Your messaging apps could be about to get way less secure (and some might disappear entirely), and you have Westminster to blame. Parliament is in the process of finalizing a series of amendments to the Investigatory Powers Act of 2016, the core piece of legislation that dictates the UK government’s surveillance of citizens’ electronic communications.

While proponents insist that the amendments are necessary to keep people safe, opponents argue that they threaten to significantly undermine our online privacy. Worse, tech companies may struggle to comply with the new rules, which could force them to suspend operations in the UK.

These changes, which have support from both the Conservative government and the opposition Labour Party, have provoked little public or political debate and do not figure to play a role in the present election campaign.

That is a pity. Post-Brexit, the UK positioned itself as a tech leader, open to innovation and promising light-touch regulation in comparison to the European Union. Instead, it risks putting in place the strictest online surveillance rules in a Western democracy.

The updated Investigatory Powers Act would allow the government to direct tech companies to delay or halt “relevant changes,” product feature updates that undermine law enforcement investigation powers. To ensure that no feature goes unnoticed, the Home Office could require tech companies to notify it before making changes to their products.


In practice, such an authority would likely be used to block new security features that could disable existing surveillance techniques. This would not only stifle innovation in the tech sector. It would also have disastrous consequences for ordinary people using the products that aren’t allowed to release these features, increasing their vulnerability to malicious actors. 

Tech companies also fear conflict with other regulatory regimes. Within the UK, the new Investigatory Powers Act requirements could be viewed as in conflict with the UK privacy rules, which require companies to “implement appropriate technical and organizational measures (e.g., encryption) to ensure a level of security appropriate to the risk.”

While surveillance and domestic conflicts are troubling, an even more important danger will be conflicts with other jurisdictions. If a European Union regulator directs a multinational company to make a “relevant change,” UK law would forbid it from doing so and from telling the EU why it cannot do so. A company would have to decide which jurisdiction to disobey, almost certainly leaving all parties disgruntled. Since it would be illegal to even tell other countries about UK-imposed changes, it would be impossible to work out a solution that works for everyone involved. And since the UK insists that its Home Office’s regressive security roadblocks should apply around the globe, it is bound to create conflicts with friends and allies.

If this all sounds troubling to you, I agree! It might pose enough concern or difficulty to companies that they may decide it is easiest to simply no longer offer their services in the UK. Some popular apps like Signal and WhatsApp have already noted that they will leave the UK if told not to encrypt their messages. Despite the dangers, Westminster seems content to push on — risking the digital security of millions of Britons in the process.

Heather West is a non-resident senior fellow at CEPA and a Senior Director of Cybersecurity and Privacy Services at Venable law firm in Washington. Equipped with degrees in both computer and cognitive science, she focuses on data governance, data security, artificial intelligence, and privacy in the digital age.

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
