Investigatory Powers (Amendment) Bill: Overview of the Notices Regime
Updated 26 April 2024
What is a ‘notice’?
There are three different types of notices under the Investigatory Powers Act 2016 (IPA 2016) that can be imposed on telecommunications operators.
A “telecommunications operator” means a person who: (a) offers or provides a telecommunications service to persons in the UK; or (b) controls or provides a telecommunication system which is (wholly or partly) in the UK or controlled from the UK.
Notices are critical to ensuring that law enforcement and the intelligence agencies have access to capabilities and communications-related data needed to protect national security and prevent or detect crime. Amendments are being proposed to ensure the efficacy of these long-standing powers, the necessity of which has long been established. The bill will not create any new powers.
The three types of notice are:
- Data Retention Notices which require the retention of communications data (the ‘who’, ‘when’, ‘where’, and ‘how’) by operators.
- Technical Capability Notices which compel companies to build and/or maintain technical capabilities to respond to lawful requests for data under the IPA.
- National Security Notices which require the telecommunications operator to take specific steps that the Secretary of State considers necessary in the interests of national security. For example, providing services or facilities for the purpose of facilitating or assisting an intelligence service to carry out its functions.
All three types of notices are subject to robust, independent oversight before they can be issued. Notices must be both necessary and proportionate and subject to the “double-lock”, which means they must be approved by both the Secretary of State and an independent Judicial Commissioner before they can be given to the operator in question.
The IPA 2016 also lays out the factors the Secretary of State must consider when deciding whether to give a notice, including: whether it is proportionate; the technical feasibility of complying with the notice; the potential financial consequences of the notices; and the likely benefits.
These safeguards ensure there is a high threshold for issuing a notice. Whilst the definition of a telecommunications operator in the IPA 2016 encompasses a large number of companies, notices are only considered when they are of significant operational value and are necessary for law enforcement and intelligence services to protect national security and prevent or detect crime.
Even when there is a notice in place, law enforcement and the intelligence services must also have the relevant warrant or authorisation in place before they are able to access data. The decision to issue a warrant or grant an authorisation will, itself, be subject to appropriate safeguards to ensure that it is necessary and proportionate.
What is being proposed under the bill?
The bill will not create any new powers. Amendments are being proposed to ensure the efficacy of long-standing powers, the necessity of which has long been established. The proposals include introducing a notification requirement and an amendment to strengthen the review process.
- Preserving the status quo during the review process. If a company has referred their notice (or part of it) back to the Secretary of State for review, this amendment would introduce a requirement for a company to maintain the status quo during the review period, meaning that if lawful access was provided before the notice was given, then it must be maintained during the review period. This will be without prejudice to the outcome of the review. This safeguards public safety during this period by ensuring telecommunication operators do not make changes that will negatively impact existing lawful access.
- Amending the definition of a telecommunications operator. As companies increasingly have multiple entities spread across the globe involved in the delivery of their services, we are amending the definition of a telecommunications operator to ensure the IPA continues to apply to all those it was intended to. This amendment is being sought out of an abundance of caution and is not seeking to bring additional companies within scope. It merely clarifies that large companies are covered in their totality by the IPA, not just specific entities of them. This avoids the need to understand sometimes opaque, complex corporate structures and will improve the effectiveness and efficiency of the regimes and the process of issuing notices.
- Introducing a notification requirement. The notification requirement is an obligation that can be placed on telecommunications operators to inform the Secretary of State of changes, including technical changes, that they are intending to make which could affect existing lawful access capabilities. It does not provide powers for the Secretary of State to approve or refuse technical changes – it is simply a requirement for the companies to inform the Secretary of State of relevant changes before those changes are implemented.
- We will also introduce a requirement for the Secretary of State to inform a company that they are bound by this obligation and clear thresholds will be established to define the factors the Secretary of State will consider before placing an operator under the notification requirement. This is to ensure that it does not disproportionately affect operators who do not hold operationally relevant data. It will not be an automatic requirement for all companies. These thresholds will be introduced by regulations, following the passage of the bill.
- The intention is not to introduce a consent or veto mechanism or any other kind of barrier to market. A key driver for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which may in some circumstances be all that is required to maintain lawful access.
- Renewal process for notices. Currently notices do not expire until they are revoked by the Secretary of State. We plan to introduce a new renewal process for notices so that if two years have passed since a notice was given, varied, or renewed, it must go through the ‘double lock’ process, which includes the full case for necessity and proportionality being made by the Secretary of State and the decision subject to the approval of a Judicial Commissioner.
What will the impact on the tech sector be?
The proposals are intended to ensure the efficacy of the existing powers in the context of new technologies, the commercial structures of a modern digital economy and the associated risks. They aim to ensure that the law mitigates these risks where possible while protecting the privacy of citizens and the ability of companies to develop cutting-edge technologies. It should be noted that existing notices can already include a notification obligation as laid out in the relevant regulations.
To be clear, these changes do not directly relate to end-to-end encryption, but are designed to ensure that companies are not able to unilaterally make design changes which compromise exceptional lawful access where the stringent safeguards of the IPA regime are met.
Ultimately, this is about public safety and ensuring that those tasked with keeping the public safe have the necessary tools to do so. The various forms of notice are a critical part of those tools, ensuring that law enforcement and the intelligence agencies have access to the capabilities and communications-related data that they need to protect national security, prevent child sexual exploitation and prevent and detect other serious crimes.