RESPONSE OF THE DATA PROTECTION COMMISSIONER TO
THE GOVERNMENT’S REGULATION OF INVESTIGATORY POWERS BILL
A BRIEFING FOR PARLIAMENTARIANS
1. The Data Protection Commissioner welcomes the Regulation of Investigatory Powers Bill in that it updates the relevant investigatory powers to take account of new technology, implements Article 5 of the Telecommunications Data Protection Directive on confidentiality of communications, introduces controls on interception in private telecommunication systems, and institutes controls on surveillance activities.
2. In 1999 The Data Protection Commissioner (then known as ‘Registrar’) commented at some length on the Government’s proposals for revising the Interception of Communications Act 1985 and on the Government’s draft legislation to facilitate the use of electronic communications and electronic data storage. During the consultation process she made clear her concerns in relation to the lack of external scrutiny for warrants for interception issued for use by law enforcement agencies; the lack of requirement for a warrant where access to communications data is sought and the new powers allowing law enforcement agencies access to protected electronic information.
3. The new Regulation of Investigatory Powers Bill combines rules relating to access to protected electronic information, originally provided for in the Department of Trade and Industry’s draft Electronic Communications Bill of July 1999, as well as provisions revising IoCA. Her responses to the Government’s original proposals are available on her website www.dataprotection.gov.uk. The Commissioner wishes to restate her previous view and draw attention to some additional points, particularly in relation to surveillance activities.
PART II - INTERCEPTION OF COMMUNICATIONS
External Scrutiny Of Warrants
4. The Commissioner recognises the need to review the 1985 legislation relating to the interception of communications so that new media, such as electronic mail, can be dealt with appropriately. However, while she accepts that law enforcement and national security agencies should have the ability to intercept communications, she believes that there are strong arguments in favour of ensuring that warrants for interception are subject to judicial scrutiny at the point of issue, but notes that the Government has not made provision for this in the Bill.
5. The Act of intercepting any communication justifies strict controls. While problems might arise in this area in relation to warrants obtained for the purposes of safeguarding national security, the same complications do not arise in relation to the interception of communications for the purpose of preventing or detecting serious crime.
6. If information were obtained under a judicial warrant where the interception was related to the prevention and detection of crime the intercept product would be admissible in evidence in legal proceedings. This would also allow for judicial scrutiny of the procedure at a later date and would provide an alternative to the Tribunal as a forum for dispute resolution.
7. Two separate systems could be established, whereby judicial warrants would be more appropriate for use in relation to criminal matters and administrative warrants would mainly be relied upon in cases involving national security.
8. The Commissioner questions the distinction made in the Bill between the requirements for gaining access to data contained within an intercepted communication and those for gaining access to other communications data such as traffic and billing information. Both sets of data provide insight into the private lives of individuals and should therefore be subject to equivalent controls and safeguards.
9. The EU Directive on the Protection of Privacy in the Telecommunications sector recognises the importance of safeguarding traffic and billing data and lays down strict rules about the retention and use of this information by telecoms providers. It is the Commissioner’s view that access to traffic and billing data should also be made subject to prior judicial scrutiny, so that consideration could be given to Article 8 of the European Convention on Human Rights.
PART II -
Clause 25(3) of the Bill defines surveillance as
‘intrusive’, providing for greater protection for the privacy of the
individual, if it is covert and is aimed at activities carried out on
residential premises or in any private vehicle. The Commissioner suggests that this definition should be widened
to include any premises or location where the individual has a legitimate
expectation of privacy, for example, a doctor's surgery or an MP's private
Clause 25(5) of the Bill states that if surveillance is
carried out by means of a surveillance device in relation to activities on any residential
premises or in any private vehicle, but is carried out without that device
being present on the premises or in the vehicle, then the surveillance can not
be defined as ‘intrusive’ unless the device provides information of the same
quality and detail as might be expected to be obtained from a device on the
premises or in the vehicle. It is the
view of the Commissioner that external surveillance devices, for example long
lens photographic equipment, can be used in an intrusive manner, providing sufficient
detail to infringe the privacy of the individual, even when the information
obtained is not of the same quality or detail as may be obtained by a device
located on the premises or in the vehicle.
The fact that a picture from a long lens camera might not be quite as
clear as from a camera placed in the room does not necessarily make the
infringement of privacy any less.
The Bill defines surveillance as ‘covert’ under Clause
25(8)(a) “if , and only if, it is carried out in a manner that is calculated to
ensure that persons who are subject to the surveillance are unaware that it is
or may be taking place”. It is the view
of the Commissioner that the surveillance should be regarded as covert if the
effect is that persons are unaware
that it is being carried out. It should
not be defined on the basis of whether it is the intention of those carrying
out the surveillance to ensure that the persons are unaware. It is whether the person is in fact aware
that is important. This is the approach
taken in the Data Protection Act 1998 which requires the provision of prior
information to data subjects to make processing of their personal data fair.
13. Authorisation of intrusive surveillance for law enforcement purposes should be based on a judicial warrant because the invasion of privacy is comparable to the cases of the interception of communications and third party access to encrypted information. Further, criminal sanctions should be applied where appropriate authorisation has not been sought. There is no provision for any criminal sanction in the Bill in relation to unauthorised intrusive surveillance.
PART III - ACCESS TO ELECTRONIC DATA PROTECTED BY ENCRYPTION
14. The Commissioner is concerned that the proposed legislation is currently drafted in such a way that Part III of the Bill has implications not just for encrypted personal data, but for wider categories of electronic data.
15. Part III of the Bill provides powers for law enforcement agencies and others to require the disclosure of any ‘key’. This term is defined under s 52 of the Bill as any key, code, password, algorithm or other data which allows access to electronic data or which facilitates the putting of the data into an intelligible form. This wide definition means that mechanisms such as ‘passwords’ and codes used for gaining access to a computer room might be caught by the Bill.
16. In the original consultation document it was made clear that the aim of the Government was to address the problem of lawful access to encrypted information and the Commissioner is unclear why the scope of the legislation has been extended to cover a wider range of protected data.
17. The value of the encryption process is to safeguard confidential or sensitive information, access to which could have serious repercussions for the privacy of the individual to whom the data relate.
18. In the case of encrypted data the Bill, as currently drafted, makes it unlikely that individuals will be informed where the integrity of their private keys has been jeopardised and they may continue to use these keys without being aware that their security has been compromised. Third parties whose personal data forms part of any protected electronic information may also be unaware of the risks posed to their data.
19. A wide ranging definition of the term ‘key’ increases the implications for the security of personal data, particularly when it is combined with the requirement for secrecy imposed by the creation of the offence of ‘tipping off’ on those individuals obliged to provide access to keys.
20. There might also be a potential breach of the fair processing requirements of the Data Protection Act 1998 if an individual were not informed that the protected information had been accessed or that the integrity of an encryption key had been compromised.
Lack of Any requirement that a clause 46 notice be made in writing
21. The Commissioner frequently deals with complaints where an unauthorised person has by deception, attempted to gain access to personal data to which he or she is not entitled. The lack of any requirement that a clause 46 notice be given in writing increases the chance that such notices will be falsified. The individual receiving an oral notice will also be restricted from informing anyone that such a notice has been received, facilitating the fraudulent access attempt.
External scrutiny of the grounds for serving a clause 46 notice
22. A warrant should also be required for access to protected electronic data. The Commissioner is concerned to note that the Bill appears to allow access to protected information without a warrant by the police, Customs and Excise or Her Majesty’s forces.
23. Access to protected electronic data should be subject to safeguards and controls which are no less stringent than those applying to the interception of the original communications. If parties have chosen to encrypt the communications it is presumably because they wish to keep them secret. A breach of this secrecy may have serious implications not only for the parties communicating but also for any third parties whose information forms part of the text of the encrypted material. Consequently, access to these communications should be subject to restrictions which are if anything more rather than less onerous than those applying to plain text communications.
24. A clause 46 notice should only be served where a judge or another independent authority has ruled that there are sufficient grounds for approving its issue. Whether or not access can be required should be subject to a prejudice test similar to that set out in s.29 of the Data Protection Act 1998.
25. The creation of an offence of failure to provide access to plain text information or to the decryption key also strengthens the argument for external scrutiny of the circumstances in which a clause 46 notice is to be served, particularly given the extent to which the onus is on a person served with a notice to demonstrate his or her innocence.
Restrictions on where disclosure of the key can be required
26. The Commissioner also takes the view that wherever possible access should be restricted to the plain text of any encrypted or protected information. Disclosure of the key should only be sought where it can be shown that restricting the access to plain text information would be likely to prejudice the prevention and detection of crime etc.
27. A clause 46 notice will normally allow the person on whom it is served to provide plain text information as an alternative to providing a key. However, the Bill currently allows the person granting permission for the clause 46 notice to ask that the key must be disclosed. No test of prejudice is required to inform this decision. The inclusion of a test of prejudice would help to ensure that disclosure of the key could always be justified and would not be sought arbitrarily. Where only access to plain text is needed it should also be a requirement that the person serving the notice makes it clear to the person on whom the notice is served that disclosure of the key is not necessary.
28. The Bill makes no reference to any criminal penalties where unauthorised access to protected electronic information is achieved. However, clause 1 of the Bill creates the offence of unlawful interception of communications and a separate but related tort. It is difficult to see why unlawful access to protected electronic information should not be a criminal offence when unlawful interception of communications is. The potential impact on the privacy of individuals is no less great in the case of unlawful access to protected electronic information. Although, offences of knowingly or recklessly obtaining, disclosing or procuring a disclosure of information can be found in s 55 of the Data Protection Act 1998 these relate only to personal data and include a wide range of exclusions.
29. If the legislation retains cases where a warrant is not required prior to the issue of a clause 46 notice, criminal or civil penalties for misuse of a notice could also be introduced to safeguard the privacy of individuals.
30. The Commissioner takes the view that the privacy of individuals can be compromised equally by the interception of communications, surveillance, and access to encrypted data. Indeed intrusive surveillance could be the more invasive.
31. The Commissioner questions the divergence in the systems for authorising different investigating powers. As the threat to individuals’ privacy is broadly comparable whatever investigatory power is used, the mechanism for authorisation should be similar.
32. Investigatory powers can compromise privacy extensively and individuals will not necessarily know that privacy has been compromised, accordingly judicial warrant should be the general standard for authorisation. Unlawful interception of communications, unlawful surveillance and unlawful access to encrypted data should all be subject to criminal penalty.
 Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, OJ L 24, 30 January 1998. Available at: http://europa.eu.int/comm/dg15/en/media/dataprot/law/ index.htm.
 set out in the Home Secretary’s Consultation Paper ‘Interception of Communications in the United Kingdom’ - June 1999
 set out in the DTI Consultation Paper, ‘Promoting Electronic Commerce’- July 1999