A further thought: s254 requires the judicial commissioner to review the TCN for necessity and proportionality. You might reach one sort of decision if the TCN is targeted against individuals under some sort of suspicion. But it would be interesting to review the thought processes if the TCN is directed at all Apple users of their cloud storage service.
The main route for questioning IPA decisions is the Investigatory Powers Tribunal.
This was another question that I was thinking about over the weekend. Very few UK users will have turned on this advanced data protection setting. Is this TCN meant to be future proofing or is there a specific targeted account that they are already after which has the encryption turned on?
s 253 IPA Technical Capability Notices as well as s 252 National Security Notices are subject to the "double lock" authorisation protocol - laid down in s 254. The authorisers are judicial commissioners at IPCO:
In deciding whether to approve a decision to give a relevant notice, a Judicial Commissioner must review the Secretary of State's conclusions as to the following matters—
(a)whether the notice is necessary as mentioned in section 252(1)(a) or (as the case may be) section 253(1)(a), and
(b)whether the conduct that would be required by the notice is proportionate to what is sought to be achieved by that conduct.
In doing so, the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matters referred to in subsection (2) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
Inevitably their actual work is shrouded in secrecy but it's a reasonable question to ask about the competence of the commissioners and the TAB to undertake all that is asked of them. None of them, as far as I know, are in the least bit stupid but there is an issue of the extent of their knowledge.
My guess is that the Apple TCN issue will only be partially dealt with by the courts.
But we must recognise that pure "invasion of privacy" arguments only have cut-through with a minority of the population, who are likely to be impressed with the usual child protection/terrorism/serious organised crime blandishments (which, to be fair do have some merit). Additionally one must refer to the commercial and economic effects, and the problems for professionals such as doctors and lawyers who have obligations of data protection.
I should have added that there is a further requirement on IPCO when reviewing s 253 TCNs: an obligation to consider the privacy obligations in s 2 IPA.
Yes, thank you for adding this! This is very helpful. It is important context, which I hope to write more on later in the week. I am also really interested in the process of appeal.
It's hard to see how the N&P analysis works out here when you consider the commercial/economic effects as you've pointed out.
A further thought: s254 requires the judicial commissioner to review the TCN for necessity and proportionality. You might reach one sort of decision if the TCN is targeted against individuals under some sort of suspicion. But it would be interesting to review the thought processes if the TCN is directed at all Apple users of their cloud storage service.
The main route for questioning IPA decisions is the Investigatory Powers Tribunal.
This was another question that I was thinking about over the weekend. Very few UK users will have turned on this advanced data protection setting. Is this TCN meant to be future proofing or is there a specific targeted account that they are already after which has the encryption turned on?
Thanks for the posting:
s 253 IPA Technical Capability Notices as well as s 252 National Security Notices are subject to the "double lock" authorisation protocol - laid down in s 254. The authorisers are judicial commissioners at IPCO:
In deciding whether to approve a decision to give a relevant notice, a Judicial Commissioner must review the Secretary of State's conclusions as to the following matters—
(a)whether the notice is necessary as mentioned in section 252(1)(a) or (as the case may be) section 253(1)(a), and
(b)whether the conduct that would be required by the notice is proportionate to what is sought to be achieved by that conduct.
In doing so, the Judicial Commissioner must—
(a)apply the same principles as would be applied by a court on an application for judicial review, and
(b)consider the matters referred to in subsection (2) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
IPCO has the benefit of a Technical Advisory Board - TAB; its members and some of its work are referenced in the IPCO Annual reports, available at https://www.ipco.org.uk/publications/annual-reports/.
Inevitably their actual work is shrouded in secrecy but it's a reasonable question to ask about the competence of the commissioners and the TAB to undertake all that is asked of them. None of them, as far as I know, are in the least bit stupid but there is an issue of the extent of their knowledge.
My guess is that the Apple TCN issue will only be partially dealt with by the courts.
But we must recognise that pure "invasion of privacy" arguments only have cut-through with a minority of the population, who are likely to be impressed with the usual child protection/terrorism/serious organised crime blandishments (which, to be fair do have some merit). Additionally one must refer to the commercial and economic effects, and the problems for professionals such as doctors and lawyers who have obligations of data protection.
I should have added that there is a further requirement on IPCO when reviewing s 253 TCNs: an obligation to consider the privacy obligations in s 2 IPA.
Yes, thank you for adding this! This is very helpful. It is important context, which I hope to write more on later in the week. I am also really interested in the process of appeal.
It's hard to see how the N&P analysis works out here when you consider the commercial/economic effects as you've pointed out.
Fantastic analysis, thanks.