
UK Lawmakers Reject Privacy Limits for Bulk Data Collection

Amendments to Constrain Investigatory Powers Bill Fail in Final Stretch
The U.K. Parliament is close to approving new bulk data collection authorities for law enforcement and intelligence agencies. (Image: Shutterstock)

A last-ditch attempt by British lawmakers to amend a bill expanding electronic communication interception by the U.K. intelligence agencies failed despite concerns over pervasive surveillance.


U.K. lawmakers in November 2023 introduced the Investigatory Powers Bill, which seeks to update the Investigatory Powers Act of 2016 - the primary regulation allowing British law enforcement and intelligence agencies to intercept data.

The proposal would authorize interception of bulk personal datasets with "limited or no expectation of privacy" in a bid to remove restrictions put in place by the previous regulation. Newly accessible to authorities would be information such as IP addresses, details of websites visited by users, and data collected from public websites, such as news articles, academic papers, and public and official records (see: UK Lawmakers Push Ahead With Revised Snoopers' Charter).

The bill is close to final passage but still at a stage where lawmakers can introduce changes. Speaking Thursday before a public bill committee set up to support the proposal, Jarvis criticized a lack of clarity regarding the datasets with "low or no expectation of privacy." The present scope of the bill could allow authorities to use hacked and leaked data containing sensitive data, he argued.

"There must be clarity on important definitions relating to personal data," Jarvis said, adding that while there should not be unnecessary limitations on the police and security services, "there needs to be parameters for what is considered fair game."

The committee did not approve his amendments to regulate bulk personal data collection under the U.K. General Data Protection Regulation and Data Protection Act of 2018.

Thursday's hearing did not consider the amendments proposed by Stuart McDonald of the Scottish National Party, who called for the omission of CCTV and Facebook data. McDonald said that bulk datasets from CCTV and Facebook likely contain personal data with different data processing requirements, meaning such data should not be categorized under one broad set of "low or no expectation of privacy."

"If the dataset contains information about millions of people and different types of information about different people, how can it have one single level of expectation?" McDonald said. "People having low expectations of complete privacy may reasonably have high expectations that the data is not going to be retained and processed by the intelligence services."

Lawmakers proposed privacy-focused revisions to the bill after rights groups raised concerns regarding its privacy implications, and advocates argued the bill will result in state-enabled large-scale surveillance by private companies. In written evidence submitted to the lawmakers, the Washington-based Center for Data Innovation urged the lawmakers to bring more clarity by clearly defining what data falls within the "low or no expectation of privacy" category.

The introduction of a new data category without adequate data protection may "infringe upon individual privacy rights," the Center for Data Innovation said, adding that greater clarity on data safety will inform U.K. citizens about the types of data that the agencies can lawfully access.

Tech industry body TechUK also raised concerns regarding the provisions in the bill that require telecom companies to update the secretary of state about any proposed changes to their services.

The organizations argued the requirement could prevent the affected companies from rolling out security updates or feature upgrades, which could expose their users to the risk of data breaches from malicious actors, including foreign adversaries.

"The amendments published do not address any of TechUK members' substantial concerns about the bill," a TechUK spokesperson said. "Given the scale of the proposed changes, we remain of the view that more needs to be done to ensure the updated regime is transparent, proportionate, and contains a robust accountability mechanism."

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
