January 31, 2023

Volume XIII, Number 31


January 30, 2023

Subscribe to Latest Legal News and Analysis

Investigatory Powers Act Becomes UK Law

The new law gives UK intelligence and law enforcement bodies sweeping surveillance powers.

The UK Investigative Powers Act was introduced in response to recommendations that David Anderson QC made, in his capacity as the Independent Reviewer of Terrorism Legislation, to conduct a review of existing laws relating to regulatory powers. The UK government contends that the new legislation is needed to respond to evolving threats within a changing communications environment, especially regarding cybersecurity and terrorist threats.

In broad terms, the IPA permits intelligence and law enforcement bodies to require internet service providers to collect, retain, and disclose broad categories of communications data in certain circumstances.

The IPA allows the secretary of state to require communications companies to retain communications data for a period that must not exceed 12 months. The power is exercised by giving a retention notice to the company. A retention notice, which may relate to more than one company, will require the retention of specified data for the period of the notice, which must not exceed 12 months. This means that companies could be ordered to retain, for a limited period, records of every website and messaging service accessed from any device used by citizens based in the United Kingdom. Provided that a warrant has been obtained by the secretary of state, companies could also be ordered to submit bulk data sets to government bodies or to allow mass surveillance of their customers’ data, such as by allowing the government to see messages sent or received on smartphones.

The government states that the IPA adequately protects UK citizens’ personal data because the legislation creates

  • a “double-lock” for the most intrusive mass surveillance powers, so that warrants issued by a secretary of state also require a senior judge’s approval;

  • a powerful new Investigatory Powers Commissioner, who will oversee how the powers are used;

  • new protections for journalistic and legally privileged material, and a requirement for judicial authorisation for acquiring communications data that identify journalists’ sources; and

  • tough sanctions for those who abuse the powers, including criminal offences.


In the seminal decision of Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) struck down the so-called “Safe Harbor” framework governing the transfer of personal data exported from the European Economic Area to the United States. In doing so, the ECJ was heavily influenced by Edward Snowden’s revelations relating to US law facilitating the mass surveillance of personal data relating to citizens of the European Union (EU). For as long as the United Kingdom remains in the EU, concerned citizens may bring a legal challenge regarding the United Kingdom’s compatibility with EU data protection law, particularly in light of the forthcoming General Data Protection Regulation, which will take effect in May 2018. Once the United Kingdom triggers notice to leave the EU, any future data transfer framework agreed on between the the two is likely to consider the scope of the powers granted to the UK government under the IPA. Finally, some have expressed concern that by requiring communications companies to collect this data in the first place, the government is increasing rather than decreasing the data protection and security risks for UK businesses and citizens. Such data sets will likely be highly valuable and sought after by cyber criminals. This may therefore encourage them to try to find ways to access such data.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 342

About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670
Lee Harding, employment and cybersecurity attorney, Morgan Lewis

Lee Harding advises on employment and cybersecurity matters across a variety of sectors, with an emphasis in the financial services and technology industries, including FinTech. Lee regularly counsels clients in high-stakes crisis litigation and investigations, including in relation to complex disciplinary matters, cybersecurity breaches, class actions, and cases before the High Court of Justice in London that involve business competition issues. Lee’s practice also focuses on the cross-over between employment and regulatory issues under the UK’s Senior Managers and...

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

Ronald Del Sesto, Morgan Lewis, Regulatory Attorney

Ron Del Sesto represents technology companies on a broad range of issues including corporate, financial, regulatory, and cybersecurity. Ron also advises financial institutions, private equity firms and venture capital funds with respect to investments in  the telecommunications, media, and technology (TMT) sectors.