Regulation of intelligence gathering

A range of statutory obligations regulate the acquisition, retention, examination and dissemination of private material by public authorities for intelligence purposes. These include:

•
Investigatory Powers Act 2016 (IPA 2016)
•
Regulation of Investigatory Powers Act 2000 (RIPA 2000)
•
Human Rights Act 1998 (HRA 1998)
•
Intelligence Services Act 1994 (ISA 1994)
•
Security Service Act 1989 (SSA 1989)
•
Computer Misuse Act 1990 (CMA 1990)
•
Wireless Telegraphy Act 2006 (WTA 2006)
•
Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018, SI 2018/356

The purpose of IPA 2016 is to set out 'the extent to which certain investigatory powers may be used to interfere with privacy'.

IPA 2016 does not provide a statutory definition of ‘investigatory powers’, and there is no such definition in previous legislation. For practical purposes, however, the term ‘investigatory powers’ is generally taken to be equivalent to ‘surveillance powers’, with particular emphasis on surveillance that is covert (ie unknown

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Key provisions of Data (Use and Access) Act 2025 to come into force on 5 February 2026

The Secretary of State has made the Data (Use and Access) Act 2025 (DUAA 2025) (Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82, which bring the majority of the DUAA 2025’s data protection reforms into force from 5 February 2026. These regulations commence provisions relating to research and statistical purposes, consent to processing for scientific research, the lawfulness of processing, purpose limitation, data subject requests, automated decision-making, data protection by design for children, and the transfers of personal data to third countries, among others. Further provisions concerning complaints by data subjects will come into force on 19 June 2026.

ICO opens formal investigations into X companies over Grok AI data processing

The Information Commissioner's Office (ICO) has opened formal investigations into X Internet Unlimited Company and X.AI LLC regarding their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content. The investigations follow reports that Grok has been used to generate non-consensual sexual imagery of individuals, including children. The ICO will assess whether personal data has been processed lawfully, fairly and transparently under UK data protection law, and whether appropriate safeguards were built into Grok's design and deployment to prevent the generation of harmful manipulated images using personal data. The investigation will examine the companies' legal bases, technical design choices, and safeguards applied to the Grok model. Under the UK GDPR and Data Protection Act 2018, the ICO can issue fines of up to £17.5m or 4% of an organisation's annual worldwide turnover. The ICO is coordinating with Ofcom and international regulators on the matter.

ICO publishes letter on progress against economic growth commitments and work planned for 2026

The Information Commissioner’s Office (ICO) has published a letter to the Prime Minister, the Chancellor of the Exchequer, and the Secretary of State for Business and Trade setting out a one-year update on its five economic growth commitments made in January 2025. These commitments are to: (1) give businesses regulatory certainty on artificial intelligence (AI); (2) cut costs for small and medium-sized enterprises (SMEs); (3) enable greater innovation through its Regulatory Sandbox and Innovation Advice services; (4) unlock privacy-preserving online advertising; and (5) make it quicker and easier to transfer data internationally. The letter confirms that the ICO is working with the government on legislation to introduce a statutory code of practice on AI and automated decision-making, and that its expanded data essentials platform for SMEs is due to launch in spring 2026. It also states that the ICO has secured funding to design an experimentation regime to support the testing of emerging technologies, with research findings due by mid-February 2026. In addition, the ICO says it is assessing low-risk online advertising activities that could operate without consent under the Privacy and Electronic Communications Regulations (PECR) and will provide evidence to the government in the spring. The letter also highlights that the ICO published updated guidance on international data transfers in January 2026, aimed at simplifying requirements and supporting cross-border data flows, which underpin around 40% of UK exports. The ICO adds that it will continue to issue further guidance and improve regulatory clarity throughout 2026.

Unjust enrichment, NOM clauses and advisory scope (RMK v Euronav)

Commercial analysis: In RMK Maritime (Europe) Ltd and another company v CMB.Tech NV (previously known as Euronav NV), the Commercial Court dismissed a quantum meruit claim for nearly US$11.7m brought by RMK seeking payment for alleged extra-contractual services. Mr Justice Henshaw held that: (1) The services fell within the scope of the parties’ advisory agreement, and (2) In any event, unjust enrichment could not be used to circumvent a detailed contractual framework reinforced by a no oral modification (NOM) clause and an express variation mechanism. The decision is a reaffirmation of contractual primacy in sophisticated commercial relationships. It provides important guidance on the interaction between unjust enrichment and contract, the legal effect of NOM clauses, and the risks of broadly drafted advisory scopes. For commercial practitioners, the case underscores a simple point: if additional services are to be paid for, they must be agreed and documented at the time. This article is written by Zara Yusuf, barrister at Three Stone.

View Information Law by content type :

News