The new law gives UK intelligence and law enforcement bodies
sweeping surveillance powers.
The IPA was introduced in response to recommendations that David
Anderson QC made, in his capacity as the Independent Reviewer of
Terrorism Legislation, to conduct a review of existing laws
relating to regulatory powers. The UK government contends that the
new legislation is needed to respond to evolving threats within a
changing communications environment, especially regarding
cybersecurity and terrorist threats.
In broad terms, the IPA permits intelligence and law enforcement
bodies to require internet service providers to collect, retain,
and disclose broad categories of communications data in certain
The IPA allows the secretary of state to require communications
companies to retain communications data for a period that must not
exceed 12 months. The power is exercised by giving a retention
notice to the company. A retention notice, which may relate to more
than one company, will require the retention of specified data for
the period of the notice, which must not exceed 12 months. This
means that companies could be ordered to retain, for a limited
period, records of every website and messaging service accessed
from any device used by citizens based in the United Kingdom.
Provided that a warrant has been obtained by the secretary of
state, companies could also be ordered to submit bulk data sets to
government bodies or to allow mass surveillance of their
customers' data, such as by allowing the government to see
messages sent or received on smartphones.
The government states that the IPA adequately protects UK
citizens' personal data because the legislation creates
a "double-lock" for the most intrusive mass
surveillance powers, so that warrants issued by a secretary of
state also require a senior judge's approval;
a powerful new Investigatory Powers Commissioner, who will
oversee how the powers are used;
new protections for journalistic and legally privileged
material, and a requirement for judicial authorisation for
acquiring communications data that identify journalists'
tough sanctions for those who abuse the powers, including
In the seminal decision of Maximillian Schrems v. Data
Protection Commissioner, the European Court of Justice (ECJ)
struck down the so-called "Safe Harbor" framework
governing the transfer of personal data exported from the European
Economic Area to the United States. In doing so, the ECJ was
heavily influenced by Edward Snowden's revelations relating to
US law facilitating the mass surveillance of personal data relating
to citizens of the European Union (EU). For as long as the United
Kingdom remains in the EU, concerned citizens may bring a legal
challenge regarding the United Kingdom's compatibility with EU
data protection law, particularly in light of the forthcoming
General Data Protection Regulation, which will take effect in May
2018. Once the United Kingdom triggers notice to leave the EU, any
future data transfer framework agreed on between the two is
likely to consider the scope of the powers granted to the UK
government under the IPA. Finally, some have expressed concern that
by requiring communications companies to collect this data in the
first place, the government is increasing rather than decreasing
the data protection and security risks for UK businesses and
citizens. Such data sets will likely be highly valuable and sought
after by cyber criminals. This may therefore encourage them to try
to find ways to access such data.