Government surveillance

There are many different facets to an Orwellian dystopian society (in which, some may argue, we already live) where privacy no longer exists and Big Brother is watching everyone. Some of the culprits are the data mining and tracking used by the tech giants to profile internet denizens in order to realise lucrative profits from highly targeted advertising, which we covered in the July issue of the Newsletter.

But although the erosion of privacy by big business is a major concern – especially in light of the Cambridge Analytica scandal and allegations of Russian interference in elections – the most acute fears have traditionally centred on government surveillance. So what are the main pieces of legislation in the UK which relate to government surveillance?


The Regulation of Investigatory Powers Act 2000 (RIPA) was arguably the first implementation of an official framework for covert surveillance of internet communication by the police and other public bodies. Controversial at its inception, it introduced various measures designed to empower security services and others grappling with the lawlessness of cyberspace, including:

  • allowing police, intelligence services, HMRC and various other public bodies to demand ISPs provide detailed communications records for individual users;
  • forcing ISPs to fit equipment to facilitate interception of internet communication at Government request;
  • enabling government to demand any relevant encryption keys – and making refusal a criminal offence;
  • other measures dealing with non-internet interception such as bugging and wiretaps, reading mail, requesting telephone data and listening to calls, photographing people and using undercover officers and informers.

Although an Investigatory Powers Tribunal was set up to hear complaints about surveillance by public bodies, privacy campaigners and other critics argued that the powers granted under RIPA were overreaching and posed risks of inappropriate and oppressive surveillance. These fears were borne out in several incidents which followed its introduction, including the revelation of journalists’ sources and a council which spied on a family to determine whether they were entitled to take advantage of a school catchment area.

The “Snoopers’ Charter”

In 2006, the EU Data Retention Directive came into force, requiring member states to store the telecommunications data of their citizens for at least 6 months. This was declared invalid in 2014 by the ECJ, following a case in which it was found to breach the EU Charter of Fundamental Rights. This ruling led to the UK Government introducing the Data Retention and Investigatory Powers Act (DRIPA) as a piece of “emergency legislation” so that it could continue with its policy of data retention. However, DRIPA was subsequently challenged and also ruled unlawful by the ECJ in 2016. This second ruling paved the way for a new piece of legislation – the Investigatory Powers Act 2016 (IPA) – designed to both replace DRIPA and update RIPA.

IPA 2016 not only kept in place retention of data by ISPs, but also beefed up the measures contained in RIPA regarding interception of communications, requests for communications data, equipment interference and bulk warrants for communications data, and introduced technical capability notices (TCNs). TCNs can require ISPs to introduce permanent interception capabilities – and possibly also to prevent encryption (although this latter point is still a matter of debate).

As well as the traditional communications industry, IPA 2016 can be applied to nearly any business which handles communication of data – such as cloud-based service providers, ecommerce businesses and even private network operators (eg business computer networks).

But IPA 2016 has already been successfully challenged in the courts and needs to be amended to better align with EU legislation, with other challenges expected.


The Investigatory Powers Commissioner’s Office (IPCO) was set up in September 2017, centralising the oversight roles which were previously undertaken by the Chief Surveillance, Interception of Communications, and Intelligence Services Commissioners. IPCO is responsible for reviewing the use of investigatory powers by public authorities, including intelligence and law enforcement agencies. It complements the Investigatory Powers Tribunal and conducts audits and investigations when necessary.

Other relevant oversight bodies include the Surveillance Camera Commissioner (responsible for working with public authorities to make them aware of the surveillance camera code of practice), the Intelligence and Security Committee of Parliament (which has responsibility for oversight of the UK intelligence community) and the Biometrics Commissioner (responsible for reviewing the retention and use by the police of DNA samples, DNA profiles and fingerprints – see below).


Biometrics refers to the calculation of biological human characteristics. In terms of government surveillance, this normally translates to the identification of individuals using biometric identifiers such as fingerprints and DNA, or through face or iris recognition. Although the retention of fingerprints by the police is nothing new, the use of automated facial recognition has courted controversy due to huge inaccuracy.

The Home Office recently published a Biometrics Strategy which has been lambasted as woefully inadequate, and was even criticised by the Biometrics Commissioner for lacking direction.

Other relevant legislation

  • The EU Charter of Fundamental Rights and the Human Rights Act (HRA). The former was mentioned earlier in relation to the now defunct DRIPA, and Article 8 of the HRA (right to privacy) has been invoked in relation to RIPA.
  • The Telecommunications Act 1984. Section 94 provides for “bulk Communications Data Acquisition”. This was updated by the Communications Act 2003.
  • The Protection of Freedoms Act 2012. This included several provisions related to controlling or restricting the collection, storage, retention, and use of information in government databases.
  • The GDPR and the Data Protection Act 2018. These relate to the protection of personal data in general but there are several provisions which relate directly to public authorities and bodies (eg the need to appoint a Data Protection Officer).
  • The Intelligence Services Act 1994. This established “a procedure for the investigation of complaints about the Secret Intelligence Service and the Government Communications Headquarters” and the Intelligence and Security Committee of Parliament (see above).

Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Twitter: @alexheshmaty.