Impact of Investigatory Powers Bill on the UK s Digital Economy May 2016

Transcription

1 Impact of Investigatory Powers Bill on the UK s Digital Economy May 2016 Talal Rajab Head of Programme National and Cyber Security +44 (0) talal.rajab@techuk.org Tom Morrison-Bell Public Affairs Manager +44 (0) tom.morrison-bell@techuk.org 10 St Bride Street T London F EC4A 4AD

2 About techuk techuk represents the companies and technologies that are defining today the world that we will live in tomorrow. More than 850 companies are members of techuk. Collectively they employ approximately 700,000 people, about half of all tech sector jobs in the UK. These companies range from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small and medium sized businesses. Executive Summary techuk welcomes the Government s attempt to harmonise investigatory powers legislation. There is, however, growing anxiety among businesses about the Bill s unintended consequences for the digital economy. As Britain s digital economy is the largest in Europe, any negative consequences will have a significant impact on the UK economy more broadly. Vague provisions and broad definitions in the Bill threaten to undermine user trust in technology and digital services. These need to be tightened on the face of the Bill as trust is the bedrock of the digital economy. It is vital that encryption services are not weakened. Encryption is fundamental for UK GDP and underpins the digital economy. It is widely seen as the best method to ensure that businesses and government are not vulnerable to cyber-attacks and fulfil their data protection obligations. The Bill currently places potentially disproportionate technical and financial burdens on businesses. These threaten many of the UK s fastest growing and most dynamic companies, and a number of start-ups have already left the UK as a result. The Bill must clarify the compensation available to companies for compliance costs, such as data retention as uncertainty could be crippling to businesses. Costs must be proportionate and the Government should consider covering 100% of costs. Unilateral assertions of extraterritorial jurisdiction in the Bill will create conflicting legal obligations for many companies that are subject to legal obligations elsewhere. This will make the UK a harder place to do business and is a disincentive to investment and innovation. To minimise the impact on the UK s digital economy, it is vital that Government departments take a joined up approach on this Bill, especially in light of the forthcoming UK Digital Strategy. 2

3 Background In March 2016, the Home Office published a revised Investigatory Powers Bill and the Government s response to the Bill s pre-legislative scrutiny. techuk fully supports the Government s commitment to bringing legislation in this area within a single Investigatory Powers Bill. However, there is growing anxiety among businesses about the unintended consequences of the powers in the Bill on user confidence in digital services. As outlined in a recent letter from tech leaders published in the Telegraph, consumer trust is the bedrock on which the digital economy is founded. Therefore, small shifts in public sentiment regarding the security and privacy of users communications can have serious consequences for the UK s digital economy. This is particularly important as the UK s digital economy is the largest in Europe. It accounts for nearly 15% of GDP and more than 1.5 million jobs. As such, any negative consequences the Bill has on the UK s digital economy will have a significant impact on the UK economy more broadly. Data-driven companies require clarity and consistency and the Bill fails to deliver these. This document outlines a number of areas where this is the case and techuk encourages the Government to act now to avoid the potential unintended consequences of the Bill on the UK s digital economy as Government, companies and users of digital services all have a shared interest in the sector s continued growth. Issue 1 The Bill threatens to undermine users trust in the UK s digital economy Since 2010 there has been growing public concern into how surveillance is conducted in the UK, with recent surveys revealing that 72% of British consumers are concerned about their private information online. Consumer trust is the bedrock on which the digital economy is founded. Therefore, small shifts in public sentiment regarding the security and privacy of users data can have serious consequences for the UK s digital economy. Many of the provisions in the Bill are vague and broad in their scope. This has the potential to create legal uncertainty for companies, undermine trust in the UK s digital economy and confidence in the UK as a place to do data-driven business. It is crucial that investors in the UK s digital economy do not feel that the broader interests of the digital economy will be compromised. For example, by virtue of powers now being within a single Bill, any power would be applicable to any entity capable of being deemed a communications provider. This brings new technology and security intermediaries within scope, without any ability for these companies to reasonably forecast when or how they might be affected. Transparency is a further cornerstone for trust in the digital sector, evidenced by the increasing number of companies producing transparency reports on the number and nature of requests that they receive for data. The Bill currently prohibits user notification, one of the sector s key transparency principles. 3

4 Recommended actions The Bill should: Include an additional section that explicitly addresses each privacy safeguard within the Bill and includes a clause that explicitly sets out the universal privacy protections which apply across the full range of investigatory powers. Enshrine the principle of user notice: as a general rule, users should be informed when the Government seeks access to account data. It is important both in terms of transparency, as well as affording users the right to protect their own legal rights. Provide for a right of appeal for service providers to the Investigatory Powers Commissioner, in cases where permission to notify a user is refused. Permit companies to publish data about requests received under international agreements. Issue 2 The Bill raises serious question marks for rapidly growing tech companies The Bill creates disproportionate and burdensome technical and financial requirements that could have a significant impact on many start-up and scale-up companies. A retention or technical capability notice served on one of these companies could negatively impact at a crucial time in their business development. For example, a data retention notice may impose an obligation on a small provider to retain data after the data controller has deleted the data. Not only will this require investment in new business practices, it would make the provider the de facto data controller, creating a host of further obligations for the provider as the controller of the data. This could be crippling for such companies. A number of start-ups have already decided to leave the UK due to the perceived burdens they would face from the Bill. Recommended actions DCMS, HMT and BIS have outlined goals for the digital economy and must seek assurances that the Home Office is not trading off broad objectives against business confidence. This is particularly pertinent for DCMS and BIS in light of the forthcoming UK Digital Strategy. In light of this, the Government should carry out an impact assessment of the current Bill on the UK s digital economy before enacting legislation. Provisions in the Bill that will require novel business practices must be set out coherently, so that companies are fully aware of, and can prepare for, the requirements that will be placed on them. 4

5 Issue 3 Economic security and national security are two sides of the same coin A company s ability to keep data secure is key to business success, however, the Bill creates a number of conflicting security and legal obligations that have the potential to undermine network integrity and cyber security in the pursuit of national security. A central concern is the Government s ongoing failure to confirm, on the face of the Bill, that encryption will not be weakened. Encryption is fundamental for UK GDP and underpins the digital economy. It is widely seen as the best method to ensure that businesses and government are not vulnerable to online attacks and fulfil their legal obligations under data protection statutes to keep personal data free from external intrusion. Furthermore, equipment interference requirements and technical capability orders could apply to cybersecurity companies, since many of them route traffic from other companies. This would undermine trust in their services and potentially weaken the cybersecurity services they offer. Such requirements could therefore harm a growing cybersecurity sector, despite it being identified as a priority sector by the Government in the National Cyber Security Strategy. Recommended actions The Bill must specifically safeguard encryption. The Government must take steps to ensure that the Bill does not undermine cyber security create nor reduce the ability of companies to secure their products and services. Issue 4 The Bill is unclear on the implications of data retention costs for companies The Bill places new and potentially expensive technical requirements on companies. For example, some companies will be required to store internet connection records (ICRs) for 12 months. This will be beyond normal business practice for many of them and will greatly increase operational costs. The Government has reassured industry that it will help with these costs, recognising the damaging impact they could have. However, the Bill remains ambiguous as to what these contributions will be, stating that the Government will make an appropriate contribution that must never be nil towards costs of retaining data that companies would not normally retain. 5

6 Recommended actions The Bill must clarify the compensation available to companies for compliance costs, such as data retention. This uncertainty is damaging to companies. Costs must be proportionate and the Government should consider covering 100% of costs. Issue 5 Potential conflicts of the Bill Unilateral assertions of extraterritorial jurisdiction in the Bill will create conflicting legal obligations for overseas providers who are subject to legal obligations elsewhere. There is a considerable risk that the Bill could conflict with newly adopted EU legislation such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD). The Bill will currently result in a patchwork of overlapping and conflicting laws that creates uncertainty, undermines user privacy and hinders innovation. This disincentive to investment and innovation will make the UK less attractive for investment. It also sets a worrying international precedent: UK companies abroad might find themselves having to retain and provide data to satisfy overseas governments. Recommended actions The Bill must ensure that no obligations can be placed on providers which require them to undermine customer security and put them in breach of cybersecurity or privacy laws. Furthermore, DCMS, HM Treasury and BIS should push the Government to create a coherent international legal framework, taking into account issues of proportionality, necessity and transparency, in order to resolve these conflicts across jurisdictions. 6