November 18, 2016

As IP Bill becomes law, what does the Snoopers Charter mean for your business?

Data and cyber security could be key business concerns about the IP Bill.

By Alexander Sword

The controversial Investigatory Powers Bill (IP Bill) has now passed through the House of Lords, meaning that it has all but become law.

The House of Lords had proposed amendments including greater press regulation, but eventually the original bill passed without amendments. The Bill passed through the House of Commons with 444 votes in support to 69 against back in June, with the opposition Labour party voting in favour of the bill.

The IP Bill provides UK authorities with new abilities to legally conduct surveillance on citizens, including tracking online activity.

Much has been written about how the IP Bill will affect citizens, but how will it affect businesses?

One sector that will immediately see a concrete impact from the bill is internet service provision. Internet service providers will now, upon request, have to keep records of customers’ online activity for a year, even if they are not suspected of crime.

The requirements here are theoretically unlimited: the Bill specifies that “all data or any description of data” could be ordered to be retained. However, the notice does impose an upper limit of a year.

It is also an offence for a telecoms operator to disclose to a customer that their information has been requested or accessed by authorities.


The fact that data will be retained rather than simply deleted may raise cyber security concerns for some businesses; what if these databases are hacked?

However, the Bill includes requirements that this data be given “at least” the same level of security and protection as the data on the system it is derived from.

There are also requirements for the telecoms provider to secure that data so that it can only be accessed by specially authorised personnel, and to protect it against loss or alteration.

In theory, then, businesses shouldn’t be any more worried about the security risk of the retained data than they are about any other data held by telcos.

More concerning, though, than security risks are regulatory ones: there is a possibility that the IP Bill could bring businesses into conflict with European regulations such as the General Data Protection Regulation (GDPR).

As it stands, the European Commission has issued a statement raising no objections to the Bill.

However, Open Rights Group has argued that the new surveillance powers could mean that UK businesses are unable to meet data protection standards.

Previously, for example, the Safe Harbor agreement for the transfer of data from the EU to the US was ruled to be invalid by the European Court of Justice because it did not provide enough protection against surveillance by US authorities.

The case was brought by the Austrian law student Max Schrems, who argued that revelations about the US’s National Security Agency showed that data was not being held securely by companies such as Facebook.

Assuming that the UK proceeds with the decision to leave the EU, a new data transfer agreement will be needed.

“[T]he fact is that upon Brexit, the flow of EU personal data to the UK will no longer be lawful unless the UK is assessed as having an adequate level of data protection by the European Commission (EC),” wrote Stuart Buglass, VP Consulting at consultancy group Radius, in a blog looking at this issue.

Now-PM Theresa May sponsored the Bill when head of the Home Office.

If the IP Bill ends up being a spanner in the works of such an agreement, the consequences for UK businesses could be severe, as they could be unable to handle data from EU customers.

The Bill also enshrines in law the legal interception of communications by businesses for monitoring and record-keeping purposes when a customer is conducting business with them.

This depends on the interception appearing to the Secretary of State to constitute a legitimate practice reasonably required for the purposes of the business.

These communications can include, as one might expect, consumers entering into transactions with the business or anything else that is relevant to the business.
