After seven years in the political wilderness, the final and most controversial part of the Regulation of Investigatory Powers Act (RIPA) will come into force later this year, subject to Parliamentary approval. RIPA Part III is likely to become law on 1 October, in line with Home Secretary Jacqui Smith's vague assurances this month in the House of Commons that there would be "news on that soon".
The Home Office said in a statement: "The Government recognised concerns about how Part III would work in practice, and decided not to implement Part III before Parliament had the opportunity to consider and approve a code of practice."
The revised code of practice restricts the scope of public authorities' powers to access encrypted material and introduces additional security provisions for both key materials and disclosed decrypted data. The National Technical Assistance Centre (NTAC) is to be the central contact point for law enforcement and public queries.
"The key here is ensuring that NTAC is well scrutinised and well funded to build business trust," said Jamie Cowper, marketing manager at PGP Corporation. "How well RIPA III works with other pending legislation such as PCI and MiFID is potentially awkward, and might well lead to businesses having to cherry pick which legislation to conform to."
Part III has long been controversial, as it is the part of the Act that allows the seizure of data, and previously of encryption keys, although the latter has now been abandoned. Financial services and legal firms are particularly concerned about accidental disclosure of confidential material during this process.
Robert Bond, partner and head of IP, technology and commercial law at Speechly Bircham LLP said: "This code is a great improvement over previous drafts, and large organisations should be able to work with it. However, companies further down the food chain will have problems, such as having to meet the increased costs of these potentially invasive requests."