RESPONSE OF THE DATA PROTECTION COMMISSIONER TO
THE GOVERNMENT’S REGULATION OF INVESTIGATORY POWERS BILL
A BRIEFING FOR PARLIAMENTARIANS
INTRODUCTION
1.
The Data Protection Commissioner welcomes the Regulation of
Investigatory Powers Bill in that it updates the relevant investigatory powers
to take account of new technology, implements Article 5 of the
Telecommunications Data Protection Directive[1]
on confidentiality of communications, introduces controls on interception in
private telecommunication systems, and institutes controls on surveillance
activities.
2.
In 1999 The Data Protection Commissioner (then known as
‘Registrar’) commented at some length
on the Government’s proposals for revising the Interception of Communications
Act 1985[2]
and on the Government’s draft legislation to facilitate the use of electronic
communications and electronic data storage.[3] During the consultation process she made
clear her concerns in relation to the lack of external scrutiny for warrants
for interception issued for use by law enforcement agencies; the lack of
requirement for a warrant where access to communications data is sought and the
new powers allowing law enforcement agencies access to protected electronic
information.
3.
The new Regulation of Investigatory Powers Bill combines
rules relating to access to protected electronic information, originally
provided for in the Department of Trade and Industry’s draft Electronic
Communications Bill of July 1999, as well as provisions revising IoCA. Her responses to the Government’s original
proposals are available on her website
www.dataprotection.gov.uk. The
Commissioner wishes to restate her previous view and draw attention to some
additional points, particularly in
relation to surveillance activities.
PART II -
INTERCEPTION OF COMMUNICATIONS
External Scrutiny Of Warrants
4.
The Commissioner recognises the need to review the 1985
legislation relating to the interception of communications so that new media,
such as electronic mail, can be dealt with appropriately. However, while she accepts that law
enforcement and national security agencies should have the ability to intercept
communications, she believes that there are strong arguments in favour of
ensuring that warrants for interception are subject to judicial scrutiny at the
point of issue, but notes that the Government has not made provision for this
in the Bill.
5.
The Act of intercepting any communication justifies strict
controls. While problems might arise in
this area in relation to warrants obtained for the purposes of safeguarding
national security, the same complications do not arise in relation to the
interception of communications for the purpose of preventing or detecting
serious crime.
6.
If information were obtained under a judicial warrant where
the interception was related to the prevention and detection of crime the
intercept product would be admissible in evidence in legal proceedings. This would also allow for judicial scrutiny
of the procedure at a later date and would provide an alternative to the
Tribunal as a forum for dispute resolution.
7.
Two separate systems could be established, whereby judicial
warrants would be more appropriate for use in relation to criminal matters and
administrative warrants would mainly be relied upon in cases involving national
security.
Communications Data
8.
The Commissioner questions the distinction made in the Bill
between the requirements for gaining access to data contained within an
intercepted communication and those for gaining access to other communications
data such as traffic and billing information.
Both sets of data provide insight into the private lives of individuals
and should therefore be subject to equivalent controls and safeguards.
9.
The EU Directive on the Protection of Privacy in the
Telecommunications sector recognises the importance of safeguarding traffic and
billing data and lays down strict rules about the retention and use of this
information by telecoms providers. It
is the Commissioner’s view that access to traffic and billing data should also
be made subject to prior judicial scrutiny, so that consideration could be
given to Article 8 of the European
Convention on Human Rights.
PART II -
SURVEILLANCE
10.
Clause 25(3) of the Bill defines surveillance as
‘intrusive’, providing for greater protection for the privacy of the
individual, if it is covert and is aimed at activities carried out on
residential premises or in any private vehicle. The Commissioner suggests that this definition should be widened
to include any premises or location where the individual has a legitimate
expectation of privacy, for example, a doctor's surgery or an MP's private
office.
11.
Clause 25(5) of the Bill states that if surveillance is
carried out by means of a surveillance device in relation to activities on any residential
premises or in any private vehicle, but is carried out without that device
being present on the premises or in the vehicle, then the surveillance can not
be defined as ‘intrusive’ unless the device provides information of the same
quality and detail as might be expected to be obtained from a device on the
premises or in the vehicle. It is the
view of the Commissioner that external surveillance devices, for example long
lens photographic equipment, can be used in an intrusive manner, providing sufficient
detail to infringe the privacy of the individual, even when the information
obtained is not of the same quality or detail as may be obtained by a device
located on the premises or in the vehicle.
The fact that a picture from a long lens camera might not be quite as
clear as from a camera placed in the room does not necessarily make the
infringement of privacy any less.
12.
The Bill defines surveillance as ‘covert’ under Clause
25(8)(a) “if , and only if, it is carried out in a manner that is calculated to
ensure that persons who are subject to the surveillance are unaware that it is
or may be taking place”. It is the view
of the Commissioner that the surveillance should be regarded as covert if the
effect is that persons are unaware
that it is being carried out. It should
not be defined on the basis of whether it is the intention of those carrying
out the surveillance to ensure that the persons are unaware. It is whether the person is in fact aware
that is important. This is the approach
taken in the Data Protection Act 1998 which requires the provision of prior
information to data subjects to make processing of their personal data fair.
13.
Authorisation of intrusive surveillance for law enforcement
purposes should be based on a judicial warrant because the invasion of privacy
is comparable to the cases of the interception of communications and third
party access to encrypted information. Further, criminal sanctions should be
applied where appropriate authorisation has not been sought. There is no provision for any criminal
sanction in the Bill in relation to unauthorised intrusive surveillance.
PART III - ACCESS TO ELECTRONIC DATA PROTECTED BY ENCRYPTION
14.
The Commissioner is concerned that the proposed legislation
is currently drafted in such a way that Part III of the Bill has implications
not just for encrypted personal data, but for wider categories of electronic
data.
15.
Part III of the Bill provides powers for law enforcement
agencies and others to require the disclosure of any ‘key’. This term is defined under s 52 of the Bill
as any key, code, password, algorithm or other data which allows access to
electronic data or which facilitates the putting of the data into an
intelligible form. This wide definition
means that mechanisms such as ‘passwords’ and codes used for gaining access to
a computer room might be caught by the Bill.
16.
In the original consultation document it was made clear that
the aim of the Government was to address the problem of lawful access to
encrypted information and the Commissioner is unclear why the scope of the
legislation has been extended to cover a wider range of protected data.
17.
The value of the encryption process is to safeguard
confidential or sensitive information, access to which could have serious
repercussions for the privacy of the individual to whom the data relate.
18.
In the case of encrypted data the Bill, as currently
drafted, makes it unlikely that individuals will be informed where the
integrity of their private keys has been jeopardised and they may continue to
use these keys without being aware that their security has been
compromised. Third parties whose
personal data forms part of any protected electronic information may also be
unaware of the risks posed to their data.
19.
A wide ranging definition of the term ‘key’ increases the
implications for the security of personal data, particularly when it is
combined with the requirement for secrecy imposed by the creation of the
offence of ‘tipping off’ on those individuals obliged to provide access to
keys.
20.
There might also be a potential breach of the fair
processing requirements of the Data Protection Act 1998 if an individual were
not informed that the protected information had been accessed or that the
integrity of an encryption key had been compromised.
Lack of Any requirement that a clause 46 notice be made in writing
21.
The Commissioner frequently deals with complaints where an
unauthorised person has by deception, attempted to gain access to personal data
to which he or she is not entitled. The
lack of any requirement that a clause 46 notice be given in writing increases
the chance that such notices will be falsified. The individual receiving an oral notice will also be restricted
from informing anyone that such a notice has been received, facilitating the
fraudulent access attempt.
External scrutiny of the grounds for serving a clause 46 notice
22.
A warrant should also be required for access to protected
electronic data. The Commissioner is concerned to note that the Bill appears to
allow access to protected information without a warrant by the police, Customs
and Excise or Her Majesty’s forces.
23.
Access to protected electronic data should be subject to
safeguards and controls which are no less stringent than those applying to the
interception of the original communications.
If parties have chosen to encrypt the communications it is presumably
because they wish to keep them secret.
A breach of this secrecy may have serious implications not only for the
parties communicating but also for any third parties whose information forms
part of the text of the encrypted material.
Consequently, access to these communications should be subject to
restrictions which are if anything more rather than less onerous than those
applying to plain text communications.
24.
A clause 46 notice should only be served where a judge or
another independent authority has ruled that there are sufficient grounds for
approving its issue. Whether or not access can be required should be subject to
a prejudice test similar to that set out in s.29 of the Data Protection Act
1998.
25.
The creation of an offence of failure to provide access to
plain text information or to the decryption key also strengthens the argument
for external scrutiny of the circumstances in which a clause 46 notice is to be
served, particularly given the extent to which the onus is on a person served
with a notice to demonstrate his or her innocence.
Restrictions on where disclosure of the key can be required
26.
The Commissioner also takes the view that wherever possible
access should be restricted to the plain text of any encrypted or protected
information. Disclosure of the key
should only be sought where it can be shown that restricting the access to
plain text information would be likely to prejudice the prevention and
detection of crime etc.
27.
A clause 46 notice will normally allow the person on whom it
is served to provide plain text information as an alternative to providing a
key. However, the Bill currently allows
the person granting permission for the clause 46 notice to ask that the key
must be disclosed. No test of prejudice
is required to inform this decision.
The inclusion of a test of prejudice would help to ensure that
disclosure of the key could always be justified and would not be sought
arbitrarily. Where only access to plain
text is needed it should also be a requirement that the person serving the
notice makes it clear to the person on whom the notice is served that
disclosure of the key is not necessary.
Criminal Penalties
28.
The Bill makes no reference to any criminal penalties where
unauthorised access to protected electronic information is achieved. However, clause 1 of the Bill creates the
offence of unlawful interception of communications and a separate but related
tort. It is difficult to see why
unlawful access to protected electronic information should not be a criminal
offence when unlawful interception of communications is. The potential impact on the privacy of
individuals is no less great in the case of unlawful access to protected
electronic information. Although,
offences of knowingly or recklessly obtaining, disclosing or procuring a
disclosure of information can be found in s 55 of the Data Protection Act 1998
these relate only to personal data and include a wide range of exclusions.
29.
If the legislation retains cases where a warrant is not
required prior to the issue of a clause 46 notice, criminal or civil penalties
for misuse of a notice could also be introduced to safeguard the privacy of
individuals.
CONCLUSION
30.
The Commissioner takes the view that the privacy of
individuals can be compromised equally by the interception of communications,
surveillance, and access to encrypted data. Indeed intrusive surveillance could
be the more invasive.
31.
The Commissioner questions the divergence in the systems for
authorising different investigating powers.
As the threat to individuals’ privacy is broadly comparable whatever
investigatory power is used, the mechanism for authorisation should be similar.
32.
Investigatory powers can compromise privacy extensively and
individuals will not necessarily know that privacy has been compromised,
accordingly judicial warrant should be the general standard for
authorisation. Unlawful interception of
communications, unlawful surveillance and unlawful access to encrypted data
should all be subject to criminal penalty.
March 2000
[1] Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, OJ L 24, 30 January 1998. Available at: http://europa.eu.int/comm/dg15/en/media/dataprot/law/ index.htm.
[2] set out in the Home Secretary’s Consultation Paper ‘Interception of Communications in the United Kingdom’ - June 1999
[3] set out in the DTI Consultation Paper, ‘Promoting Electronic Commerce’- July 1999