Confidentiality RIP?

28 June 2000
More legal news

29 June 2000

A new bill could force companies to give police access to private business data. How damaging could this be for purchasing's relationships, asks David Arminas

Prime minister Tony Blair wants the UK to be the best place in the world for electronic trading by 2002. But if the soothsayers are correct about the imminent e-commerce interception bill, companies will shy away from doing business here.

The government promised, in a Cabinet Office report published last September, a "light regulatory touch" for e-commerce, in order to build business confidence.

The proposed Regulation of Investigatory Powers (RIP) bill, now being debated in the House of Lords, suggests the reality will be rather "heavier". If the bill is enacted without amendments in September, the police will be able to force companies to hand over encryption codes for reading confidential electronic documents for criminal investigations - even when they are not under suspicion.

Firms would also be obliged not to disclose to clients that the police have access to their e-mail activity. Code holders who refused to comply with a police demand would face up to two years in jail, while their company could face unlimited fines.

But what does the bill mean for a company's purchasing department? How will it affect purchasing staff and, crucially, relationships with suppliers and customers?

Shared concerns

In recent years, many UK companies have taken an interest in partnering, where the central tenet is sharing sensitive corporate information to drive both businesses forward.

Just as firms have got used to the concept of sharing, the RIP bill seems set to explode the trust necessary for partnering. Many e-commerce companies, Internet service providers and industry bodies, including CIPS, are fighting the RIP bill.

It comes down to confidentiality, said Will Roebuck of the legal advisory group at e centreUK, a promoter of standards and good practices in electronic trade with around 15,000 members. "If a company is looking after second or third-party information, it must part with it," he told SM.

Police will still need a warrant from the Home Office to enter premises and demand specific information. The difference is that, by giving police encryption codes, they will have "scattergun access" to a massive amount of information, explained Roebuck.

"We are deeply concerned that the bill appears to fundamentally compromise the confidentiality of transactions in the UK," said Melinda Johnson, CIPS's head of policy, who presented the institute's views to the select committee responsible for scrutinising the bill.

"Our members might be forced to facilitate covert surveillance," she said.

Calls by SM to a selection of purchasing professionals revealed that they are not as aware as they should be of the bill's potential impact on their supplier relationships.

A possible reason, according to Johnson, is that they do not believe they will be told that their company has given encryption keys to police.

Nevertheless, if purchasers do know this, how should they react when suppliers facing them at a table and forging a partnership arrangement with them are asked how secure and confidential their business data will be?

Another reason for buyers' lack of interest in the bill could be that many definitions are still to be determined. These include which type of company will be defined as a service provider for the purposes of the police's information requests and who will be liable to pay damages to a supplier if the confiscated business information finds its way into the public domain.

Bench resistance

There will be many ethical dilemmas for purchasing professionals, said Paul Abbiati, an e-commerce legal consultant with PMMS, adding: "Never have I seen so many industry bodies against a new law."

Most people would agree that there is a need for investigatory powers, he said - just not one that includes the handing over of encryption keys.

The battle over the investigatory powers won't end when the RIP bill is passed. Instead, it will shift to Brussels and the European Union, which is in the process of updating its e-commerce directive.

Any national legislation, such as the RIP bill, will have to comply with the EU directive when it comes into force. This may not be until late 2001, according to a spokesperson for the EU's Information Society.


East Riding of Yorkshire
GBP250 - GBP350 per day +
1st Executive
London (Central), London (Greater)
£60,000 pa
St Mungo’s
CIPS Knowledge
Find out more with CIPS Knowledge:
  • best practice insights
  • guidance
  • tools and templates