Regulation of Investigatory Powers Bill: the story so far

RIP: 'frailties' cause concern as the Bill makes its passage through Parliament

What stage is the Bill at?

Lord Bassam of Brighton put the Regulation of Investigatory Powers (RIP) Bill before the House of Lords for its second reading on 25 May. He attempted to allay the fears of businesses that voiced objections to the new power for law enforcement, security and intelligence agencies to demand that communication data be decrypted.

Bassam told the House that the RIP Bill is intended to respond to developments in modern technology and impose a regime that is compatible with, and regulated in accordance with, the European Convention on Human Rights. The stated goal of the RIP Bill is to make the UK the best and safest place in the world to carry out e-commerce.

Several speakers pointed out the frailties of the Bill as it is drafted and how it fails to meet its goals. There is a danger of over-regulation in this area, which may prompt businesses to move to more lenient jurisdictions. International agreement was called for in what is, after all, an international area.

Where do the controversies lie?

There has been considerable controversy over the RIP Bill during its passage through the House of Commons. This has focused on the costs to operators of telecommunications systems in intercepting and monitoring encrypted transmissions under an interception warrant. The House of Lords called for details of the contributions which will be made by the Government towards the cost of compliance, prior to the passing of legislation.

The human rights issues are even more controversial and the importance of preserving civil liberties was repeatedly stressed by the House of Lords.

Lord Cope of Berkeley supported an amendment to list the authorities who will be able to exercise the new powers, on the grounds that delegation of investigatory powers is inappropriate in law that affects individuals and their human rights.

Lord McNally pointed out that there must be a balance between the criminal threats posed by advances in technology and over-intrusion. Lord Lucas stated that the principle of "innocent until proven guilty" must be staunchly protected.

It seems that the RIP Bill will have a far from easy passage at the committee stage, which is scheduled to take place shortly after the summer recess.

What can you be doing now to prepare for the Bill?

IT directors and the IT industry should by now be preparing for the Bill's implementation. This preparation may include:

  • A comprehensive review of every use of encrypted technology and detailed consideration of what the encryption is protecting and why
  • Putting procedures in place for dealing with possible enquiries under RIP from a whole range of regulators, ranging from the police to Customs & Excise
  • Making employees aware of how to react if a request for the key to encrypted transmissions is received (including documents signed with an electronic signature)
  • Reviewing any security or confidentiality agreements in place with third parties that may be breached by regulators being given the key to encryption and the potential impact of this on existing and future commercial arrangements
  • Analysing how easy it will be to comply with the regulators' request - is appropriate tracking information to hand? Who holds the key to encryption? Is the key in an intelligible form? What will be the cost of compliance?
  • Consideration of how the regulators may use the encrypted data and whether the safeguards under RIP, eg that the key will not be misused, are sufficient

What could non-compliance mean to you?

Failure to provide the key to encrypted data will be a strict liability criminal offence carrying a maximum penalty of two years' imprisonment and/or an unlimited fine. Both individuals and companies can be held liable, so preparation should not be underestimated.

For further information or advice please contact Jane Rawlings at DLA on 08700-111 111 or [email protected]