Costs of Compliance with the UK’s Draft Investigatory Powers Bill

Compliance Mirkwood Evans Vincent

The UK Parliamentary Science and Technology Committee reported on 1st February on the UK Government’s draft Investigatory Powers Bill, including on the costs of compliance for UK communications service providers (“CSPs”).

The draft Investigatory Powers Bill will require CSPs to retain the internet browsing history of all of their customers for the previous twelve months. The Government appears to have come up with an aggregate figure of £174.2 million for the total likely cost of UK CSP industry compliance with its proposed legal framework. It is not at all clear how being told this figure is supposed to help any individual business assess its individual costs of compliance, or whether there was any likely benefit of trying to identify that number at all.

The industry perception is that the bulk of the costs of compliance with the draft Investigatory Powers Bill will relate to storage. However a more frightening prospective cost may be if the very requirements of the draft Investigatory Powers Bill turn out to be incompatible with the way in which particular services are provided. Apple, for instance, has raised the concern that its iMessaging encrypts the message from start to finish and that they would not have the technology to access the messages even if the Law required them to. Might service providers then be required to incur the cost of altering the underlying service technology just to facilitate legal compliance? If not, what would be to stop service providers intentionally providing services in a way, which would defeat the intent of the relevant legislation. By the same token, what would be the point of requiring elaborate data retention mechanisms if actually the criminals and terrorists would just be in a position to change their means of communication in a perfectly lawful way but one which avoided the possibility of surveillance? There are currently no satisfactory answers to these questions.

Clause 185 of the draft Investigatory Powers Bill provides that CSPs receive an “appropriate contribution” towards their compliance costs. The Science and Technology Committee notes that as drafted, the clause promises that this contribution will “never be nil.” That may be true but it is less clear that any governmental contribution will be sufficient to ensure (a) that the cost burden of compliance does not fall disproportionately on the smaller CSPs or (b) that businesses considering entering the UK CSP market are not deterred by the increased cost burden of legal compliance vs establishing such businesses outside of the UK.

In Denmark it appears that whilst the equipment cost of data retention systems is borne by the telecommunications companies, access to data is billed to the Police. The Government is due to publish draft Codes of Practice later this year, in which matters may or may not become more transparent in terms of where the burden of costs will fall in the UK. The Science and Technology Committee’s report emphasizes that these Codes of Practice must ensure that businesses based in the UK should not be placed at a commercial disadvantage compared with their overseas competitors.

If your business needs to understand the legal impact of the draft Investigatory Powers Bill becoming law, then please contact