UK Investigatory Powers Act sparks major privacy fears

Net Results: Data surveillance provisions spell more post-Brexit bad news for Irish businesses

Will a push be on to find ways for the net to route data anywhere but the UK, now Surveillance Central?

Will a push be on to find ways for the net to route data anywhere but the UK, now Surveillance Central?

 

Ireland once bore the questionable distinction of having one of the most oppressive data surveillance regimes within Europe.

Our data retention laws, which initially allowed for three years’ storage of details about the phonecalls of every citizen in the State, featured one of the longest mandated holding periods for such call metadata in the world.

Our 2005 law formed the foundation for the EU’s subsequent data retention directive of 2006. That directive was subsequently and unceremoniously thrown out two years ago by the European Court of Justice (ECJ), after advocacy group Digital Rights Ireland had its case challenging Irish retention laws referred to Europe’s highest court.

(Two years on, and the Government has still done nothing to address our own laws, even though the ECJ made clear the directive was a violation of EU human rights and privacy protections.) 

But our laws look like child’s play now, with the passing of Britain’s Investigatory Powers Act – also known as the snooper’s charter – which just gave sweeping powers of surveillance and retention to UK law enforcement agencies.

“[The] Bill will mean the police and intelligence agencies have unprecedented powers to surveil our private communications and internet activity, whether or not we are suspected of a crime,” noted Jim Killock, executive director of UK privacy advocacy organisation the Open Rights Group.

‘Extreme surveillance’

Edward Snowden

The new Act legalises several of the UK Government Communication Headquarters (GCHQ) programmes that were exposed by whistleblower Edward Snowden in 2013, such as its large-scale, bulk surveillance schemes that suck in data from around the world, including tapping Irish undersea communications cables. 

In addition, under the new Act, communications providers must start to keep records of the websites a customer visits. Almost 50 separate UK agencies could access those records – from government departments to the Food Standards Agency to ambulance services – without any judicial oversight needed.

The Act also gives the state the authority to require the insertion of back doors into any new service or device offered by a communications provider – namely, code that gives agencies access to the devices or products, and, therefore, code that weakens everyone’s overall security.

The Act also lets law enforcement require technology companies and service providers to remove encryption on a given user’s device or service. 

And it allows police – not just the national surveillance agencies – to conduct surveillance on non-British citizens outside of the UK. The Act even permits “bulk equipment interference” – meaning, mass hacking – by UK surveillance agencies on, say, an entire city outside the UK.

For more details on the Act, The Verge offers a rundown and analysis: http://iti.ms/2gkxnNE.

Business impact

In the wake of this new law, who will still wish to buy products and services from UK technology or communications companies when they might include weakened encryption or come with other government-mandated back doors? 

And why would any IT company now find the UK an attractive home base? A roster of tech multinationals – many with major operations in the UK – opposed the Bill, including Facebook, Microsoft, Apple and Google. With such an environment, Britain has gutted its ability to attract technology multinationals, or to promote its growing indigenous technology sector.

And how will the UK possibly comply with EU-mandated data and privacy protections required for any UK company to handle EU citizen data, protections demanded by the ECJ’s Digital Rights Ireland and Schrems rulings? As it exits the EU, Britain will need its own version of the EU/US data exchange agreement Privacy Shield (not that Privacy Shield is looking too safe, either, especially under the US president-elect).

And what about London’s status as one of the world’s major internet exchanges, a kind of Grand Central Station for global data? Will a push be on to find ways for the net to route data anywhere but the UK, now Surveillance Central? 

Ireland, as an international tech and financial services centre, is sure to scoop up some businesses and services fleeing the UK because of this Act. But the overall negative impact for businesses here, which regularly exchange data with the UK, could be as stultifying as Brexit – especially as Brexit itself will amplify European concerns about the Act’s most worrying elements. 

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.