The Investigatory Powers Act 2016. Interesting Times.

The Investigatory Powers Act 2016 (IPA) consolidates existing legislation and powers available to law enforcement and intelligence agencies to gather data. The Act has largely been introduced as a counterterrorism measure. However, it may now need to be reconsidered in light of the decision handed down by the European Court of Justice (CJEU) in Home Office v Watson.

Home Office v Watson was an action for judicial review of the lawfulness of the data retention regime in section 1 of the Data Retention and Investigatory Powers Act 2014 (“DRIPA”). This required telecommunications operator to retain communications data for up to 12 months. The claimants argued that DRIPA and the national regime had to comply with the processing of personal data and the protection of privacy under the ePrivacy Directive and the Charter of Fundamental Rights of the EU. How does this connect with the IPA?

The IPA gives authorities wide-ranging surveillance powers to collect data about individual’s activities. For example, authorities can collect internet connection records (ICR) and communications data which must be stored by companies for up to 12 months. Furthermore, authorities can now hack into phones and connect remotely to computers described in the Act as “specific equipment interference”.

Although the IPA has safeguards in place when information is to be accessed (example the Investigatory Powers Commissioner is to act with a judicial commissioner when considering if a warrant is to be granted) the CJEU in Home Office v Watson has now clarified that certain parts of the IPA and of the Charter of Fundamental Rights of the EU must be interpreted as meaning:

1. That national legislation cannot be passed demanding general or indiscriminate
   retention of communication and/ or location data by EU Member States; and
2. In the instances where communication and/ or location data is retained:

• The data must only be accessed in limited circumstances in order to fight serious crimes which includes the terrorism.
• National authorities belonging to an EU Member State must obtain approval prior to accessing such data by from a court or independent administrative authority.
• The EU Member State should implement national laws requiring data to be kept within the EU.

As part of the EU the UK is bound by the decisions rulings of the CJEU. However, even after the UK leaves the EU, the EU data protection laws cannot be ignored. In Schrems v Data Protection Commissioner, the CJEU held that the sharing of data from an EU Member State to a non-EU Member State (including the UK after Brexit) must provide a level of protection of fundamental rights equivalent to that of the EU Member State.

Please note that the above does not constitute legal advice. Please contact Nath Solicitors for further information.