SMEs bear brunt of RIP legislation

Recent Home Office consultation on the Regulation of Investigatory Powers (RIP) Act, due to become law in October this year, has...

Recent Home Office consultation on the Regulation of Investigatory Powers (RIP) Act, due to become law in October this year, has brought into sharp focus the legal burden such legislation imposes on SMEs.

Dai Davis, an IT lawyer at legal firm Nabarro Nathanson, believes SMEs are disproportionately affected by the RIP Act which will extend the investigatory powers of policing authorities by allowing them to obtain private employee keys and passwords.

"In the case of intranets, companies have a got a real headache sorting out what they should and should not be doing. This is obviously the same problem for all businesses regardless of size, but SMEs with fewer staff and less money will be hit much harder," said Davis.

"A policing authority must go to the individual employee in charge of the keys and passwords to obtain them and not the company as a whole. Therefore, companies must be on the lookout for authorities asking for keys and passwords that they are not entitled to, because the legal fall-out would then land back on the company," he added.

Davis recommends that SMEs put a system in place to deal with such situations if they arise. But he points out that the process of planning would incur high legal costs.

"I think it would be an excellent idea to have advice on the Act readily available for all employees, maybe even included in any new employee manuals or contracts," said Davis.

Forged warrants pose liability danger to SMEs
The Legal Advisory Group at e.centre, the association for standards and practice in electronic trade, has also devised a scheme to protect SMEs which act as communications service providers (CSPs) from legal liability, should they act on a forged warrant for obtaining access to employee keys or passwords.

Will Roebuck, a legal affairs executive at e.centre said: "We suggest that the interception should take place within one working day of the CSP being able to verify the authentication of the warrant."

To avoid delays in securing authentication, Roebuck recommends that one person acts as a single point of contact to serve all interception warrants on a CSP.

The e.centre legal team has also proposed that the chain of liability be severed at a reasonable point for firms. It is particularly concerned that SMEs should not be made liable for any failure of the transmission link or the process of handing over intercepted traffic.

"We advise that the responsibilities of the CSP should terminate at a point of hand-over of the intercepted traffic which will be previously agreed with the interception authority," said Roebuck.

RIP Act not the only legal problem SMEs
The RIP Act is potentially just the tip of a legal iceberg as the online economy takes off and the government seeks to police and regulate Internet trading. One legal quagmire threatening to drag down small firms is the emergence of apparent contradictions between the RIP Act and other legislation, such as the Human Rights Act.

Article Eight of the Human Rights Act is a case in point. It specifies that individuals have the right to respect for their "private life and correspondence". This clause could come into conflict with the monitoring and interception required by the RIP Act. Codes of surveillance issued by the Data Protection Commission also appear to contradict those in the RIP Act.

The confusion is further compounded by ongoing problems with the Data Protection Act (1998), which requires departments and agencies to process personal data "fairly" and "lawfully".

Data protection standards in this area will be set out in the Information Commissioner's forthcoming Code of Practice on the use of personal data in employer/employee relationships, due for publication towards the end of 2001.

Dai Davis advises SMEs to keep a low profile and hope for the best when dealing with this cumbersome legislation.

"I would advise them to keep their heads down, avoid drawing attention to themselves and hope the spotlight does not fall on them," he said. "That is what everyone else will be doing.

"It is very expensive for SMEs to comply fully to the DPA and 99.9% of the time you will be able to breach it with impunity. The worst that can happen is that you will get sued but this would be far less expensive than the cost of fully complying with the legislation."

Are you prepared for RIP legislation?
Do you feel the proposed RIP Act places too much responsibility on businesses? What changes would you like to see included in the final legislation?
E-mail and let us know what you think about the RIP Act >>

Read more on IT legislation and regulation