The Center for Data Innovation submitted this response to the UK Home Office’s consultation on the codes of practice for the Investigatory Powers (Amendment) Act 2024.
The Act updates the Investigatory Powers Act 2016, which permits UK intelligence services to intercept communications, access certain datasets, and analyse sensitive online information for national security. The codes of practice explain how the updated powers should be implemented by intelligence services.
The Center wrote about the IPA 2024 during a consultation last year when it was moving through Parliament. We opposed the then-bill on the grounds it would constitute an overreach that could threaten digital privacy, especially encrypted communications, for Internet users in the UK. The IPA has garnered significant attention from a host of tech companies due to new requirements to notify the Secretary of State of “relevant changes” to their systems that could potentially impede government access.
We present six key recommendations, separated into three core areas:
- The Secretary of State should amend Annex A relating to BPDs with a low or no expectation of privacy (LNEP) to (1) clarify the application of the factors listed in section 226A(3) IPA 2024 with stronger hypothetical examples in the code, and (2) set clear criteria and proportional thresholds for determining when a dataset qualifies as LNEP.
- Annex H relating to the Notices Regime should be amended to (1) limit the scope of Notification Notices to “relevant changes” that demonstrably and significantly impact lawful access capabilities under the legislation, supported by a body of tangible evidence, (2) limit the scope of “negative effect” for the review process for data retention, technical capability, and national security notices, and (3) expand guidance on the decommissioning of services, in particular confirming that the UK government will not unreasonably impede any decommissioning of a service falling within the notice regime.
- Recommendations of general application to the codes include ensuring the section 2(2) IPA 2016 considerations are afforded the appropriate level of scrutiny by public authorities and that these authorities consider all factors when executing their duties under section 2(1) IPA 2016.