New powers put privacy laws to the test

The government's move to give more agencies access to personal Internet and telecoms information will put a strain on the Data Protection Act and other institutions, say critics

Privacy advocates said that upcoming moves to broaden the government's electronic surveillance powers will put a strain on existing consumer-protection legislation such as the Data Protection Act (1998).

Next Tuesday MPs will debate a draft order that will effectively allow a broad range of government agencies, including all local authorities, the NHS, the Postal Services Commission and the Food Standards Agency, to demand the communications records of Internet and telephone users. The agencies, all of which have some law enforcement authority, were not previously guaranteed access to the records without a court order.

The powers are the latest expansion of the Regulation of Investigatory Powers Act (RIPA), passed last year, which will require ISPs to install so-called black boxes to monitor Internet traffic, and will give the police powers to demand that encrypted messages are decoded and those involved in investigations remain silent.

RIPA was originally extended to law-enforcement agencies such as police departments. The new rules will give RIPA powers to organisations which may or may not be sufficiently prepared to handle sensitive personal information, according to critics.

"The troubles start once the data is accessed," said Dr Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties. "There are question marks over how the data will be scrutinised. There are issues about the protection and security of data accessed by these organisations. Big Brother is slowly integrating itself into our society."

Much of the burden for regulating how organisations use and distribute the information will fall on the Data Protection Act (1998), which prevents organisations from revealing personal data. It also states that a communications provider must only retain traffic data for the length of time necessary for legitimate billing purposes, although an exception is made for the prevention and detection of crime.

But critics say the Act will be difficult to enforce. "It's easy to say that there are already some laws in place to handle this, but in practice it's difficult to see those standards being applied," said Akdeniz. "The real damage was the enactment of RIPA. This is just putting the legislation into action."

The Home Office said that under RIPA, the retention of personal data is effectively determined by each government agency: "It depends on what they want it for. It needs to be kept for a sufficient length of time for court proceedings or for law enforcement."

Information requests will be approved by a designated individual within each body, according to the Home Office, but there will be no independent review of RIPA requests. However, requests can be audited by the Interception of Communications Commissioner.

The burden will be on individuals to take complaints to the investigatory powers tribunal if they feel their information has been misused. However, the tribunal has been heavily criticised by members of the Intelligence and Security Committee (ISC), Britain's intelligence services watchdog, which said in a debate last year that it was underfunded and understaffed.

Alan Beith MP, a member of ISC, said at the time that the tribunal was "quite incapable of carrying out its job" with its tiny support staff. Beith said that the tribunal was "Britain's defence in relation to the European Convention on Human Rights," and warned that it could not be guaranteed to protect these rights.

The Home Office said that the RIPA changes should be viewed "less as strengthening investigatory powers than as better regulation... These organisations previously could have requested ths information and got it or not, but now it is being put into a statutory framework."

Will Knight and Wendy McAuliffe contributed to this report.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.