Bulk-Collection

The Investigatory Powers Act 2016, nicknamed the ‘Snoopers’ Charter’, consolidates and expands UK surveillance powers. Intelligence agencies (GCHQ, MI5, MI6) can conduct bulk interception of communications, retain bulk datasets, and hack devices (equipment interference). ISPs must retain ‘internet connection records’ showing which websites users visit for 12 months. The law requires communications providers to assist authorities in removing encryption where feasible and maintain permanent interception capabilities. Warrants for targeted interception require judicial approval, but bulk powers have less oversight. The law applies to both domestic and foreign communications accessible from UK territory. While the UK has strong data protection through UK GDPR, the IPA creates significant surveillance exposure, particularly for communications transiting UK infrastructure or stored with UK-accessible providers.

Executive Order 12333, signed by President Reagan in 1981 and amended multiple times since, authorizes US intelligence agencies to conduct signals intelligence collection outside US borders. This includes intercepting communications transiting international fiber optic cables (upstream collection) and accessing data stored in foreign datacenters. Unlike FISA, which involves judicial oversight, EO 12333 collection is governed primarily by executive branch policies with limited external review. The order was central to Schrems II because it enables bulk collection of European communications without individualized suspicion or meaningful redress. For data sovereignty, EO 12333 is particularly concerning because data need not be held by a US company—any data traversing US infrastructure or accessible from US territory may be subject to collection. PPD-28 and EO 14086 have added some safeguards for allied nations’ citizens, but fundamental collection authorities remain intact.