Government response to the Home Office consultation on revised notices regimes
Updated 8 November 2023
November 2023
Ministerial foreword
The Investigatory Powers Act 2016 (IPA) is one of the most critical pieces of legislation for law enforcement and the intelligence agencies in their tireless efforts to keep our country safe from hostile actors, terrorists and serious organised crime groups.
It is vital that the act remains as effective as possible as time passes. It is the responsibility of the Home Office to ensure that this is the case even in the face of ever-changing technologies and the increasingly complex ways in which data is held as a result.
We must ensure that the fundamental safeguards that underpin these investigatory powers – ensuring that any usage is strictly necessary, proportionate, authorised, and accountable – remain at the core of any changes that are made to the regime.
It was in this context that this consultation was originally launched. It was designed to ensure that the efficacy of the IPA notices regime endures in the face of technological advances since 2016.
The importance of the notices has been established over the last thirty-nine years and to this day they remain as essential to the use of investigatory powers, and the ability of law enforcement and the intelligence agencies to keep our country safe as a result, as they were when introduced in the Telecommunications Act 1984. It is therefore vital that they keep pace with current requirements and are sufficiently future proofed to be used as required when it is necessary and proportionate to do so.
Ensuring tightly controlled and strict lawful access to communications content is vital to the investigation and prosecution of serious crimes, including terrorism and child abuse, as well as countering national security threats. Companies and government can, and already do, work well together on a vast range of public safety and national security issues. But it is critical that decisions about lawful access are taken by those with democratic accountability to those affected by these decisions, utilising a framework approved by Parliament. It will never be acceptable for the range of options available to elected decisionmakers to be vetoed by foreign executives. We cannot, and should not, outsource the safety of our citizens to unaccountable multinational companies.
Having considered the responses to the consultation, we have developed a set of measures designed to enhance the notices regimes, forming a key part of the Investigatory Powers (Amendment) Bill.
Rt Hon Suella Braverman KC MP
Home Secretary
Executive summary
The revised IPA notices regimes are intended to ensure the efficacy of the existing powers in the context of new technologies, the commercial structures of the modern digital economy and the risks associated. They aim to ensure that the law mitigates these risks where possible while protecting the privacy of citizens and the ability of companies to develop cutting-edge technologies.
The IPA more generally has been subject to extensive review this year – in February, the Home Secretary published her report on the Operation of the Investigatory Powers Act 2016 [footnote 1] and in June, Lord Anderson’s Independent review of the Investigatory Powers Act 2016 [footnote 2] was published.
As part of our wider engagement on the preparation of the Investigatory Powers (Amendment) Bill, we carried out a public consultation between June and July 2023. We have since given careful consideration to the responses received and have made further amendments to the relevant clauses in the bill.
Overview of consultation responses
The following table lists the responses that we received during the consultation.
Nature of response | Number of responses |
---|---|
Members of the public | 289 |
Legal representatives | 0 |
Oversight bodies | 0 |
Public authorities | 2 |
Other bodies | 10 |
In total, we received 301 responses to the consultation. We are very grateful to all those who took the time to respond and share their views on the proposed objectives. The majority of these responses were from members of the public as a result of a campaign by Open Rights Group and therefore were broadly consistent in their content. There was a predominant focus in these responses on end-to-end encryption. As none of the consultation objectives specifically related to end-to-end encryption, the response on this is set out separately after each of the five objectives of the consultation has been considered.
Additionally, there were three responses from telecommunications operators (as defined in the IPA), four from advocacy groups and three from trade associations.
Some of the responses specified that they did not wish to have their answers attributed to them, others were content to be identified and a large number did not confirm either way. For consistency, we have therefore chosen to not attribute any of the responses to specific individuals or organisations.
Approximately 5% of the responses received touched on a perceived interplay between the Online Safety Bill and the IPA. The two pieces of legislation are entirely separate in their purposes. The IPA regulates the use by public authorities of investigatory powers. It makes clear the circumstances in which the various investigatory powers may be used and the strict safeguards that apply, ensuring that any usage is strictly necessary, proportionate, authorised, and accountable. The Online Safety Bill is designed to regulate technology companies and requires them to implement proportionate systems and processes to tackle illegal content and content that is harmful to children on their platforms. As such, the bill does not give Ofcom or the government any powers to monitor users’ private messages.
Consultation responses and government response
Objective 1 – Strengthening the notice review process
The consultation proposed amending the application of the notice to make clear that no changes should take place during the review period to ensure there were no gaps in capability while the review process was being conducted.
Consultation responses
Most of the consultation responses, because of the focus on end-to-end encryption (E2EE) concerns, did not touch on this objective. Those that did raised concerns that this would allow the Secretary of State to issue notices without appropriate independent oversight (some responses referred to this as a “court order”), the involvement of the operator in question, and that this objective would result in the removal of a safeguard. There were also suggestions that the operator would not have any ability to object or challenge the review.
Government response
The intention of this objective was to ensure that public safety was not impacted during the review period by creating a capability gap as, currently, during the review period the operator is not required to comply with the notice. This is without prejudice to the outcome of the review and will not involve the application of the whole notice, rather the maintenance of the status quo. We believe that giving force to the notice during the review period strikes a proportionate balance between public safety and the intention of the review process. It gives primacy to the independent decision of the Investigatory Powers Commissioner, who ultimately decides whether or not to approve the decision of the Secretary of State to issue or vary the notice subject to a review, rather than to the affected operator (or to government).
Before the notice review stage is reached, there is an extensive process to go through. First there is the consultation process where the Secretary of State is obligated to consult with the operator in question. Following this, should it be decided to proceed with a notice, the notice then goes through the formal “double lock” – it is first issued by the Secretary of State and then approved by an independent Judicial Commissioner.
There are 17 Judicial Commissioners who support the Investigatory Powers Commissioner in his oversight of the use of the investigatory powers. They are required to hold, or have held, high judicial office (within the meaning of Part 3 of the Constitutional Reform Act 2005) to be eligible to be Judicial Commissioners. [footnote 3]
Once the double lock has been completed, the notice is then given to the operator. It is at that point, once they have been consulted and once the notice has received independent judicial authorisation, that the review period begins. An operator has 28 days to request a review of the notice, either in whole or in part [footnote 4]. It is only the operator who can request a review of a notice and they are under no obligation to request it.
As laid out in the IPA [footnote 5], the Secretary of State must then consult the Technical Advisory Board and a Judicial Commissioner as part of that review. The Technical Advisory Board must consider the technical requirements and the financial consequence for the operator of the notice (or the referred element). The Judicial Commissioner must consider whether the notice is proportionate.
Both the Technical Advisory Board and Judicial Commissioner must give the operator and the Secretary of State the opportunity to provide evidence, or make representations, before reaching their conclusions. Those conclusions must subsequently be reported to both parties. In short, this means that the timeline for the review is largely driven by the Technical Advisory Board and the Judicial Commissioner.
The IPA requires that the Technical Advisory Board is made up of both those who can have notices imposed on them and those who can apply for IPA warrants or authorisations [footnote 6] (on an even ratio) as well as an independent Chair and two further independent members. A code of practice for members of the Technical Advisory Board and their terms of reference are also available publicly [footnote 7].
The consultation did not propose to change any of this process, thereby ensuring that the double lock, and the independent judicial oversight it provides, as well as the general safeguard of a right of review for the company and their ability to engage with the process as laid out in statute, remain.
Objective 2 – Timely and informative responses
The consultation proposed that an obligation should be imposed on the operator to engage in the consultation process for a notice. Currently the obligation only exists on the Secretary of State to consult the operator during the consultation period.
Consultation responses
Most of the consultation responses, because of the focus on E2EE concerns, did not touch on this objective. There were a small number of responses that were supportive of this proposal. Other responses wanted to understand how compliance would be measured and what penalties would exist for non-compliance and suggested that disclosure obligations, in the absence of a relevant warrant or prior independent authorisation, raise significant compatibility concerns with Article 10 of the European Convention on Human Rights.
Government response
This objective was originally proposed as a formalisation of a process we would anticipate occurring automatically and informally in most cases. It is in the best interests of both the Secretary of State and the operator that the notice is drafted in a way that will interact most appropriately with the operator’s existing systems.
The exact details of the obligation will vary from notice to notice and operator to operator. The intention was to ensure that all involved are in possession of the relevant facts as a notice is developed and those facts will be individual to each case.
Having considered the responses to the consultation we have decided not to proceed with this change. As indicated above, as it is in both the Secretary of State and the operator’s best interest to have a workable notice which is necessary and proportionate, we do not believe this adjustment to the regime is necessary. We also wish to ensure that operators have the ability not to engage in the process if they wish to take that approach.
Objective 3 – Scope of the regime
The consultation proposed that changes needed to be made to the regime to provide greater clarity on how the IPA applies to operators with complex corporate structures. Any changes will not affect the flexibility of the modern digital economy which is so important to the UK economy and its citizens. Nevertheless, there have been unforeseen consequences of this due to how the IPA is structured and we need to ensure that data can be accessed when it is necessary and proportionate to do so.
The consultation also proposed that it may be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes.
Consultation responses
This objective was only addressed by a small number of responses to the consultation. There were a couple of supportive responses although one of those noted the need to ensure there were no unintended consequences of these changes. Objections were raised in a few responses. These were over the expansion of the notices regimes’ scope, that a non-UK company could be forced to undermine the security of all its users as it has a UK user base. One response queried the extent to which this has been discussed with the governments likely to be impacted.
On enforcement, only one respondent provided any specific observations. They noted that they felt fines would be inappropriate as they are typically used in regulatory matters, and a more nuanced approach is needed in this context.
Government response
When the IPA was passed in 2016 technology looked very different to how it does today, and while the intention was to create a technology-neutral piece of legislation, an intention that was mostly achieved, there are areas where the subsequent direction of travel was not what was anticipated in 2016. It is appropriate that we continue to try and ensure the technology-neutral, futureproofing of the IPA and that is what this objective was intended to achieve. It is not about expanding the powers but about maintaining them, and ensuring their effectiveness, in the modern digital economy. We are seeking to protect the existing capabilities that keep our citizens safe, and it is important that operators cannot deliberately structure their way out of the IPA’s obligations. To address this risk, we intend to adjust the definition of a telecommunications operator.
There is no direct correlation between any changes to the scope of the IPA and undermining the security of users – as covered in further detail later in this response, the government supports strong encryption. It does not automatically follow that operators have to compromise their systems to provide lawful access; indeed, much of the data sought is already generated and retained by the operators for either their own purposes or to support user experience.
The IPA already has strong enforcement options, and the inclusion of enforcement in the consultation was to ensure consideration was given to the totality of the relevant elements of the regime. Fines were an option that it felt appropriate to consider given their usage in other elements of the UK’s domestic regime. However, following the consultation, we do not believe they are necessary for the IPA at this time. We will nevertheless make minor adjustments to create consistency in enforcement between the three types of notices.
Objective 4 – Notification requirements
The consultation proposed the introduction of a notification requirement intended to facilitate early engagement between the government and operators. This notification requirement would require certain operators, who would have been explicitly informed by the Secretary of State that they were subject to this obligation, to inform us of relevant changes they intended to make to their systems and products that may impact on lawful access. The consultation proposed a series of thresholds would be developed that would also trigger the notification requirement and noted that there could be requirements on the Secretary of State to take account of the impact on commercial decisions of the proposed changes.
Consultation responses
This objective attracted the most direct comments from respondents. The predominant objection in responses was that this proposal would allow the Home Office to veto or block the roll out of new technologies and that this would subsequently stifle innovation. Additionally, that it would empower the Home Office to pre-emptively direct the design of products and services intended for the UK consumer market and make the Home Office the de facto global arbiter of what level of data security and encryption are permissible.
Concerns were also raised about the proportionality of this proposal and the assumption that the government intends to introduce a requirement in legislation to “have regard to” necessity and proportionality only. It was suggested that at-risk groups would be put in danger because of this proposal and that bad actors could exploit vulnerabilities during any delay.
It was also suggested that the proposal would be unreasonable and unworkable as operators do not necessarily know what changes to a service could affect lawful access. To this end further detail on how the powers would operate in practice was requested. Another respondent noted that if the proposal were limited to specific capabilities, clearly described on the face of the notification requirement, then this might be workable.
Lastly, it was noted that the impact on commercial decisions being taken into account was appreciated although concerns remained.
Government response
The IPA already provides for a notification requirement [footnote 8] within the notices regimes. The intention of this objective is to isolate this requirement to formalise the expectations we have of relevant operators with regards to existing lawful access capabilities. The obligation could still be placed within a notice and the notification requirement would not negate the need for a notice in certain circumstances.
The notification requirement will not allow the Secretary of State to prevent a technical change to an existing service, rollout of a new service or any other relevant change. Equally, it is not intended as an approval mechanism. There will be no method within the notification requirement itself for the Secretary of State to intervene in any way with the decision the operator has chosen. The requirement will be just to notify the Secretary of State.
The notification requirement is intended to ensure law enforcement and other relevant public authorities have time to adjust accordingly and mitigate the impacts wherever possible to continue to keep the public safe.
As laid out in the consultation, it is our intention to introduce, alongside the notification requirement, an obligation for the Secretary of State to formally inform an operator that they are bound by this requirement. It will therefore not be possible for an operator to not be aware that they are bound by the obligation of the notification requirement. We would intend that this notification from the Secretary of State would lay out further details on exactly which of an operator’s services the notification requirement applies to and what level of change meets the threshold for notification.
We intend to provide further detail on these thresholds in secondary legislation, in the same way that further details on the notices regimes generally are provided in regulations. However, there will always be a required level of individualisation to each notification requirement due to the unique services each operator provides and equally which of those are relevant to lawful access.
When considering whether to issue an obligation to a company on the notification requirement, the Secretary of State will make the same necessity and proportionality consideration as would be made for the use of any of the investigatory powers. The government expects that, in practice, the requirement will only apply to a relatively small number of companies who routinely provide exceptional lawful access under the IPA.
Objective 5 – Renewal of notices
The consultation proposed to introduce a renewal process for a notice if two years had elapsed since the notice was given, varied or renewed (once this renewal process is in place). This renewal would require the notice to go through the full double lock process and be issued by the Secretary of State and then approved by a Judicial Commissioner.
Consultation responses
Only a small number of responses to the consultation addressed this objective. Two of these felt the two-year timeline proposed was reasonable, another felt it was too long. There were general comments about further detail being welcome and also what options would be available to a Judicial Commissioner such as termination. One of the responses stated it should be made clear that the Judicial Commissioner would conduct a full review of the notice. Lastly, one of the responses questioned why this role was only being introduced for renewals and not new notices.
Government response
The intention of this objective is for there to be a full renewal of the notice in circumstances where two years have passed since a notice was given, varied or renewed (once a renewal process is in place). When a notice is given, a full necessity and proportionality case must be made as part of the double lock process. Whenever a notice is varied, the necessity and proportionality case for the whole notice has to be made, not just on the element that is being added, amended or deleted (depending on the nature of the variation).
The standard of review by the Judicial Commissioner, whether the notice is being issued for the first time or varied, is identical and that would be the same for a renewal process. Should this review be implemented, it would require the Secretary of State and then Judicial Commissioner to consider the full necessity and proportionality case for the notice. In short, the complete double lock process.
Should the Judicial Commissioner not agree with the case for the renewal of the notice, they could choose not to approve it. In this circumstance, just like with IPA warrants, the notice would cease to have effect. Therefore, the Judicial Commissioner would have the ability to terminate the notice by not approving it.
End-to-end encryption
A number of responses referred to end-to-end encryption, so it is important to set out the government’s position clearly. The government has always been clear on its position on private and secure communications technologies, including encryption. We fully support the responsible use of strong encryption, including end-to-end encryption, where public safety is designed in. We know it is possible to implement end-to-end encrypted services in a way which is consistent with public safety.
End-to-end encryption and other private and secure communications technologies have severely eroded the ability of law enforcement and intelligence partners to prevent, detect, investigate, prosecute and disrupt the most serious crimes and threats to national security.
The first duty of government is to protect its citizens. This consultation covers a variety of powers intended to ensure that government has the powers it needs to do so. This does not and must not mean restricting innovation. However, it does mean holding private companies to a common-sense set of legal standards that puts the interests of our citizens ahead of shareholders. This is a well-established principle that applies to every sector of our economy.
Tech companies have a moral duty to ensure they are not blindfolding themselves from abhorrent crimes like child abuse and terrorism on their platforms. We have listened to concerns raised internationally, both inside and outside of governments, about the impact removing lawful access could have on protecting our citizens, including children, from harm, and on the responsibility we believe companies have to keep their users safe. We believe that there does not need to be a choice between protecting children and maintaining user privacy. Tech companies must do all that is technically feasible to keep children safe.
The UK is not unique in this position. We are a signatory to the International Statement on End-to-End Encryption and Public Safety which was signed in October 2020 by the governments of Australia, Canada, India, Japan, New Zealand, the United Kingdom and the United States. It has subsequently also been signed by Singapore, Georgia, Jordan and Ecuador.
Next steps
We have considered the representations made in response to this consultation and they have been used to inform the policy proposals that have been brought forward through the Investigatory Powers (Amendment) Bill.
Improving the effectiveness of the existing notices regime is an important part of the legislation.
Footnotes
- Report on the operation of the Investigatory Powers Act 2016
- Section 227(2), IPA.
- The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 (SI/2018/354), Reg. 2.
- Section 257, IPA.
- Section 245, IPA and Reg. 3, SI/2018/354.
- Terms of Reference for the Technical Advisory Board and Code of Practice for members
- Schedule 1, Part 1, paragraph 13; Schedule 2, Part 1, paragraph 13; Schedule 3, paragraph 11 of The Investigatory Powers (Technical Capability) Regulations 2018.