without a warrant is lawful only if either:
    • All parties to the communication consent;
    • It is within the Lawful Business Practice Regulations, which came into force on 24 October 2000. The purpose of the Regulations is to ensure that legitimate business practices are not prevented by the new regime. The Regulations permit business to monitor communications without the caller's consent in specified circumstances e.g. gaining routine access to business communications during staff absence. Businesses are required to inform staff that interceptions may take place.

Employers now have a mass of overlapping regulation on monitoring staff to understand: RIP, the Human Rights Act 1998 and the Data Protection Act 1998. The UK Data Protection Commissioner has published a draft code of practice on the use of personal data in employer/employee relationships.
  • Access to encrypted information can be required by law enforcement agencies in specified circumstances, which makes the United Kingdom now the only G8 country to allow state access to decryption keys. Encryption is the mathematical technique of encoding text or data to make it unreadable to all except the intended recipient.

Businesses that use encryption will need to put in place procedures for the management and disclosure of decryption keys. The United Kingdom's position contrasts with other countries, notably Ireland, which proposes that law enforcement agencies can never require disclosure of encryption keys; and

  • Telecommunications operators, including ISPs, can be required to maintain interception capability.

Compliance costs burdens on ISPs may drive some out of the United Kingdom. The Home Office has put aside £20 million as a contribution to these costs over the next three years but industry estimates are much higher than this.

The information and opinions contained in this publication are provided by national law firm Hammond Suddards Edge. They should not be applied to any particular set of facts without seeking appropriate legal or other professional advice.