On April 25, 2024, the UK’s Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) received royal assent and became law. This law makes the first substantive amendments to the existing Investigatory Powers Act 2016 (“IPA”) since it came into effect, and follows an independent review of the effectiveness of the IPA published in June 2023.
The most significant amendments are:
- Introduction of requirements to notify the UK Government of changes to services. The IP(A)A grants a new power to the UK Government, which may issue notices to operators of covered services (e.g., communications service or network providers) requiring them to notify the Government before they make certain types of changes to their services. The precise types of changes that may be notifiable will be set out in secondary legislation, but the intent appears to be to cover changes that might prevent a provider from complying with warrants they receive under the IPA. This provision has been controversial, as it could potentially be used to require providers to notify the UK Government if they wish to introduce tools like end-to-end encryption.
- New personal data breach notification requirements. The UK’s Privacy and Electronic Communications Regulations 2003 already require providers of electronic communications networks and services to notify the Information Commissioner’s Office if they suffer a personal data breach. The IP(A)A introduces a new requirement on such providers to also notify the Investigatory Powers Commissioner (“IPC”). Where (among other things) there is a public interest in doing so, taking into account the seriousness of the breach and potential impacts on national security / the prevention of crime, the IPC must inform individuals affected by the breach. Covered providers may need to consider amending their incident response plans to account for these notifications.
- Broader powers for intelligence agencies to access certain types of data. The IPA currently requires intelligence agencies to obtain a warrant from the Secretary of State (which must also be approved by a Judicial Commissioner) before they can retain large databases of personal data consisting primarily of data relating to individuals who are unlikely to be of interest to the intelligence services. The IP(A)A will permit the head of an intelligence agency (again subject to approval by a Judicial Commissioner) to issue certain types of warrants for bulk personal datasets where individuals have a “low expectation of privacy”, based on factors including whether the data was made public by the individual or is widely known about in the public domain. The IP(A)A also makes provision, for the first time, for intelligence services to access bulk personal datasets held by third parties, provided they obtain a warrant from the Secretary of State and that warrant is approved by a Judicial Commissioner.
In addition, the IP(A)A creates a broader set of circumstances when law enforcement and intelligence agencies may access internet connection records, i.e., metadata relating to when and where individuals connected to the internet or other communications networks.
Other provisions of the IP(A)A are largely intended to clarify certain provisions of the IPA and to prevent circumvention—for example, amendments to clarify that the definition of “telecommunications operator” covers operators located outside the UK but that provide services to people in the EU, and an express statement that the UK Government can enforce “retention notices” (i.e., notices requiring a telecommunications operator to retain data for a certain period) against providers located outside the UK. There are also new provisions related to when certain powers set out in the IPA may be used in relation to Members of Parliament and journalists.