Now that the Regulation of Investigatory Powers Act is in force, Angus Hamilton returns to the examination of this controversial piece of legislation.

The Regulation of Investigatory Powers Act 2000 (RIP) is now in force after a troubled passage through parliament and much criticism from the e-commerce sector.

Before starting to examine some of the more controversial aspects of the legislation and how they have been tempered by last-minute amendments and government concessions, I think it might be helpful to back up a little and look at why this controversial piece of legislation was needed at all. Its origin, perhaps rather surprisingly, actually lies in human rights.

Back in December 1948 the newly formed United Nations proclaimed the Universal Declaration of Human Rights (UDHR). The experience of National Socialism in Germany and the treatment, in particular, of the Jewish communities in occupied Europe necessitated the creation of an international agreement as a last protection against the excesses of an individual nation state. On 4 November 1950 the Council of Europe formulated the European Convention of Human Rights (ECHR) which mirrored the UDHR but limited itself to rights thought to be capable of enforcement rather than conceptual interests.

The Convention came into force when it was ratified by 10 member states. The first to ratify were Denmark, Germany, Iceland, Ireland, Luxembourg, Norway and Sweden on 3 September 1953. They were followed by the Netherlands (1954), Belgium (1955) and Austria (1958). The UK did not fully ratify the Convention until 1966.

Among the areas covered by the ECHR are the right to life (Article 2), protection from inhuman treatment and torture (Article 3), freedom from forced labour (Article 4), the right to liberty (Article 5), the right to a fair hearing or trial (Article 6), the right to respect for a private and family life (Article 8), freedom of thought, religion and expression (Articles 9 & 10), the right to demonstrate peacefully and to join a trade union (Article 11), the right to property (Protocol 1 Article 1), education (Protocol 1, Article 2) and fair elections (Protocol 1 Article 3). There is also an overarching requirement that any of the rights within the Convention are to be enjoyed without discrimination (Article 14).

Prior to the implementation of the UK’s Human Rights Act 1998 (in force 2nd October 2000) the only effective way an individual UK citizen could seek to enforce their rights under the ECHR was by making an application to the European Commission of Human Rights in Strasbourg. The Commission is comprised of one member for every state that is a party to the convention and is supported by a team of international lawyers.

However before an individual citizen could make a complaint claiming a breach of the ECHR he or she had to satisfy the Commission that all the available domestic remedies had been exhausted.

The Human Rights Act 1998 (HRA) alters this position considerably. Under the new Act UK courts must interpret all primary and secondary legislation (basically Acts and Regulations) so far as it is possible in a way which is compatible with ECHR rights. With some pieces of legislation this will mean, effectively, reading in additional wording or qualifications to ensure that there is no breach of the Convention.

Where it is simply not possible to interpret legislation in a way which is compatible with Convention rights then the UK courts can issue a ‘declaration of incompatibility’ - a form of ‘red card’ to the government warning it that legislation requires urgent amendment. Since 1998 all new legislation carries a certification from the relevant Secretary of State that the law is compatible with the Human Rights Act – although such certification does not prevent the UK courts from taking a different view.

The HRA also makes it unlawful for any ‘public authority’ (which would include the police, the courts, the Inland Revenue and even your local council) to act in any way which is incompatible with the ECHR. An individual can make an application to the courts to have any such unlawful act or decision overturned and can in certain circumstances claim compensation.

It will still be possible, post HRA, for an individual to take a case to Strasbourg. However, the rationale behind the Act is that such action will become increasingly unnecessary as our own domestic courts will be empowered to overturn acts and decisions undertaken in contravention of ECHR rights and to challenge and re-interpret non-ECHR compliant laws.

Now, Article 8 of the ECHR provides:

 

Right to respect for private and family life
1 Everyone has the right to respect for his private and family life, his home and his correspondence.

2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Article 8 is thus what is known as a ‘qualified’ rather than an ‘absolute right’ – an individual’s privacy may be invaded providing it is in accordance with paragraph 2. One of the fundamental requirements of that paragraph is that any such invasion is ‘in accordance with the law’ and what that essentially means is that legitimate invasions of privacy must be clearly sanctioned by primary or secondary legislation.

Up until RIP the state’s ‘rights’ to spy on people, whether that be by way of visual surveillance, phone tapping, e-mail ‘tapping’, opening post, keeping confidential computer files etc., were only partly regulated by statute. Even then this was on a rather ad hoc basis. For example, the right to monitor public (but not private) telecommunications networks was set out in the Interference with Communications Act 1985. That Act in turn was the consequence of a pre-HRA application to Strasbourg by a disgruntled victim of surveillance which had no statutory basis.

With the effective incorporation, under the HRA, of the ECHR directly into domestic legislation there was a substantial risk that individual citizens might start challenging surveillance which was not adequately prescribed by statute on the basis that it is unlawful. Consequently, codifying ‘umbrella’ legislation putting all state surveillance techniques onto a statutory basis was required. So RIP was born.

The Act seeks to establish a single legal framework for the interception of all communications in the UK - whether they are via public telecommunications systems (such as BT), postal systems (such as the Royal Mail) or by private telecommunications systems attached to a public network (e.g. internal telephone exchanges attached to the main BT network). ISPs, mobile telephone networks, WAP systems and office switchboards will all be brought within the new regime.

RIP does not provide a complete code for such surveillance – the legislation will be complemented by Codes of Practice covering Human Intelligence, Covert Surveillance and Intrusive Surveillance.

One of the more controversial provisions in RIP is the power to require telecommunications service providers to maintain an 'interception capability' - the technical facilities which would enable the authorities to tap into any form of communication at any time (s.12). Such taps will be legitimate where they are in the interests of national security, or aimed at suppressing crime or are designed to safeguard the UK's economic interests.

One of the greatest concerns for ISPs and Internet businesses is the cost of complying with this onerous obligation. Although the government has said it will contribute to the costs it has done so in sufficiently imprecise terms to leave small ISPs fretting. A further concern is that an interception capability which allows the government easy access will also be a prime target for hackers and e-terrorists.

Another highly controversial aspect of the Act is the provision which enables law enforcement agencies to access encrypted messages. Such agencies may require the surrender of either decrypted text or the key that has been used to encrypt communications in the first place. This is done by serving a 's.49 notice'. It is a criminal offence under the Act (s.53), punishable with up to two years' imprisonment, to fail to surrender an encryption key. The Act places the onus on the recipient of the notice to show why any encryption key cannot be surrendered. There is also a related offence (s.54) of 'tipping off' any interested parties about the fact that a law enforcement agency is seeking decryption. This offence carries up to 5 years' imprisonment.

One of the principal concerns about this aspect of the legislation is that consumer confidence in encrypted communications may be undermined and thus a piece of legislation promoted by the government as making the UK the best and safest place in the world to conduct e-commerce runs the risk of achieving exactly the opposite.

Next month I will look at the government’s 11th hour attempts to placate e-entrepreneurs on these two principal concerns and will look at some other aspects of the legislation.

 

UK's Lawful Business Practice Regulations now in force
The Lawful Business Practice (LBP) Regulations, which have been made under the Regulation of Investigatory Powers Act 2000, came into force on 24th October 2000. The regulations define exceptions to RIP's general obligation of seeking consent for intercepting communications.

RIP authorises interception in cases where it can be assumed that both the sender and the intended recipient have consented. The LBP Regulations authorise businesses to monitor their own communications without consent where the business needs to determine whether those communications are ‘relevant’ to the business. This will allow businesses to monitor employees' use of e-mail. However, there is a requirement to tell employees that monitoring may take place.

Arguably this is no real change in the situation pre-RIP, although the news coverage of the Regulations seems to suggest that employers were being given entirely new powers.

The regulations are available on the website of the Department of Trade and Industry at http://www.dti.gov.uk/cii/lbpintro.htm

In a complementary and possibly contradictory move the UK Data Protection Commissioner has published a draft code, entitled ‘The Use of Personal Data in Employer/Employee Relationships’. The code gives guidance on what employers need to do to comply with the Data Protection Act 1998 and includes recommendations for good practice.

The draft code is directed at employers and applies to both current and past employees. It includes guidance on the monitoring of employees. The code suggests that the monitoring of business communications (including e-mail) might intrude on employees' privacy, and could be seen as unfair processing under the Data Protection Act 1998. This guidance may have to be reviewed in light of the new Lawful Business Practice Regulations. In general however, the Commissioner recommends that employers make it clear whether facilities such as e-mail may be used for private purposes, and if monitoring is conducted, employees should be informed of that.

The draft code is available at http://www.dataprotection.gov.uk. The Commissioner is inviting comments. These can be sent to David Smith, Assistant Commissioner, ODPC (e-mail: dsmith@dpexecutive.demon.co.uk), up to 5th January 2001.

 

Copyright © 2000 Hamiltons Solicitors. All rights reserved.