The changes will, among other things, cut the number of cases in which communications data can be accessed by UK authorities for the purposes of fighting serious crime. They will also require the authorities to seek the approval of an independent body for the right to continue accessing communications data three days after they were given the right to do so through an 'urgent' internal sign-off process.
The changes are contained in the draft Data Retention and Acquisition Regulations 2018 and the draft Investigatory Powers (Codes of Practice and Miscellaneous Amendments) Order 2018, both of which have been laid before the UK parliament.
Communications data is information about communications, such as the time of communications and the location of the sender and recipient, but is not the content of the communications.
Currently, the Investigatory Powers Act governs when UK authorities can obtain access to the data from communication providers and for what purposes they can use it. However, the government previously admitted to failings in the legislation and opened a consultation on proposed reforms last year. That exercise was prompted by a December 2016 ruling of the Court of Justice of the EU (CJEU).
The CJEU ruled that EU law precludes EU countries from passing a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime.
The CJEU also said that EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, but only where the objective of the data retention rules is to fight "serious crime".
Subsequent court rulings in the UK have interpreted the EU court's ruling further.
In April, the High Court gave the UK government until 1 November this year to update the Investigatory Powers Act provisions after it ruled the Act's communications data regime unlawful because it does not limit access to retained data "to the purpose of combating 'serious crime'", and because access to the data "is not subject to prior review by a court or an independent administrative body".
Now, after receiving nearly 800 responses to its consultation, the government has said it will make changes to its initial proposals. This includes amending its definition of 'serious crime'.
In its consultation paper, the government proposed to permit authorities to access communications data for crimes that could attract a six month prison sentence, but many respondents to its communications said that threshold was "too low", according to the Home Office's response paper (15-page / 280KB PDF). It said it had "listened to the concerns" and now plans to define 'serious crime' for the purposes of the communications data provisions as crimes for which a 12 month sentence can be imposed.
"This will mean data cannot be acquired for the investigation of crimes where a person is not capable of being sentenced to 12 months imprisonment," the government said. "Depriving a person of their liberty by handing down a prison sentence is, of course, a serious issue."
In addition, the government said it has amended an associated code of practice that complements the Act to require UK authorities to "consider factors such as the particular circumstances of the case, the offender, the impact on the victim, the harm suffered, and the motive of the crime in order to demonstrate that the acquisition of communications data is proportionate".
The Home Office also confirmed its intention to press ahead with the creation of a new Office for Communications Data Authorisations (OCDA) to review requests for communications data made by UK authorities before they are processed by communication providers. It said it "simply would not be feasible" for UK courts to perform this role due to the volume of applications.
In its ruling, the CJEU said that this 'prior review' process should apply "except in cases of validly established urgency", where internal authorisation is sufficient. The government has now set out a deadline of three days for how long data can be accessed under the 'urgency' process before independent authorisation for continued access needs to be obtained.
"The amendments we are proposing to the Act mean that an authorisation made using the urgent internal process cease to have effect after three days, ensuring that a request must be made to OCDA where activity authorised internally via the urgency process is ongoing at the end of the three day period," the government said. "We have now amended the code of practice to make this restriction on urgent applications clear. Of course the use of the urgency procedure also remains subject to the usual oversight by the investigatory powers commissioner."