In November 2016, the UK parliament passed the Investigatory Powers Bill, a year after the government proposed it. The bill is expected to become valid by the end of 2016, once it has obtained royal assent. Given its resemblance to the EU's Data Retention Directive, which was struck down in 2014, it is unlikely that the bill will avoid legal challenges. If it stays in force, it could cause huge disruption to tech industries in the UK.
The UK could become an unsafe destination for personal data coming from the EU
Known as the "Snoopers' Charter," the Investigatory Powers Bill has been badly received by privacy advocates because it allows the collection of bulk data from everyone in the UK. Internet service providers (ISPs) will have to retain the records of phone calls and Internet activity of all their users for 12 months, together with dates, times, and duration of such actions. Over-the-top (OTT) services would also fall into the scope of the act because they would be required to weaken encryption to allow access to their users' communications. In most cases, public organizations (including, but not limited to, intelligence agencies) will be able to access the data without a warrant.
Although the bill is a clear effort to fight crime with stronger instruments in response to technology developments, it also sends a worrying signal to data-heavy industries, and to communications industries in particular. It is also likely to clash with EU laws, which the UK government should continue to comply with while it prepares its plan to leave the EU following the outcome of the recent referendum.
In 2014, the EU's Data Retention Directive, which required telcos to retain communications data from member states for up to two years, was struck down by the European Court of Justice (ECJ). The ECJ found it disproportionate and conflicting with the key principles of EU treaties, and as a result, any member state could refrain from passing a law with similar requirements (even more burdensome ones) for telcos and tech companies. Given the ECJ precedent, the likelihood of a successful legal challenge against the new act could be very high; ISPs and other Internet giants such as Apple and Google have already voiced their concerns, and could be expected to make efforts to strike down this piece of legislation. After all, telcos were reluctantly complying with the Data Retention Directive when it was in force because it entailed burdensome activities with costs that were often not refunded by public authorities.
Even if the act remained in force, it could still mean bad business for the data and cloud industry in the UK. Despite the fact that the EU's General Data Protection Regulation will be adopted by the UK, this new bill could mean that the UK will be seen by the European Commission (EC) as an unsafe destination for personal data once the country leaves the EU. It is worth remembering that the presence of intrusive legislation has been at the heart of the conflict between the EU and the US on the transfer of personal data – an issue that the recent Privacy Shield agreement has only partially addressed. If the EC deems the UK to be an unsafe destination for personal data, cloud providers that have built their data centers in the UK to serve EU customers would face significant disruption, as would any UK-based tech company doing business with the rest of the EU. Not what should be expected from a country that aims to stay "open for business" in the years to come.
Luca Schiavoni, Senior Analyst, Regulation