On April 25, 2024, the UK’s Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) received royal assent and became law.  This law makes the first substantive amendments to the existing Investigatory Powers Act 2016 (“IPA”) since it came into effect, and follows an independent review of the effectiveness of the IPA published in June 2023.

The most significant amendments are:

  • Introduction of requirements to notify the UK Government of changes to services.  The IP(A)A grants a new power to the UK Government, which may issue notices to operators of covered services (e.g., communications service or network providers) requiring them to notify the Government before they make certain types of changes to their services.  The precise types of changes that may be notifiable will be set out in secondary legislation, but the intent appears to be to cover changes that might prevent a provider from complying with warrants they receive under the IPA.  This provision has been controversial, as it could potentially be used to require providers to notify the UK Government if they wish to introduce tools like end-to-end encryption.
  • New personal data breach notification requirements.  The UK’s Privacy and Electronic Communications Regulations 2003 already require providers of electronic communications networks and services to notify the Information Commissioner’s Office if they suffer a personal data breach.  The IP(A)A introduces a new requirement on such providers also to notify the Investigatory Powers Commissioner (“IPC”).  Where (among other things) there is a public interest in doing so, taking into account the seriousness of the breach and potential impacts on national security / the prevention of crime, the IPC must inform individuals affected by the breach.  Covered providers may need to consider amending their incident response plans to account for these notifications.
  • Broader powers for intelligence agencies to access certain types of data.  The IPA currently requires intelligence agencies to obtain a warrant from the Secretary of State (and approved by a Judicial Commissioner) before they can retain large databases of personal data consisting primarily of data relating to individuals who are unlikely to be of interest to the intelligence services.  The IP(A)A will permit the head of an intelligence agency (again subject to approval by a Judicial Commissioner) to issue certain types of warrants for bulk personal datasets where individuals have a “low expectation of privacy”, based on factors including whether the data was made public by the individual or is widely known about in the public domain.  The IP(A)A also makes provision, for the first time, for intelligence services to access bulk personal datasets held by third parties, provided they obtain a warrant from the Secretary of State and that warrant is approved by a Judicial Commissioner.

    In addition, the IP(A)A creates a broader set of circumstances when law enforcement and intelligence agencies may access internet connection records, i.e., metadata relating to when and where individuals connected to the internet or other communications networks.

Other provisions of the IP(A)A are largely intended to clarify certain provisions of the IPA and to prevent circumvention: for example, amendments to clarify that the definition of “telecommunications operator” covers operators that are located outside the UK but provide services to people in the EU, and an express statement that the UK Government can enforce “retention notices” (i.e., notices requiring a telecommunications operator to retain data for a certain period) against providers located outside the UK.  There are also new provisions related to when certain powers set out in the IPA may be used in relation to Members of Parliament and journalists.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.