![A woman holding a mobile phone surrounded by surveillance cameras, law enforcement and other hacking technology](/sites/default/files/styles/middle_column_cropped_small_1x/public/2025-01/2125-1200-max.jpg?itok=ROS9raCC)
PI response to Home Office consultation on codes of practice under the Investigatory Powers (Amendment) Act 2024
PI submitted a response to the Home Office consultation on codes of practice under the Investigatory Powers (Amendment) Act 2024 (IPAA). Our response focused on (1) the draft codes relating to bulk personal datasets with low or no reasonable expectation of privacy, (2) third-party bulk personal datasets and (3) the notices regime.
You can download our full response with its 23 recommendations for reform at the bottom of this page.
- The UK Government possesses globally unprecedented powers, some of which should not exist in a democratic society, and those that are within reason lack adequate human rights safeguards.
- The draft codes fail to take the opportunity to rectify and limit the ambiguity and potential for arbitrariness inherent in the investigatory powers regime.
- The regime therefore risks continued non-compliance with the right to privacy under domestic and international law.
'Low Privacy' Bulk Personal Datasets
The IPAA introduces a new concept of 'Low Privacy' bulk personal datasets (BPDs) that runs counter to longstanding principles of privacy law and omits crucial safeguards to prevent abuse, as required by the European Convention on Human Rights (ECHR). Together with the code, this could facilitate the regular mass collection of publicly available data, including social media data such as written posts, videos, and images among other forms of personal data.
In particular, our submission raises concerns that:
- The categories of data that could fall within a Low Privacy BPD are insufficiently clear;
- The meaning of sensitive data contained in the code conflicts with established jurisprudence of the ECtHR. We also note that the code's position that a low privacy BPD is highly unlikely to contain sensitive information is contradicted by an admission later in the same policy;
- Low Privacy BPDs will be used to build and test machine learning models. Given the substantial interference with the right to privacy of anyone whose personal data is used for machine learning purposes, it is highly concerning that this has been introduced via the code rather than legislation.
Third-party Bulk Personal Datasets
The new regime allows intelligence services to access data held in third-party datasets (3PDs). However, it fails to provide for the proper management of third-party BPDs. In particular, the code may:
- Facilitate the purchase of or direct access to the personal data of unlimited numbers of people from data brokers and other actors;
- Allow intelligence services to access data that has been collected or processed contrary to the law (for example, data that has been stolen or hacked).
Notices under the investigatory powers regime
Data Retention Notices (DRNs), National Security Notices (NSNs) and Technical Capability Notices (TCNs) can be used to require telecommunications operators to carry out activities that would facilitate intrusive forms of surveillance. For example, a notice could require the sending of false security updates or refraining from fixing a security vulnerability. The very purpose of notices is to facilitate intrusive practices that undermine people’s rights. But the present safeguards against these threats are insufficient. Our submission raises the following concerns:
- The use of notices (and the threat of their use) has wide-reaching and systemic impacts because they negatively affect the proper functioning of the telecommunications sector, the reputation of the UK with respect to global communications networks, and the security of connected devices;
- TCNs and/or NSNs can be used to undermine encryption (whether directly or indirectly);
- TCNs and/or NSNs can be used to prevent security updates;
- The UK’s approach has not responded to changes in the international context relating to end-to-end encryption since 2018, threatening to undermine the compliance of the UK regime with the ECHR and best practice as recommended by UN institutions;
- There is a significant lack of transparency about how the notices regime is operating in practice and how third parties (including civil society, journalists and other operators) can participate in challenges to notices.
Recommendations
Our full submission contains 23 recommendations to improve the draft codes of practice. You can download it below.