Intelligence sharing under the IPA 2016 explained
The rules that apply to intelligence partnerships between the UK and foreign authorities
TL;DR
This newsletter is about the rules that apply to intelligence sharing arrangements between UK public authorities and foreign authorities under the Investigatory Powers Act 2016. It looks at how the Act regulates intelligence requests made to and by foreign authorities, as well as requests made directly to UK telecommunications operators by foreign authorities.
Here are the key takeaways:
Intelligence sharing between the UK and US was previously subject to secret internal arrangements. However, the Snowden revelations in 2013 and the litigation that followed forced these arrangements to be transposed into primary legislation, with such intelligence sharing now being regulated under the Investigatory Powers Act 2016.
This legislation contains rules on requests made to and by foreign authorities regarding the interception of communications. It also touches on requests for data from foreign authorities made directly to telecommunications operators in the UK.
Intelligence sharing arrangements generally require the approval of a warrant. Such warrants can authorise UK public authorities to either intercept communications on behalf of a foreign authority or request the assistance of a foreign authority to intercept communications.
Regarding requests made directly to telecommunications operators in the UK, the 2016 Act permits this where certain conditions are met, including where the request is made under an international agreement between the UK and another country or territory. An example of such an agreement is the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, concluded between the UK and the US in 2019.
Out from the shadows
The IPA 2016 makes provision for interception operations that involve foreign authorities in some form. The most famous example of such intelligence sharing arrangements is that between the UK and US, which dates as far back as 1946.1
For much of their existence, such arrangements remained secret and therefore have not always been governed by publicly accessible legal rules or procedures at either international or domestic level. However, the Snowden revelations in 2013 did shed some light on internal arrangements followed by the UK SIAs when requesting and receiving intelligence from US authorities.2
Today, the Investigatory Powers Act 2016 (IPA 2016) regulates intelligence sharing arrangements between UK public authorities and foreign authorities. This includes requests made to or by a range of different public authorities, including MI5, MI6 and GCHQ.
Requests made to foreign authorities
The rules on requests made by UK public authorities to foreign authorities are now contained in the IPA 2016. Public authorities may only request a foreign authority to carry out the interception of communications sent by, or intended for, an individual who the public authority believes will be in the British Islands at the time of the interception if either of two cases applies:3
The first is when a targeted interception warrant has been issued under the relevant provisions of the IPA 2016 authorising the UK public authority making the request to secure the interception of communications.4
The second is when a targeted examination warrant has been issued under the relevant provisions of the IPA 2016 authorising the UK public authority making the request to carry out the selection of the content of such communications for examination.5
Consequently, “when a UK intercepting authority asks an overseas authority to carry out (on its behalf) interception of communications of a person in the UK which the overseas authority would not otherwise have been carrying out, the UK intercepting authority must have an interception warrant in place”.6 The material obtained, including the content and secondary data of the communications, “must be subject to the same internal rules and safeguards that apply to the same categories of content or data when they are obtained directly by the intercepting authority as a result of interception under the Act”.7
UK public authorities can also make requests to foreign authorities other than via the issuance of a targeted interception or examination warrant. In this case, a mutual assistance warrant must be sought,8 which is subject to the double lock (a process for ensuring the necessity and proportionality of the warrant, which I explained in a previous post on interception warrants).9
A mutual assistance warrant may authorise a public authority to request the provision of any assistance from a foreign authority described in the warrant in connection with, or in the form of, an interception of communications (except for secondary data10).11 That request must be made in accordance with an international mutual assistance agreement.12
The mutual assistance warrant may also authorise the disclosure of material intercepted by the foreign authority to the UK public authority.13 As well as being subject to the double lock, the issuance of a mutual assistance warrant by the Secretary of State must satisfy two cumulative conditions:14
It must be necessary for the purpose of giving effect to the provisions of an international mutual assistance agreement.
The circumstances must appear to the Secretary of State to be equivalent to those in which the Secretary of State would issue a targeted interception warrant for the purpose of preventing or detecting serious crime.
There are further rules that apply to the UK security and intelligence agencies (MI5, MI6 and GCHQ) carrying out bulk interception in addition to those rules under the IPA 2016. A request for ‘unanalysed intercepted communications’, including their content and secondary data, may only be made by a UK agency carrying out bulk interception if either of two conditions applies.
The first is where “a relevant interception warrant under the Act has already been issued by the Secretary of State, the assistance of the overseas authority is necessary to obtain the particular communications because they cannot be obtained under the relevant interception warrant issued under the Act and it is necessary and proportionate for the intercepting authority to obtain those communications”.15
The second is where “making the request for the particular communications in the absence of a relevant interception warrant issued under the Act does not amount to a deliberate circumvention of the Act or otherwise frustrate the objectives of the Act (for example, because it is not technically feasible to obtain the communications via interception under the Act), and it is necessary and proportionate for the intercepting authority to obtain those communications”.16
In that second case, the request “may only be made in exceptional circumstances and must be considered and decided upon by the Secretary of State personally”.17 Any requests made to a foreign authority “in the absence of a relevant interception warrant issued under the Act will be notified to the Investigatory Powers Commissioner as soon as reasonably practicable”.18
Unanalysed communications content and secondary data received from a foreign authority “must be subject to the same internal rules and safeguards that apply to the same categories of content or data when they are obtained directly by the intercepting authority as a result of interception under the Act”.19 Such internal arrangements must set out the retention periods for the different types of data with regard to their nature and intrusiveness, which should typically be up to two years.20
The prior authorisation of a senior official within the UK SIA is required if data are to be retained beyond this period, and such retention must be necessary and proportionate.21 Data whose continued retention no longer meets the tests of necessity and proportionality must be destroyed, and the deletion process should preferably be operated through automated means.22
Requests made by foreign authorities
A request for assistance with the interception of communications made by a foreign authority may not be fulfilled by UK public authorities unless a mutual assistance warrant has been issued under the IPA 2016.23
That warrant can authorise the provision to the requesting foreign authority of any assistance by UK public authorities of a kind described in the warrant in connection with, or in the form of, an interception of communications.24 As mentioned above, mutual assistance warrants are subject to the double lock and must satisfy the two cumulative grounds for the issuance of mutual assistance warrants.
When disclosing intercepted material to a foreign authority, certain arrangements must be in place.25 Firstly, the following activities must be kept to the minimum that is necessary for the authorised purposes (essentially, the grounds on which a mutual assistance warrant has been issued):26
The number of persons to whom any of the material is disclosed or otherwise made available
The extent to which any of the material is disclosed or otherwise made available
The extent to which any of the material is copied
The number of copies that are made
Secondly, every copy made of any of the material intercepted (if not destroyed earlier) must be destroyed as soon as there are no longer any relevant grounds for its retention.27 Thirdly, restrictions must be in force that would prevent the doing of anything which would result in a prohibited disclosure.28
Requests made to telecommunications operators by foreign authorities
The IPA 2016 also regulates requests made by foreign authorities directly to a telecommunications operator to intercept and disclose communications. Such requests may only be fulfilled where four cumulative conditions are met:
The interception is carried out by or on behalf of a telecommunications operator and relates to the use of a telecommunications service provided by the telecommunications operator.29
The interception is carried out in response to a request made in accordance with a relevant international agreement by competent authorities of a country or territory outside of the UK.30
The interception is carried out for the purpose of obtaining information about the communications of an individual who is outside the UK or who either the person making the interception request or the person carrying out the interception believes is outside of the UK.31
Any further conditions specified in regulations made by the Secretary of State for requests made by foreign authorities to telecommunication providers.32
The IPA 2016 defines a “relevant international agreement” for the second condition as an international agreement to which the UK is party and which is designated as a relevant international agreement by regulations made by the Secretary of State.33 The Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, agreed between the UK and the US in October 2019, is an example of such an international agreement.34
This Agreement constitutes a bilateral executive agreement under the US CLOUD Act.35 It gives US law enforcement “expedited access to electronic data within the [UK’s] territory, in exchange for reciprocal access to data located in the US”.36
That data may only be obtained by the requesting authority for the purpose of preventing, detecting, investigating or prosecuting “Serious Crime”,37 which means offences punishable by a maximum term of imprisonment of at least three years.38 In addition, any request for data made by a US or UK authority under the Agreement must be in compliance with its domestic law and be based on requirements for a reasonable justification based on articulable and credible facts, particularly legality and severity regarding the conduct under investigation.39
Requests can also be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the request.40 Some of this oversight is provided by the Investigatory Powers Commissioner, who is required to keep under review the compliance by UK public authorities with the terms of the Agreement.41
As envisaged by the IPA 2016, the Agreement allows US authorities to make requests for data directly to telecommunications operators in the UK and such operators can be required to disclose the requested data directly to that US authority.42 Therefore, the “chief feature of this expedited access is the elimination of the responding government's role in approving the requesting government's orders”.43
The kind of data that may be requested under the Agreement includes both the content of electronic communications as well as traffic and metadata.44 This also includes “Subscriber Information”, which means information that identifies a subscriber or a customer of a telecommunications service, including names, addresses, telephone connection records and even means of payment.45
John Ferris, '8: UKUSA and the International Politics of Sigint, 1941-92' in Behind the Enigma: The Authorised History of GCHQ, Britain’s Secret Cyber Intelligence Agency (Bloomsbury 2020).
See in particular the legal proceedings following the Snowden revelations regarding the PRISM program starting with Liberty & Others v GCHQ & Others [2014] UKIPTrib 13_77-h and the latest case being Big Brother Watch & Others v UK, App nos. 58170/13, 62322/14 and 24960/15 (ECHR, 25 May 2021).
Home Office, The Interception Code of Practice (2022), para. 9.30.
Home Office, The Interception Code of Practice (2022), para. 9.31.
Secondary data under the IPA 2016 is essentially defined as metadata, though see my previous post on interception warrants for a breakdown of this.
The Investigatory Powers Act 2016, s.15(4)(a).
The Investigatory Powers Act 2016, s.15(4)(c).
Home Office, The Interception Code of Practice (2022), para. 9.33.
Home Office, The Interception Code of Practice (2022), para. 9.33.
Home Office, The Interception Code of Practice (2022), para. 9.34.
Home Office, The Interception Code of Practice (2022), para. 9.39.
Home Office, The Interception Code of Practice (2022), para. 9.37.
Home Office, The Interception Code of Practice (2022), para. 9.38.
Home Office, The Interception Code of Practice (2022), para. 9.38.
Home Office, The Interception Code of Practice (2022), para. 9.38.
The Investigatory Powers Act 2016, s.15(4)(b).
The Investigatory Powers Act 2016, s.54(2)(b). See also ss.54(3) and 56(1).
Overseas Production Orders and Requests for Interception (Designation of Agreement) Regulations 2020, reg 2(a).
Clarifying Overseas Use of Data (CLOUD) Act, 18 US Code § 2523.
Federico Fabbrini et al (eds), Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty (Hart Publishing 2021), 120.
US-UK CLOUD Act Agreement, Article 4(1).
US-UK CLOUD Act Agreement, Article 1(14).
US-UK CLOUD Act Agreement, Article 5(1).
US-UK CLOUD Act Agreement, Article 5(2).
The Investigatory Powers Act 2016, s.229(3A). See also the Functions of the Investigatory Powers Commissioner (Oversight of the Data Access Agreement between the United Kingdom and the United States of America and of functions exercisable under the Crime (Overseas Production Orders) Act 2019) Regulations 2020, reg 2(a).
US-UK CLOUD Act Agreement, Articles 5(5) and 6(1). However, a telecommunications operator will only be required to disclose data to a requesting authority that it possesses and controls, as per Article 1(3).
Federico Fabbrini et al (eds), Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty (Hart Publishing 2021), 120.
US-UK CLOUD Act Agreement, Article 1(3).
US-UK CLOUD Act Agreement, Article 1(15).