The Investigatory Powers Act (the “IPA”) was given Royal Assent on 29 November 2016, despite being described by Edward Snowden as “the most extreme surveillance in the history of western democracy”.
At its core, the IPA is a consolidation of existing legislation such as the Data Retention and Investigatory Powers Act (“DRIPA”), the Regulation of Investigatory Powers Act (“RIPA”), and certain provisions of the Telecommunications Act. That being said, the IPA does more than simply consolidate existing laws. In certain places it significantly extends existing requirements.
The main source of criticism and concern regarding the IPA has been around the requirements for bulk retention of data and the ability of public authorities to access such data.
- Retention of Communications Data: Communications data is the ‘who’, ‘where’, ‘when’, ‘how’ and ‘with whom’ of a communication, but not the content. The IPA requires communications service providers (“CSPs”) to retain communications data when served with a notice requiring them to do so. The IPA allows the police, intelligence agencies and other public authorities (including HMRC, the Gambling Commission and the Department of Transport) to access communications data from CSPs without a warrant. The scope and extent of authorities able to access communications data has been the source of much criticism, particularly in the context of the recent opinion of the EU’s Advocate General to its highest court, who advised that the bulk retention of data from telephone calls and emails is legal only if law enforcement agencies use it to tackle serious crime.
- Retention of Internet Connection Records: For the first time ever, the IPA also requires the collection and retention of internet connection records (“ICRs”), being records of the internet services that have been accessed by a device. This information won’t include the exact URL of each site visited but it will include the base domain. By way of example, when browsing a page on the BBC website, the ICR wouldn’t record exactly which page was visited but it would record the fact that a person visited www.bbc.co.uk, as well as the time the site was visited, how long was spent on the site, and the IP address of the device used to access the site. ICRs will also be able to be accessed without a warrant but for limited purposes. Again, the scope and extent of public authorities able to access this data has been the subject of criticism, although local authority access to ICRs is prohibited.
Another interesting issue raised by the bulk collection of this data centres around security. The government intends to create centralised software that will allow queries to be made across multiple databases using “request filters”. That presumably means that a single program will have access to all communications data and ICR databases, creating a tempting target for those wishing to gain access to the information stored.
Other parts of the IPA deal with the targeted and bulk interception of communications. Targeted equipment interference (or interception) of specific communications and devices is not a new concept and has been present in RIPA since 2000. Under the IPA, this type of interception will require a warrant and will be reserved for serious crime and threats to national security. Bulk equipment interference (or interception), however, is a new concept introduced by the IPA. This power will be limited to the security agencies and can only be used outside of the UK.
The IPA was given Royal Assent on 29 November 2016. However, it seems likely to be simply a matter of time before the IPA is subject to legal challenge like DRIPA was before it, and it is not impossible that the legality of the legislation ends up being reviewed by the Court of Justice of the European Union (if the UK hasn’t exited Europe by that time).