How can the Investigatory Powers Act ever co-exist with the EU?


Since its conception the IPA (Investigatory Powers Act) has been at best “controversial”. It was introduced to replace the expiring DRIPA (Data Retention and Investigatory Powers Act), which in turn was hastily introduced to replace the original RIPA (Regulation of Investigatory Powers Act), which was deemed invalid by the European Court of Justice back in 2014. With each iteration of this legislation under its various guises, one thing remains consistent - the emphasis on data collection and storage by ISPs for access by Government agencies. That is why it seems impossible for this legislation to ever co-exist with the EU, which clearly has opposing objectives when it comes to protecting the privacy and data of its citizens.

26 January 2017

Paul Heritage-Redpath, Product Manager

In December 2016 the EU Court of Justice ruled that EU law does not allow “general and indiscriminate retention of traffic data and location data,” except for “targeted” use against “serious crime”. The IPA clearly does not comply with this as it requires all CSPs to log details of your Internet activity, regardless of whether you have been suspected of a crime or not. That data can then be requested by a variety of security groups without needing a full warrant. Quite the polar opposite of the latest EU ruling.

To be valid in EU law, data retention must be targeted and used only in cases of serious crime. The EU also states the individual affected must be made aware of the data access - which the IPA does not require. Therefore this latest ruling means the Court of Appeal must determine the legality of the current IPA.

(As an important aside, you will look in vain in DRIPA or its predecessor for definitions of “serious crime”, although it does appear in the IPA as crimes either punishable with 3 years’ imprisonment or one which “involves the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose”. The other popular figleaf for state snooping, “national security”, appears to defy definition.)

So, how can the IPA continue with such opposing policies from the EU? After all it was originally introduced as a replacement for earlier ‘weaker’ laws that were also seen to be invalid.

EU Strike 2

As if that wasn’t enough, further EU legislation also impacts on the IPA. The new ePrivacy Regulation - which will align all previous laws regarding the confidentiality and security of electronic communications with the recently introduced GDPR (General Data Protection Regulation) - calls for further protection of EU citizens’ data. Under these rules “user privacy will need to be guaranteed for both content and metadata derived from electronic communications (such as the time of a call and location), which will need to be anonymised or deleted if users have not given their consent, unless the data is required for purposes such as billing.”

So, on one hand, the UK Government (through the IPA) wants us to collect and store the Internet activity of all customers regardless of whether or not they are suspected of a crime and make that information readily available to security agencies without a full warrant. On the other hand the EU wants us to only collect said activity information for targeted suspects of serious crime and inform the suspects of any access to their data. Throw into that this latest ePrivacy regulation that says all stored data should be anonymised or deleted if users have not given consent to its storage (unless required for billing). How can the IPA ever survive this?

It’s OK we are leaving the EU anyway?

Oh that’s ok then, phew! Oh no wait a minute...no it’s not, as the situation with the US currently demonstrates. The US are continuing to struggle to finalise a trade agreement with the EU following the abolishment of ‘safe harbor’ for very similar reasons. The EU doesn’t agree with their surveillance and data collection practices and won’t give them access to EU citizens’ data under the US’ existing laws. If we continue down the IPA route, when it comes to trade negotiation time with the EU, we are likely to face the same struggles.

What’s the resolution?

That’s one for the politicians to squabble over but one thing is clear - our Government seems hell-bent on strengthening surveillance powers and data collection, increasing and extending powers with every iteration of the current IPA. It’s hard to see them backing down on this in order to ‘play nice’ with the EU who clearly have polar opposite opinions when it comes to the privacy of their citizens’ data. Further legal challenges are seemingly inevitable and further iterations of the current IPA are highly likely as they continue to slog this out. Who knows what the next IPA replacement could have in store for us all?

Have your say!

Do you think the IPA could ever possibly co-exist with the EU? Do you think further legal challenges are inevitable? Do you see a compromise being possible or do you think this could cause a serious stalemate situation? Let us know your thoughts by leaving us a comment below.