Investigatory Powers (Amendment) Bill: Overview
Updated 26 April 2024
What are investigatory powers?
Investigatory powers are the legal powers available to law enforcement, the intelligence services (MI5, SIS, and GCHQ), and other public authorities, to obtain communications and data about communications.
These powers cover acquisition and retention of communications data, the interception of communications and equipment interference for obtaining communications and other data. They also include provisions relating to the security and intelligence agencies’ retention and examination of bulk personal datasets.
The Investigatory Powers Act 2016
The Investigatory Powers Act 2016 (IPA 2016) provides a framework for the use and oversight of investigatory powers by the intelligence services, law enforcement, and other public authorities. It helps safeguard people’s privacy by setting out stringent controls over the way these powers are authorised and overseen.
The IPA 2016 brought together many of the UK’s existing investigatory powers in one single piece of legislation. The IPA 2016 also created the ‘double lock’ – the requirement for IPA warrants for some powers to be approved both by a Secretary of State and then by a Judicial Commissioner. Alongside the requirement for necessary and proportionate use of the powers, the independent oversight by the Investigatory Powers Commissioner is one of the key cornerstones of the regime. This oversight was consolidated into a single body under the IPA 2016 to ensure clarity and consistency.
The IPA 2016 created a single statutory framework for the following powers:
- interception of communications (targeted and bulk)
- the acquisition and retention of communications data (targeted and bulk)
- equipment interference (targeted and bulk) and
- retention and examination of bulk personal datasets
The IPA 2016 was world-leading legislation for its time, but some aspects need updating following the rapid changes in threats and technology that we have seen in recent years.
Case for amending the IPA 2016
Since the introduction of the IPA 2016, the world has changed. Technology has rapidly advanced, and the type of threats the UK faces continues to evolve.
The Investigatory Powers (Amendment) Bill will deliver the urgent, targeted changes needed to protect the British people. The reforms will enable the security and intelligence agencies to keep pace with a range of evolving threats, against a backdrop of accelerating technological advancements that provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. The world-leading safeguards within the IPA will be maintained and strengthened.
Updating the IPA 2016 to reflect the reality of the current threat and technology landscape will help to ensure that our intelligence services can develop the necessary tools and capabilities to rapidly identify intelligence insights from vast quantities of data, allowing them to better understand and respond to threats to the UK.
What does the Investigatory Powers (Amendment) Bill do?
The bill will make a small number of targeted changes to the act.
The bill will include changes to the bulk personal dataset regime, which will improve the intelligence services’ ability to respond with greater agility and speed to existing and emerging threats to national security.
It will expand the oversight regime to support the Investigatory Powers Commissioner in carrying out their role, including putting more of their functions on a statutory basis. This will maintain the robust, transparent, and world-leading safeguards in the regime.
Additionally, the bill will improve the Notices’ regimes, which will help the UK anticipate the risk to public safety posed by the rolling out of technology by multinational companies that precludes lawful access to data. This will reduce the risk of the most serious offences such as child sexual exploitation and abuse or terrorism going undetected.
The bill introduces an additional condition for use of Internet Connections Records, to ensure that these can be used effectively to detect and target the most serious types of criminal activity and national security threats without a disproportionate increase in levels of intrusion.
And the bill will increase the resilience of the warrantry authorisation processes, which will allow for greater operational agility for the intelligence services, as well as for the National Crime Agency, supporting them to tackle the most serious national security and organised crime threats.
How did we get here?
To ensure that the provisions in the IPA 2016 continued to meet its aims, the Home Secretary conducted a Statutory Review of the functioning of the act which was published in February 2023. The conclusion of this review was that some limited aspects of the act are inhibiting the ability of the intelligence services to keep the country safe from both current and evolving threats.
Engagement with law enforcement, the intelligence services, wider public authorities, and government departments found that, whilst in high-level terms the IPA 2016 has broadly achieved its aims, there is a case for immediate legislative change to limited parts.
To complement the Home Secretary’s Statutory Review, and noting the value of the independent scrutiny that informed the passage of the IPA 2016, the Home Secretary appointed Lord Anderson of Ipswich KBE KC to conduct an independent review into the act to inform any potential legislative change.
Lord Anderson’s review was entirely independent from the Home Secretary’s statutory review. His review, published in June 2023, focused on the effectiveness of the bulk personal dataset regime, criteria for obtaining internet connection records, the suitability of certain definitions within the act, and the resilience and agility of warrantry processes and the oversight regime. His report concluded that reforms in these areas were required to keep pace with the reality of the current threat and technology landscape.
Definitions of powers
A Bulk Personal Dataset (BPD) is a set of data that has been obtained by the intelligence services, consisting of personal data relating to a number of individuals, and the nature of that dataset is such that the majority of individuals contained within it are not, and are unlikely to become, of interest to those organisations in the exercise of their statutory functions. This definition does not currently distinguish between different types of datasets and includes those that are publicly or commercially available.
Communications Data (CD) is information about communications: the ‘who’, ‘where’, ‘when’, ‘how’ and ‘with whom’ of a communication but not what was written or said (i.e. the content of that communication).
Equipment Interference (EI) is interference with any equipment for the purposes of obtaining communications, equipment data or any other information that might otherwise constitute an offence under the Computer Misuse Act 1990.
Interception is the obtaining of the content of a communication – such as a telephone call, email or social media message – in the course of its transmission or while stored in or by a telecommunications system.