The controversial Investigatory Powers Bill (IP Bill) has now passed through the House of Lords, meaning that it has all but become law.
The House of Lords had proposed amendments including greater press regulation, but eventually the original bill passed without amendments. The Bill passed through the House of Commons with 444 votes in support to 69 against back in June, with the opposition Labour party voting in favour of the bill.
The IP Bill provides UK authorities with new abilities to legally conduct surveillance on citizens, including tracking online activity.
Much has been written about how the IP Bill will affect citizens, but how will it affect businesses?
One sector that will immediately see a concrete impact from the bill is internet service provision. Internet service providers will now upon request have to keep records of customers’ online activity for a year even if they are not suspected of crime.
The requirements here are theoretically unlimited: the Bill specifies that “all data or any description of data” could be ordered to be retained. However, the notice does impose an upper limit of a year.
It is also an offence for a telecoms operator to disclose to a customer that their information has been requested or accessed by authorities.
The fact that data will be retained rather than simply deleted may raise cyber security concerns for some businesses; what if these databases are hacked?
However, the Bill includes requirements that this data be given “at least” the same level of security and protection as the data on the system it is derived from.
There are also requirements for the telecoms provider to secure that data so that it can only be access by specially authorised personnel and against loss or alteration.
In theory, then, businesses shouldn’t be any more worried about the security risk of the retained data than they are about any other data held by telcos.
More concerning, though, than security risks are regulatory ones: there is a possibility that the IP Bill could bring businesses into conflict with European regulations such as the General Data Protection Regulation (GDPR).
As it stands, the European Commission has issued a statement raising no objections to the Bill.
However, Open Rights Group has argued that the new surveillance powers could mean that UK businesses are unable to meet the standards of data protection standards.
Previously, for example, the Safe Harbor agreement for the transfer of data from the EU to the US was ruled to be invalid by the European Court of Justice because it did not provide enough protection against surveillance by US authorities.
The case was brought by the Austrian law student Max Schrems, who argued that revelations about the US’s National Security Agency showed that data was not being held securely by companies such as Facebook.
Assuming that the UK proceeds with the decision to leave the EU, a new data transfer agreement will be needed.
“[T]he fact is that upon Brexit, the flow of EU personal data to the UK will no longer be lawful unless the UK is assessed as having an adequate level of data protection by the European Commission (EC),” wrote Stuart Buglass, VP Consulting at consultancy group Radius, in a blog looking at this issue.
If the IP Bill ends up being a spanner in the works of such an agreement, the consequences for UK businesses could be severe, as they could be unable to handle data from EU customers.
The Bill also enshrines in law the legal interception of communications by businesses for monitoring and record-keeping purposes when a customer is conducting business with them.
This is dependent upon this appearing to the Secretary of State to constitute a legitimate practice reasonably required for the purposes of this business.
These communications can include, as one might expect, consumers entering into transactions with the business or anything else that is relevant to the business.