UK Investigatory Powers Act sparks major privacy fears

Net Results: Data surveillance provisions spell more post-Brexit bad news for Irish businesses

Ireland once bore the questionable distinction of having one of the most oppressive data surveillance regimes within Europe.

Our data retention laws, which initially allowed for three years’ storage of details about the phone calls of every citizen in the State, featured one of the longest mandated holding periods for such call metadata in the world.

Our 2005 law formed the foundation for the EU's subsequent data retention directive of 2006. That directive was unceremoniously thrown out two years ago by the European Court of Justice (ECJ), after advocacy group Digital Rights Ireland had its case challenging Irish retention laws referred to Europe's highest court.

(Two years on, and the Government has still done nothing to address our own laws, even though the ECJ made clear the directive was a violation of EU human rights and privacy protections.)


But our laws look like child’s play now, with the passing of Britain’s Investigatory Powers Act – also known as the snooper’s charter – which just gave sweeping powers of surveillance and retention to UK law enforcement agencies.

"[The] Bill will mean the police and intelligence agencies have unprecedented powers to surveil our private communications and internet activity, whether or not we are suspected of a crime," noted Jim Killock, executive director of UK privacy advocacy organisation the Open Rights Group.

‘Extreme surveillance’

Edward Snowden tweeted that the UK now has “the most extreme surveillance in the history of western democracy”. The UN’s privacy rapporteur described the act as “worse than scary”. World Wide Web creator Tim Berners-Lee tweeted: “Dark, dark days.”

The new Act legalises several of the UK Government Communications Headquarters (GCHQ) programmes that were exposed by whistleblower Edward Snowden in 2013, such as its large-scale, bulk surveillance schemes that suck in data from around the world, including tapping Irish undersea communications cables.

In addition, under the new Act, communications providers must start to keep records of the websites a customer visits. Almost 50 separate UK agencies could access those records – from government departments to the Food Standards Agency to ambulance services – without any judicial oversight needed.

The Act also gives the state the authority to require the insertion of back doors into any new service or device offered by a communications provider – namely, code that gives agencies access to the devices or products, and, therefore, code that weakens everyone’s overall security.

The Act also lets law enforcement require technology companies and service providers to remove encryption on a given user’s device or service.

And it allows police – not just the national surveillance agencies – to conduct surveillance on non-British citizens outside of the UK. The Act even permits “bulk equipment interference” – meaning, mass hacking – by UK surveillance agencies on, say, an entire city outside the UK.

For more details on the Act, The Verge offers a rundown and analysis:

Business impact

Obviously, much can be said about such astonishing and repugnant new legislation. But consider just the business impact of an Act so alarmingly out of touch with business reality, both for UK companies and with regard to the UK’s interactions – even basic ability to engage in commerce – with the entire EU, its largest business market by far. According to the UK Office of National Statistics, the EU makes up 44 per cent of the UK’s export market for goods and services, compared to 17 per cent for the US.

In the wake of this new law, who will still wish to buy products and services from UK technology or communications companies when they might include weakened encryption or come with other government-mandated back doors?

And why would any IT company now find the UK an attractive home base? A roster of tech multinationals – many with major operations in the UK – opposed the Bill, including Facebook, Microsoft, Apple and Google. With such an environment, Britain has gutted its ability to attract technology multinationals, or to promote its growing indigenous technology sector.

And how will the UK possibly comply with EU-mandated data and privacy protections required for any UK company to handle EU citizen data, protections demanded by the ECJ’s Digital Rights Ireland and Schrems rulings? As it exits the EU, Britain will need its own version of the EU/US data exchange agreement Privacy Shield (not that Privacy Shield is looking too safe, either, especially under the US president-elect).

And what about London’s status as one of the world’s major internet exchanges, a kind of Grand Central Station for global data? Will a push be on to find ways for the net to route data anywhere but the UK, now Surveillance Central?

Ireland, as an international tech and financial services centre, is sure to scoop up some businesses and services fleeing the UK because of this Act. But the overall negative impact for businesses here, which regularly exchange data with the UK, could be as stultifying as Brexit – especially as Brexit itself will amplify European concerns about the Act's most worrying elements.