Opinion: Tim Musson
The Investigatory Powers Bill raises many contentious issues regarding the proper boundary between security and the right to privacy, but two at least should be of particular concern to solicitors
The Investigatory Powers Bill (IPB) is the latest in a controversial series of bills attempting to balance the needs of the security and intelligence agencies and other authorities to carry out investigations against the right to privacy enshrined in article 8 of the ECHR. It is widely agreed that terrorism and serious crime are carried out by networks of individuals who communicate electronically with each other and that investigation of their activities requires surveillance and analysis of their communications. It is also fairly generally agreed that members of the public have a right to privacy. The difficulties lie in agreeing on precisely what information is needed for investigations, the degree of intrusion into privacy that is proportionate in a particular situation and the mechanism for approving the intrusion (the collection of information).
The IPB is a true beast of a bill, very long and very complex. Various parliamentary committees have discussed it at length and with huge quantities of evidence. It attempts to bring together, “clarify” and extend powers which currently exist in a wide range of instruments, amending these as necessary. Accompanying notes repeatedly make statements like “the bill will not create a new power but bring greater transparency to this important capability and provide for enhanced safeguards”: the reality is that some powers, particularly under the Regulation of Investigatory Powers Act, have a very dubious status and the IPB effectively creates them.
At least two issues are of particular relevance to solicitors. The first relates to legal professional privilege (LPP). The draft bill made no reference to LPP, though assurances were given that this would be covered by a code of practice. In written evidence the Law Society of Scotland considered that this was both unsatisfactory, as a code does not have the force of law, and very unusual as all previous investigatory powers legislation made express provision for LPP. The current version of the bill does make some provision.
The protection is probably adequate for targeted warrants, which may only be issued in “exceptional and compelling circumstances” and with safeguards concerning the subsequent destruction of any material obtained. Similar constraints apply to bulk interception and bulk equipment interference warrants, where the selection criteria make it likely that items subject to LPP will be identified. If large datasets are involved, some items relating to communications between a solicitor and client will certainly be identified. The problem is that LPP is fragile: once confidentiality is breached, LPP ceases to exist. If communications between lawyer and client are for criminal purposes, LPP does not exist, so the confidentiality issue is irrelevant. However, when there are no criminal purposes this breach of confidentiality is problematic.
The second issue is the definition of the offence of unlawful interception. The interception of a communication being transmitted by a public postal service is defined to be an offence. Many solicitors use private services, such as Legal Post, to send sensitive and confidential information. These are not given any equivalent protection.
There are many other issues with the bill as it stands, some of which may be resolved before it is passed, which it certainly will be. Some definitions are very unclear, especially in relation to controversial aspects. For example, an “internet communication record” is communications data which make it possible to identify which internet services (e.g. websites) have been accessed by a particular device, but precisely what it comprises is not clear, even to expert witnesses. The precise definition is important because it determines the practicability and cost of collecting and storing data, which could relate to every internet access made by every device in the country over a year.
The security measures required to keep these data are another concern. Bulk personal datasets of this sort typically contain only a very small proportion of data of interest to the authorities; however a much greater proportion may be of interest to criminals, forming an obvious target.
Other concerns, very briefly, include:
- ongoing cases at the CJEU and ECtHR which may impact on the IPB;
- the CJEU decision in the 2014 Digital Rights Ireland case, the basis for the legal challenge to the Data Retention and Investigatory Powers Act, may well give grounds for challenging the mass data collection aspects of the IPB.
The IPB is an ambitious bill, possibly too ambitious. It might well have been better to proceed through several smaller, less complex bills.
Tim Musson is director of Computer Law Training Ltd and convener of the Law Society of Scotland’s Privacy Law Subcommittee