Consultation on revised notices regimes in the Investigatory Powers Act 2016 (accessible version)
Updated 8 November 2023
Ministerial foreword
For many years, the UK government has had the power to place requirements on telecommunications operators to assist with national security and law enforcement, for example in the Telecommunications Act 1984. This consultation is therefore not about the creation of new powers, it is about the efficacy of long-standing powers the necessity of which has long been established.
The Investigatory Powers Act 2016 (IPA) is a world-leading piece of legislation that provides a comprehensive regime for regulating the use by public authorities of intrusive investigatory powers. It makes clear the circumstances in which the various investigatory powers may be used and the strict safeguards that apply, ensuring that any interference with privacy is strictly necessary, proportionate, authorised and accountable.
When it was introduced, one of the main aims of the IPA was to ensure the powers were fit for the digital age. In the period since 2016, the global volumes of data that exist have grown exponentially, and significant, fast-paced technological change has become the norm. As noted in my Report on the Operation of the Investigatory Powers Act 2016, published on 9 February 2023, “the Act has not been immune to changes in technology over the last 6 years.”
We have seen the efficacy of the powers shifting with these changes in technology and an increase in data being held overseas. Some of these technological changes risk having a negative effect on the capabilities of our law enforcement and intelligence agencies. We must ensure that the law enables us to mitigate this risk, whilst still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.
Companies and governments can, and do, work together to ensure the safety of the public on a range of threats, from child sexual exploitation and abuse to terrorism content, but in order for that cooperation to be effective, and for our investigatory powers to remain effective against a backdrop of rapid technological change companies must work openly and willingly with us. The changes proposed in this consultation seek to improve the mechanisms, that if required, allow the Secretary of State to act to ensure that our investigatory powers remain effective, and to protect the capabilities of our law enforcement and intelligence agencies. It is clear that there are ways in which the current notices regimes can be, and should be, improved in that regard.
It is vital that investigatory powers are properly regulated and subject to appropriate safeguards and oversight. Decisions about lawful access to data in the interests of national security or tackling serious crime should be taken by democratically accountable Secretaries of State within a statutory framework approved by Parliament, and overseen by Judges and by Parliament. This decision-making ability must not be curtailed for commercial reasons with consequent detrimental impact on citizens. We are committed to working with industry, and other relevant stakeholders, to develop reasonable proposals that will enable technology companies and government to continue to protect the public and their privacy, defend cyber security and human rights, and support technological innovation.
This consultation is a step towards enhancing this cooperation and all responses will be welcomed and carefully considered.
The Rt Hon Suella Braverman KC MP Home Secretary
Scope of the consultation
Topic of this consultation:
This consultation is on possible outcomes for revised Investigatory Powers Act notices regimes intended to improve the effectiveness of the current regimes.
Scope of this consultation:
This consultation seeks representations on the proposed outcomes for amended regimes for technical capability notices, data retention notices and national security notices.
Basic information
To:
Representations are welcomed from those organisations whose services could be affected by the relevant provisions of the IPA, the public authorities who have powers under the IPA, professional bodies, interest groups, academia and the wider public.
Duration:
8 weeks
Enquires and responses:
Please send any enquiries and responses to:
IPAnoticesconsultation@homeoffice.gov.uk
Please indicate in your response whether you are content for it to be published, with or without attribution to you/your organisation.
After the consultation:
Following the consultation period, responses will be analysed and the consultation response published. Consideration will also be given to exactly when, and how, to take forward any changes.
Background
Getting to this stage:
In preparing this draft, we have engaged with public bodies who utilise the powers covered by the existing notices regimes. We have also sought input from the independent Investigatory Powers Commissioner, who oversees and monitors the operation of the legislation.
What are the notice regimes?
The IPA provides for 3 different kinds of notices that can be imposed on telecommunications operators (and in some cases postal operators):
Data Retention Notices (DRNs)[footnote 1] require the retention of communication data (communications data is the ‘who’, ‘when’, ‘where’ and ‘how’) by operators.
Technical Capability Notices (TCNs)[footnote 2] require operators to provide and maintain technical capabilities enabling them to respond to relevant IPA authorisations or warrants allowing access to communications data, the content of a communication (the ‘what’), or to enable equipment interference. A notice does not itself authorise the activity that the technical capability is intended to enable.
The obligations that may be imposed by a TCN are set out in the Investigatory Powers (Technical Capability) Regulations 2018.
National Security Notices (NSNs)[footnote 3] require the telecommunications operator to take such specified steps as the Secretary of State considers necessary in the interests of national security. This may include providing services or facilities for the purpose of facilitating or assisting an intelligence service to carry out its functions, or dealing with an emergency (as defined within the Civil Contingencies Act 2004).
All 3 types of notices must be ‘double-locked’ (approved by both the Secretary of State and a Judicial Commissioner) before they can be given to the operator in question. The IPA also lays out the factors the Secretary of State must consider when deciding whether to give a notice.
The IPA also specifies that those persons in receipt of a notice, or any person employed or engaged for the purposes of that person’s business, must not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State.
For this reason, it is Home Office policy to neither confirm nor deny the existence of any notices.
Why do we need the notice regimes?
The various forms of notice are critical to ensuring that law enforcement and the intelligence agencies have access to capabilities and communications-related data that they need in order to protect national security and for the purposes of the prevention and detection of crime.
Without the capabilities that are provided by telecommunications and postal operators in accordance with the notices, in many cases it would not be practicable for operators to give effect to IPA authorisations and warrants, nor would it be possible for the public authorities to use the respective powers under the IPA at the scale and pace required for their investigations.
The public authorities must have the relevant warrant or authorisation in place before they are able to access data even where a notice is in place. The decision to issue a warrant or grant an authorisation will, itself, be subject to appropriate safeguards to ensure that it is necessary and proportionate.
Why are we consulting?
Any changes to the notice regime would impact upon specific groups – current and prospective postal operators[footnote 4] and telecommunications operators[footnote 5], as defined by the Act. These groups are theoretically quite large. However, notices may only be given where necessary and proportionate and so, in practice, notices are likely to be given only to a limited number of operators. We are therefore specifically targeting these groups with this consultation.
Nevertheless, we also welcome the opportunity to receive comments on the operation of the notices regime from interested groups and members of the public. Therefore, we are undertaking a full public consultation so we can be confident that all those who it might reasonably be considered appropriate to consult, have been consulted.
Proposed changes
As this consultation will feed into the development of the policy, the focus of the proposed changes section is on overarching objectives rather than on the specific amendments to the IPA that may be needed to realise these objectives. Additionally, some of the objectives could be achieved through different routes and the outcomes of this consultation will inform which of these we choose to pursue.
These changes are primarily intended to address the notice regimes as they apply to telecommunications operators, however we propose that the changes apply across all notice regimes to ensure consistency and therefore cover both telecommunications operators and postal operators.
As previously noted, the notice regimes have been in place in various forms for nearly 40 years and have, for the most part, proven to be effective and fostered positive and collaborative relationships with telecommunications operators. It is therefore critical that any existing capabilities provided under the notices are not negatively impacted by any changes.
Objective 1 – Strengthening the notice review process
When giving a notice for the first time the Secretary of State has a statutory obligation to engage in a consultation period with the relevant operator. Following this consultation, and taking into consideration the views of the operator, the Secretary of State then considers whether to formally give the notice. Should she decide to do so, the notice has to then be approved by a Judicial Commissioner and formally given to the company before its obligations become binding on them. If at this point the operator is dissatisfied with the terms of the notice they have a statutory right to refer the notice (or part of it) to the Secretary of State for review.[footnote 6]
As it stands, during a review period the operator is not required to comply with the notice, so far as referred, until the Secretary of State has concluded the review. Where an operator is seeking to make changes to their system that would have a detrimental effect on a current lawful access capability, this could create a capability gap during the review period, which is an issue we believe should be addressed.
This could be done through a general requirement to maintain the status quo through this period, ensuring that our lawful access to data is maintained.
This would be without prejudice to the outcome of the review process.
Objective 2 – Timely and informative responses
Linked to objective 1, we propose that there should be an obligation placed on the operators to cooperate with the consultation process before the decision to give a notice is made, and with any subsequent review process, and to provide relevant information as necessary and within a reasonable time.
This should ensure that these processes can be concluded in a timely fashion and that the relevant decision makers are able to make fully informed decisions. Those decision makers will include, where a notice is given, the Judicial Commissioner, whose role is to approve the notice.
Sharing of technical information, in particular, is vital for the development of any solutions and will ensure that the Secretary of State is fully informed before making a decision.
Objective 3 – Scope of the regime
Some provisions of the IPA already have extraterritorial effect, which is a key element of its operational effectiveness.[footnote 7] The notices can be served on overseas operators already. However, the wider regulatory and commercial environment risks affecting the operational effectiveness of these notices given the current scope of the IPA.
In the modern digital economy, an operator in Country A can provide services in Country B using infrastructure that the operator does not own and without the need to have a physical presence there. This is a critical part of how the system operates and we are not proposing anything that would affect this flexibility and freedom that benefits both the economy and UK citizens as customers of these services.
However, there may be unintended consequences of this flexibility in the system regarding lawful access to data for example, where the provision of a service in the UK is separated across different legal entities in different jurisdictions making it harder to discern to which entity a notice should most appropriately be issued. While we must always ensure our use of the investigatory powers is necessary and proportionate, we do need to ensure data can be accessed when it is necessary and proportionate to do so.
We propose to resolve this potential for uncertainty by making changes to the Act to provide greater clarity that its provisions continue to apply to the operators to whom it was intended to apply, including those that have adopted more complex corporate structures.
Additionally, we believe that it would be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes[footnote 8]. We propose to draw on existing precedent in wider UK legislation as a starting point for these options however we welcome the views of respondents on the most appropriate approach.
Objective 4 – notification requirements
We propose to make changes that would support cooperation between government and industry by setting clear expectations about the circumstances in which operators might be expected to notify the Secretary of State of planned changes to their service that could have a negative impact on investigatory powers and, where necessary, mandating notification of planned changes. This would be intended to facilitate early engagement between operators and the government so that, where necessary, appropriate steps can be taken in good time to ensure that any negative impact on investigatory powers is fully considered, and so that we can ensure continuity of lawful access to data against a background of changing technology.
As previously stated, the overarching intention of this consultation is to secure and maintain IPA capabilities by making efficiencies to our existing notices regimes. We want to ensure that the impact on business is appropriately taken into account and that notification requirements do not unduly impact on those operators who are not, and who are unlikely to be, called upon under the IPA. To this end, we fully acknowledge the need for strong safeguards that deliver the IPA’s fundamental principle of necessity and proportionality.
We therefore propose that a provision should be introduced to require, where necessary, relevant operators to inform the Secretary of State of relevant changes, including technical changes. We propose that the provision would require the notification to be made a reasonable time before relevant changes are implemented. These obligations could also apply to a person who is proposing to become a postal operator or a telecommunications operator in line with the existing position on IPA notices.
To ensure this provision is proportionate, we propose to introduce a requirement for the Secretary of State to consider the necessity and proportionality of imposing a requirement to notify, including taking into account the impact on the business or businesses to whom it will apply as well as the likely benefit of early notification. This would avoid placing burden on those telecommunications operators whose data is of minimal operational importance.
Additionally, we intend to develop a series of thresholds that would also trigger the notification requirement, for example, if a technical change could substantively impact existing IPA capabilities or the availability of communications and communications related data for a certain number of users or a certain percentage of the market. We welcome comments from respondents on this approach, including potential thresholds.
There could also be requirements on the Secretary of State to take account of the impact on commercial decisions, or by extension the relevant market.
Existing notices can include a notification obligation, as laid out in The Investigatory Powers (Technical Capability) Regulations 2018. The concept proposed here replicates a similar obligation but applies it in isolation. We believe this is therefore a proportionate solution that ensures we are able to protect citizens without placing any unnecessary or disproportionate obligations on operators. However, it would not negate the potential need for a notice in other circumstances.
Objective 5 – Renewal of notices
Currently, notices are double-locked for any variations, and the IPA requires that the Secretary of State keeps notices under regular review, with the review process described in the relevant Codes of Practice. However, there is not a requirement for the Investigatory Powers Commissioner to renew the notices once they are in place, which is different from the warranty regime. The introduction of a statutory role for the Investigatory Powers Commissioner within a renewal process would help ensure the notices remain necessary and proportionate.
This renewal process would be conducted if a 2-year window had passed since the notice was given, renewed, or last varied, as each variation requires the full case for the notice overall to be put forward thereby effectively creating a pseudo-renewal process.
-
Part 4 IPA. ↩
-
Chapter 1, Part 9 IPA. In particular, section 253. ↩
-
Chapter 1, Part 9 IPA. In particular, section 252. ↩
-
Defined in section 262, IPA. ↩
-
Defined in section 261, IPA. ↩
-
For DRNs, see section 90; for TCNs and NSNs, see section 257. ↩
-
See, for example, section 41(4). ↩
-
Section 95 for DRNs and section 255(10) for TCNs. ↩