Read Bill Ministerial Extracts
(1 year, 1 month ago)
Lords Chamber(1 year, 1 month ago)
Lords ChamberThat the Bill be now read a second time.
My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.
The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.
Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.
It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.
But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.
I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.
This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.
Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.
Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.
I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.
While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.
Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.
The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.
Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.
In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.
The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.
Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.
The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.
Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.
Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.
Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.
Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.
The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.
The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.
Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.
I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.
My Lords, I am sure the Minister was referring to me. But, seriously, I thank him for that helpful introduction and for the briefings that he and his officials have organised, including in buildings nearby later this week.
This is an important Bill, and we all need to ensure that it delivers effectively what we all wish for as we seek to defend our country and our freedoms against outside threats. I say to noble Lords including the Minister that we fully support the passage of the Bill, for the reasons that he outlined in his conclusions, and recognise the changed security environment that necessitates the need for this piece of legislation updating and improving the Investigatory Powers Act 2016.
There have clearly been significant changes to the threat picture, with developments that had perhaps not been fully foreseen over the last few years. Of course we have to remain vigilant against any terrorist threat, but even that has been overshadowed by other factors—in particular, the pace of geopolitical change and the extent of its impact on the UK and its people. The invasion of Ukraine, the weaponisation of energy and food supplies, artificial intelligence, the actions of Iran and the more aggressive stance with China in the South China Sea and beyond are just some of many examples. Importantly, this also manifests, as the Minister will know better than anyone, as threats such as economic espionage, the buying of influence, cyberattacks, disinformation and indeed, as we saw, the Salisbury poisoning. In the face of that hostile state activity, we have to change.
I join the Minister, and no doubt many others, in saying that we are very fortunate in having had the extremely helpful—and for me, I might add, understandable—report by the noble Lord, Lord Anderson, to guide us in this. It is also good to see other Members of your Lordships’ House who have extensive experience in this area to inform our debate. In congratulating the noble Lord, Lord Anderson, I shall raise some general points from his report and then deal with specifics as appropriate for a Second Reading debate.
It is of huge significance and importance that the noble Lord, Lord Anderson, did not produce a classified annex to his report. In an area of this importance and sensitivity, you obviously need secrecy and confidentiality, but there has to be as wide a public and parliamentary debate as possible. There are real issues of principle being discussed here, not least the right to privacy and the protection of an individual’s information or personal data. As I say, there is a need for the security services, law enforcement and others to act and to have the intelligence tools that they need, but the balance between national security, tackling serious crime and an individual’s privacy should and must, quite rightly, be a matter for public debate. When fundamental rights are at stake, that needs to be cautiously challenged, and this House will need to do that in Committee, while, as I say, fully supporting the overall passage of the Bill.
Chapter 10 of the report asks what comes next. Such is the pace of change and challenge, the noble Lord, Lord Anderson, recommends that, once this amending legislation is on the statute book, we need to move on very quickly to what comes next.
I shall turn to the Bill with some general comments, with the more specific questions coming in Committee. Bulk personal datasets are clearly important, and the Bill will allow a lighter-touch regulatory regime. The threshold will be where individuals have a low or no expectation of privacy in respect of that data. The Bill seeks to set out examples of the sorts of cases where such a regime would apply for the examination of material by the UK intelligence community. I believe there will need to be a careful debate about what such a threshold means. What does “low” mean? Would all such activity be subject to the approval of a judicial commissioner? Some have already expressed particular concern about new subsection (3A)(e), inserted into Section 11 by Clause 11(3), which says that communications data can be obtained
“where the communications data had been published before the relevant person obtained it”.
Does that mean it is available simply by having been published?
On a more general point, how does all this relate to the Data Protection Act, where personal data may be protected but is potentially not so by the new Bill? Big Brother Watch gives the example of the potential concern over Clearview, which has a mass of facial images—approaching 30 billion—harvested from social media. That could be considered a low-privacy database since the photos had been made public by the individuals, but the Information Commissioner’s Office found Clearview in breach of the Data Protection Act. This argument could therefore potentially be extended to many areas, such as Facebook posts, and will therefore need careful scrutiny, along with the more general point about the relationship between this Act and the Data Protection Act.
There are to be new proposals for internet connection records; they are clearly important, but changes are again being made. In particular, on the justification for target discovery—which, in essence, is a more generalised surveillance, if I have understood it correctly—is it the case therefore that there may not necessarily be a need for suspicion to lead to a particular form of surveillance? It is also interesting to note that, according to the report by the noble Lord, Lord Anderson, as I understand it, this extension or facilitation of target discovery for internet connection records should be limited to UK intelligence. So why have the Government extended this to the National Crime Agency as well as to the UK intelligence community? In other words, why has it gone beyond the recommendations of the noble Lord’s report?
The need for the communications of legislators to be secure and confidential—say, in discussing matters with constituents or other bodies—except in the most exceptional circumstances, is of real importance. Following the IPT case in 2015, there was legislation in the 2016 Act that tried to protect this principle by allowing any interception or obtaining of any communication to be allowed only with the so-called triple lock—in other words, after Prime Ministerial authority was given. The question this Bill seeks to answer is: what happens if the PM is, in the Minister’s words, “unavailable”? This seems to me to be a reasonable question to ask. We need to probe Clause 21 carefully and ask whether the inclusion of any Secretary of State is too broad a definition, what the involvement should be of senior officials, as laid out in the clause, and whether the proposed definition is correct. For example, would it not be better to specify the Secretaries of State as the Home Secretary or the Defence Secretary, or other senior Secretaries of State, rather than the broad blanket of any Secretary of State? The senior officials are explained, to an extent, but we need to explore in Committee whether we need to be more circumspect with what we mean by that.
We have also received a briefing from Apple, and it is important for us to reflect on its concerns. As I have made clear, we support the passage of the Bill, subject to proper scrutiny, which we and others will give in Committee, but Apple’s concerns need to be addressed by the Government in a public forum, to ensure trust and confidence in the new system we seek to introduce. Why is Apple wrong to have concerns about pre-clearance requirements?
On extraterritoriality, the noble Lord, Lord Anderson, says on page 57 of his report that he makes “no recommendation” on a policy issue for DRNs or the importance of end-to-end encryption. End-to-end encryption is a key security tool for us all, but it is also one that can be used, and is used, by malicious actors. We understand that, so how do we strike a balance between the necessity for the privacy and protection of an individual’s data and the need for security services and others to have potential access to that data to uncover serious crime or terrorist activity? In Committee, we need to discuss where that balance should be made and where that line should be drawn; it is an important area of discussion.
Throughout the report by the noble Lord, Lord Anderson, and the subsequent Bill before us, we see various adaptions of warrant processes, judicial oversight and the role of the commissioner, with many proposals. While we are generally supportive, we will need to examine these in more detail in Committee, but I have a few general points to raise now. For example, does the Bill help to sort out confusion in government? Incredibly, on page 28 of the noble Lord’s report, the MoD cannot, even when co-located in a hostile environment, transfer some data to the UKIC. Does the Bill sort that out? That is an important question that I put on the table for an answer—not necessarily now, but certainly in Committee.
Domestically, on the same page, we are told that it was a revelation to UK intelligence community officers to see how easily other government departments subject only to normal data protection requirements could access, retain and process bulk personal data. This Bill should not go through without the corresponding changes to policy and practice, highlighted by the above two apparent anomalies. No doubt there are many more. It would be a wasted opportunity were we not to address some of those examples which seem to draw attention to anomalies within the existing system which many of us would expect a Bill such as this to sort out.
Co-operating should not be as difficult as it seems to be. Openness and transparency are crucial so that we can be sure that, as far as possible, the number of various warrants applied for and refused is made public. More generally, what role is there for parliamentary oversight as well as the intelligence commissioner and so on? The Intelligence and Security Committee is our important eyes and ears on this matter. What part will it play in all this? Are its terms of reference, which I have said in other debates are in need of review, sufficient to allow the necessary level of scrutiny? If it is not appropriate for the committee to be involved, where is the parliamentary scrutiny? Where is the mechanism for reporting to Parliament? It would be interesting to hear that from the Minister. Yes, there are various commissioners and there is senior ministerial involvement, but what of Parliament? Parliament cannot be seen in areas as important as this as an afterthought or an irritant. It should be a proper custodian of our values in this difficult area.
I have laid out some of the key issues, although there are many more. I conclude by saying that, as the noble Lord, Lord Anderson, pointed out in his report, we cannot allow the debate to be characterised as being between those who stand up for security, for our country, and who understand what needs to be done, versus a privacy lobby that does not live in the real world. Of course, operational security cannot be compromised and changed threats require policy to be developed. We support the Government in this through the changes which are needed in this Bill. The challenge is to do so in a way that is consistent with our principles of democracy and human rights. Sensible debate and discussion surely will help us towards something that we all want—to build a consensus as far as possible over protecting our nation and allies against those who would do us harm, and not to undermine privacy or freedoms unless it is essential to do so.
My Lords, it is a great pleasure to follow the noble Lord, Lord Coaker. I look forward to a fascinating and intimidatingly expert debate. Before commenting on the Bill, I feel that it is important to contextualise what we are discussing today.
Many of us enjoy books that depict the intelligence services. In the main, the George Smileys who appear within their covers are practising in a world that is very far from the lived experience of most people in this country. However, the reality is very different. The work of the intelligence services impacts very many people’s lives in the UK. It is not just bombs and guns but drugs, people trafficking and other exploitation, financial and cybercrime, extortion and many other crimes. The perpetrators are Governments, terrorist organisations, criminal gangs and lone individuals. Crime and terror merge and are socially unjust activities that prey on the weak. The victims are most often the vulnerable and those with the least ability to resist. Within this depressing tapestry, we rely on our intelligence services to help keep us safe and we need a police force that can cope with the complexities of those crimes. Liberal Democrats wholeheartedly support the services that seek to do this and we welcome this debate.
We also believe that these vital tasks have to be balanced against the freedoms and liberties at the heart of our country’s values. Every new power must be weighed in that balance and the noble Lord, Lord Coker, just explained that from his perspective. As we have heard, this Bill proposes some specific amendments to the original Investigatory Powers Act 2016. I was not involved in the scrutiny of the Bill at that time; that fell to my noble friend Lord Paddick, and the noble Baroness, Lady Williams, was in the ministerial chair, so it is a new set of eyes looking at this legislation.
I remind your Lordships’ House of some of the key priorities that my noble friends here and my colleagues in the Commons applied to the 2016 Bill. The first of these is that there should be no weakening of encryption. The second is the vital role of judicial authorisation and the third is that, when it comes to the bulk collection of information or mass surveillance, British residents have a right to expect privacy. These principles were central to our response to the last Bill and will be to this.
Today’s Bill, as we have heard, is the product of deliberation over years. Your Lordships should particularly thank the noble Lord, Lord Anderson, for his work on it. However, given the time taken to get this far, it is very disappointing that the Government chose to introduce the Bill in such a rush that it gave just eight working days for parliamentarians and civil society to prepare for the specific scrutiny of it. If the Government were seeking to ensure that they took people with them, this is a way to antagonise them. There are already comments about haste being an effort to railroad people.
I am afraid my speech today is quite a long one because I did not have time to write a short one. I turn to the Bill. As the Minister set out, the original Bill established a set of protections under Part 7; this Bill introduces two new levels of security, Parts 7A and 7B. Part 7A is introduced in Clause 2 and concerns bulk datasets, as we have heard, with
“low or no reasonable expectation of privacy”.
These so-called low/no datasets may be in three types, each with slightly different rules.
I have enjoyed helpful discussions with the Minister’s department and for that I appreciate his facilitation and engagement. During those discussions, the basic explanation has been that these datasets are needed to train tools using machine learning, that they already exist and are being used in the commercial world, but the Part 7 process makes them at best clumsy and at worst impractical to be used by the intelligence services. I take those points. Furthermore, the introduction to Part 7A includes a requirement for approval from judicial commissioners. Had it not, this discussion would have been much harder.
If training Al tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations. I can imagine why urgent data might be needed, but it is the investigators who will define the urgency. Additionally, new Section 226BC refers to a relevant period of three working days between the acquisition of the urgent data and full judicial approval. Yet, after three days, the judicial commissioner may decline to permit the use of the data that has already been employed in an investigation using rapid Al-enabled analysis.
Taken together, I have my worries. There needs to be a duty to immediately notify the judicial commission. Secondly, there should be guardrails helping define “urgent” and finally we need to discuss how information discovered using data that is subsequently ruled ineligible is, shall we say, unremembered. Without these, the use of low/no datasets in this way for operational issues is concerning.
I have gone into this in some detail because I see it as a serious operational concern but also because I wanted to illustrate the sort of scrutiny the Government should expect from these Benches throughout this debate. There are other examples as we go through the Bill, but I will refer to those only broadly now. Clause 5 introduces a second new category of approval, Part 7B, this time for datasets held in third party assets to which the intelligence services have access. As far as I can deduce, this brings into the orbit of the IPA data which was previously not included and mandates both Secretary of State and judicial commission levels of approval. Unless I learn otherwise, that is a good starting point.
That said, we will seek to initiate explicit discussion around the use of medical, genetic and genomic data and how this can be protected. Here I note that anonymised data can be relatively easily reassigned, so anonymity in health databases is no actual protection. This is important on several levels, not least for public confidence in the digitisation and legitimate use of this very important information.
Part 2 allows the deputisation and delegation of some of the powers to broaden the number of people responsible involved. I just ask whether the Minister believes that this heralds a massive increase in workload.
In Part 3, I thank the Minister for his explanations around Clause 11, which I shall read carefully, and I will be coming back for some more details about how that will work in practice. Clause 14 creates a new condition for the use of internet connection records by the intelligence services and the NCA. Broadly, this removes the need for exact times when seeking connection records, substituting time ranges. This seems acceptable, as long as the Minister can assure your Lordships’ House that this will still require Secretary of State and judicial commission approval.
Part 4 moves into the area of retention notices and away from issues covered by the report of the noble Lord, Lord Anderson. I believe that Clause 15 is focused on bringing inbound roaming on foreign SIM cards into the frame, so I would appreciate details of how this will work. For example, if I am in the UK using a SIM that I bought in Dubai from a UAE-based telecoms provider, how does the intelligence officer proceed?
Clause 20, as we have already heard from the noble Lord, Lord Coaker, is one that has already raised eyebrows in the industry. Proposed new subsection 258A requires telecoms operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively impact existing lawful access capabilities. In reality, this can include changes in encryption, a topic which has recently been on a rocky journey through the passage of the Online Safety Act. This Bill proposes a number of changes, building on the current regime set out in the 2016 Act, that relate to decryption of private messages for law enforcement purposes. In short, we believe the amendments would, or at least could, grant the Home Secretary more extensive powers to intervene in, and in some cases block, communications providers’ operational decisions, including enhancing privacy settings for users, with potential knock-on implications for end-to-end encryption on those services for everyone. I think more debate will be needed in this area.
There are other issues of timing, the possible length of a review, extraterritoriality and the level of judicial commission oversight at the notice level. I am sure I will be told by the Minister that this is a narrow interpretation, but it is an interpretation that has legs outside your Lordships’ Chamber. How will this power be used and what are the implications? Will we perhaps see British law officers beating a path to California to serve these notices? In a sense, how far does this go?
Finally, Part 5 invokes some interesting questions, some of which the noble Lord, Lord Coaker, has already asked and we will surely want to probe. We will want to introduce a requirement that the Investigatory Powers Commissioner is informed of, and records in their annual report, the number of warrants authorised each year to permit surveillance of Members of relevant domestic legislatures. For now, perhaps the Minister could tell your Lordships’ House what the process is for gaining permission to intercept and examine the Prime Minister’s communications.
We will also be probing two other important areas on which there is no time to expand today. The first is specific protections to avoid either cementing or introducing systemic bias against certain sections of the community from the AI models of the future that will be built as a result of this legislation. The second is the use of facial recognition technology on the back of the tools created using the low/no databases, a point that the noble Lord, Lord Coaker, raised.
To conclude, we are concerned that the Bill could push legislation further past the point of balance that we started to discuss. We need to ensure that judicial oversight extends right through the activities enabled by the Bill, and there should be no weakening on the encryption issue. I hope the Minister views this critique in the spirit of constructive support that I have sought to invoke, and I look forward to the rest of the debate and the further stages of the Bill. As he can see, our work will be built on the foundation that British residents have a right to expect privacy.
My Lords, I thank noble Lords who have referred kindly to my independent review of earlier this year, a short sequel to the much longer reviews, A Question of Trust and the Report of the Bulk Powers Review, that I was commissioned to conduct, with all-party agreement, in advance of the Investigatory Powers Act 2016.
Given the controversy surrounding electronic surveillance at that time, in the wake of Edward Snowden’s disclosures, the IPA had a remarkably smooth parliamentary passage—although I say that as someone who was outside Parliament at the time. I put that down to the detailed preparation that preceded that Bill, including reports from the ISC and from RUSI, and of course to the work of the draft Bill committee, chaired by the noble Lord, Lord Murphy of Torfaen, who I am delighted to see in his place. I remember being questioned by its members, including the noble Lord, Lord Strasburger, and Suella Fernandes MP, as she then was. That committee made 86 detailed recommendations, practically all of which found their way into the Act. How much time and testosterone can be saved—and was saved in that instance—by debating these important issues before a Bill is published in final form.
The IPA replicated and, indeed, enhanced the very considerable powers conferred by its predecessor, RIPA, on our intelligence agencies and police. However, its emphasis on transparency and effective oversight, in particular by the judge-led Investigatory Powers Commissioner’s Office—IPCO—with its excellent technical support, brought it into the modern age. I believe we have seen the tangible benefits of that in recent years; I will give three short examples.
The UN special rapporteur on the right to privacy, who had previously described our arrangements as “worse than scary”, reported in 2018 after an inspection visit to the UK that, thanks to the balance struck by the IPA, the UK
“can now justifiably reclaim its leadership role in Europe as well as globally”.
The English Court of Appeal overwhelmingly rejected an extensive series of challenges to the IPA in August this year, citing the authority of the European Court of Human Rights, which, rather more than the EU’s court in Luxembourg, has shown itself impressively ready to accept the use of bulk collection powers, properly safeguarded.
In addition, judicial approval of warrants, introduced here by the IPA but long familiar in North America, was instrumental in securing our data access agreement with the United States—a world first, which, given the American ownership of so many big internet platforms, is of particular significance to law enforcement on this side of the Atlantic.
Therefore, the IPA has been good for this country, including by helping to secure the international acceptance and co-operation that are ever more essential to the fight against organised crime and threats to national security.
However, the Minister is right to say that in limited areas, the IPA is in need of what I call running repairs. The Home Office invited me earlier this year to look at some of those areas which it had identified as in need of attention. Other parts of the Bill, including elements of Parts 1, 3 and 4, fell outside the scope of my review. In my report published in June, I largely accepted the Home Office diagnosis, although my prescriptions were in some respects different from its. In particular, in relation to the bulk dataset issues that occupy Part 1 of this Bill, I thought it important that the borderline between Part 7 and the proposed new Part 7A of the IPA, concerning datasets in which there is a low or no expectation of privacy, should be patrolled at the moment of decision not just by the intelligence agencies themselves but externally by independent judicial commissioners.
Since my report was submitted in April, there has been a convergence of views on this issue and on others, one of them in relation to the NCA and Clause 14, which was touched on by the noble Lord, Lord Coaker. I am grateful to the Security Minister and to the noble Lord, Lord Sharpe, for our discussions and the open spirit in which they took place.
The Minister knows that it has not always been my habit to give an unqualified welcome to Home Office Bills; judging from the Statement that was debated earlier this afternoon, I cannot guarantee that things will be any different in future.
I understand that Ministers like to come to this place with a few concessions in their back pocket, and there is no harm in that. But too often, elements of the Bills that arrive with us have a lopsided look; one suspects, rightly or wrongly, that they are the opening gambit in a concession strategy, whereby the energy of this House is occupied with the tabling and discussion of amendments, only for the Government eventually to concede what they had a good mind to do all along. This can be both frustrating and counterproductive; those who mistrust the Government see their worst fears confirmed by the initial version of the Bill, while those who trust them are reluctant to express that support, lest the ground be cut from under their feet.
It is to the credit of those concerned that I do not believe that such an approach has been taken with this Bill. No doubt it is capable of improvement; I welcome the challenges that have been made by NGOs and by the noble Lords, Lord Coaker and Lord Fox, not least because I was not able to consult in quite such specific terms as I would have liked on the proposals that were put to me by the Home Office. Indeed, there are a few points that I may seek to probe in Committee. But I consider that the Bill is an honest attempt to strike a fair balance in these difficult areas. We risk reversing the operational gains that it promises if we overload the Bill with unnecessary safeguards, or seek radically to reshape the judgments that it makes.
We need powerful weapons to combat the scourges of hostile state activity, terrorism, fraud, people trafficking and child sexual abuse, and we need to embed them in a strong framework that includes the gold standard of prior judicial authorisation for the most intrusive powers. This Bill gives us both those things, and we should not discard or devalue either.
History suggests that the lifespan of investigatory powers regimes is no more than 15 years or so, and technological developments mean that we are likely to be working towards a more fundamental revision of the IPA by the end of the decade, if not before. My report contains some ideas on what these technological developments are and how the process might be started, but for the time being I am glad that time has been found for this necessary Bill. I am happy to give it my support.
My Lords, I too thank the noble Lord, Lord Anderson of Ipswich, for his very helpful and excellent work in his area. With the rapid acceleration of technology and technological capacity, I recognise the need for this Bill to be updated. In this context, I welcome the Government’s sense of urgency in addressing the changing landscape in this area, and seeking to close those gaps that potentially endanger both the security and the safety of our nation. My right reverend friend the Bishop of Leeds had hoped to be here today, as he has taken a particular interest in this area, but he is detained elsewhere. We would both like to express two concerns that we believe must be addressed as this Bill is debated in your Lordships’ House.
First, the proposed amendments give the intelligence services vastly expanded powers not only to investigate individuals but to harvest and exploit vast amounts of personal data—not just of crime or terror suspects but of anyone. The collection of bulk datasets of personal details, including facial images and social media activity, is far reaching and potentially indiscriminate, so we must rightly be concerned about how effective any safeguards might be in controlling the power that such access gives to our intelligence services. The risks, particularly under a regime less ethically aware than those we are used to in this country thus far, are substantial. The weakening of safeguards risks endorsing the need for updating surveillance capacity, at the same time as threatening basic human freedoms.
Secondly, it has become clearer by the day that we are developing technical capacity well ahead of the ethical consideration of risk. Ethical thinking might well be deemed inconvenient by those who wish to forge ahead with greater advances and greater security provision. However, to fail to address ethical considerations now will simply leave us, at best, running fast to catch up later once the train has left the station and is already at full speed away in the far distance—and, at worst, having compromised personal and societal freedoms and having changed the nature of a free society.
The current proposals are likely to lead to a broad and vague definition of “public safety” in which the security and powers of the state in one area reduce essential personal freedoms. To that extent, I believe the helpful comments made by Big Brother Watch should be taken seriously and answered comprehensively if we are to be fully aware of the trade-off between two goods: public safety and personal privacy.
No one would wish to stand in the way of His Majesty’s Government’s intention to tackle terrorism, state threats, serious organised crime such as child sexual exploitation, illegal migration and fraud. These need to be faced head-on. The question is whether the proposed extensions contain sufficient safeguards to ensure that the mass of law-abiding citizens in a free society are not caught up in a form of mass surveillance in which they cannot trust that justice and privacy will be upheld.
When the Bill was first passed in 2016, the then Home Secretary said
“it is … right that these powers are subject to strict safeguards and rigorous oversight”.
It is essential that the Bill meets those conditions, but I worry that it does not do so in all places in its current form. We look forward to interrogating the Bill as we take it through its later stages.
That was an interesting speech by the right reverend Prelate the Bishop of St Albans, because he put his finger on the dilemma of any legislation like this: the balance between liberty as a subject on the one hand and the security of our citizens on the other. That has become increasingly complicated as the years have gone by.
As the noble Lord, Lord Anderson of Ipswich, has mentioned, I was asked by the then Home Secretary, Theresa May, to chair a Joint Committee of both Houses of Parliament to deal with the original Investigatory Powers Bill exactly eight years ago this week. She asked me because I had been chair of the Intelligence and Security Committee. We met for about three months and made 86 recommendations, nearly all of which were accepted by the Government. Those recommendations were nearly all about the balance between liberty and security, which the right reverend Prelate referred to. The committee had 57 witnesses, including the noble Lord, Lord Anderson, and 148 written submissions. The process that took place all those years ago was vital for this sort of Bill. For various reasons we have not had that, and perhaps we will come to that in Committee.
That balance is also reflected in the work of government. For example, when I was Northern Ireland Secretary I had to sign warrant after warrant to deprive our own citizens of their liberty. They did not know it, of course, but that is what we were doing. If we had not done so, the chances are that many hundreds if not thousands of people would have perished in Northern Ireland, and indeed in Britain, because of the way in which the intelligence services were able to infiltrate the IRA and the loyalist paramilitaries.
Of course, a major recommendation of that committee was to have a review of the legislation five years after the legislation had been finished in Parliament. We have been very fortunate that the noble Lord, Lord Anderson of Ipswich, has actually conducted that review. I read it on the weekend. It is a lot to read on a weekend—138 pages—but it is, although on a very difficult subject, a relatively easy read for lay people such as myself. It is thorough; it is full of common sense, and it is practical. In the absence of a pre-legislative committee of both Houses, the review has, in a way, replaced that. Without the noble Lord’s review, we might not have the same Bill in front of us as we do now.
I agree with every single one of the noble Lord’s recommendations and, indeed, in Committee, there may well be more recommendations that this House can put before the Government. I hope that we do not get into a situation where we have to vote on those, but that we can have proper discussions between Members of this House and the Government on what those might be. They could cover internet communications records, bulk personal datasets, the issue of telecommunications companies and their notification of changes in the way they operate—all these things are significant. I just want to touch on one, which is of interest to all of us in here, and that is how we deal with parliamentarians.
The Wilson doctrine is as old as Harold Wilson, of course: it was a long time ago that that happened. I understand that, because we now need three people, including the Prime Minister, to consider these matters, but if the Prime Minister is incapacitated—as Boris Johnson was when he had Covid at that time—what do you do? Presumably, you go to the Secretary of State to be able to deal with that issue. I think that is sensible, but I take my noble friend Lord Coaker’s point that it should not be just any Secretary of State. It should be confined to either the Foreign Secretary, the Home Secretary, the Defence Secretary or the Northern Ireland Secretary; in other words, Secretaries of State who have experience of dealing with warrants, because these are such hugely important matters.
I also want to take up the point that my noble friend made about the Intelligence and Security Committee itself. The Minister will answer whether the committee has been consulted on these proposals: if it has not, it should have been and if it has, it would be useful for us as parliamentarians to know what it said. That is of vital importance to us.
Clearly, we need to update how we deal with the evil and unpleasant people who threaten our security and our lives. The technological innovation in the past eight years has been absolutely dramatic and will get even more dramatic as the years go by. My noble friend mentioned China, the war in Ukraine and Russia, and all those other authoritarian countries that exist on our planet. That is going to get worse. He also mentioned how much more sophisticated criminals now are, so we have to keep up with all this. What struck me in the last six or seven weeks, in the horrific and terrible war that we now see in the Middle East, was that the intelligence services of Israel, which were notably good, obviously failed. It could have been that if they had worked, we might not have had the horror that we now see in the Holy Land. I support this Bill, but I also support it on the basis that it has had immense scrutiny from the noble Lord, Lord Anderson; but there is still work to be done and I look forward to debating it in Committee.
My Lords, I apologise before appearing—or, more precisely, not appearing—before your Lordships in this manner, but I understand that there has been a failure in the parliamentary network and I cannot appear in video; it was either by telephone or smoke signals, so I will settle for the phone.
I should begin by declaring my interest as chair of Big Brother Watch, which campaigns for the privacy and freedom of speech of the citizens of our country and seeks to protect them from unwarranted intrusion by the state into their lives and their data. Big Brother Watch has managed to rapidly prepare a briefing for parliamentarians about this Bill, and I commend it to Members of this House. It sets out five areas of concern, which I will cover later in my contribution.
However, Big Brother Watch had to work at pace to complete the briefing for this Second Reading because the Government published the Bill only on 8 November, just eight working days ago. I wonder what the reason could be for this rushed processing. Could it be that the Government want to avoid the thorough examination that this detailed and complex Bill needs? If so, the small number of Members who are ready to speak about it today—just 11, including the Minister—suggests that this strategy might have worked. Therefore, my first question for the Minister is to ask for an explanation of why so little time has been given to prepare for this Second Reading.
I sat on the Joint Committee that carried out the pre-legislative scrutiny of the original Investigatory Powers Bill in 2015 and 2016. The noble Lord, Lord Murphy of Torfaen, whom I am pleased to follow in this debate, was the chair of that committee and a very good job he did too. My view eight years ago was, and still is, that bulk data collection—that is, the interception or collection and indefinite storage of everybody’s innocent internet, phone and computer communication—is a serious intrusion on every citizen’s privacy and requires very strong judicial oversight.
Those who support this mass surveillance seek to reassure us by saying that if you have nothing to hide you have nothing to fear. However, in truth do we not all have something to hide that we would prefer to keep to ourselves? That is why we shut the toilet or bedroom door behind us. That is why we do not speak in public about troubling issues in our family or friendship circle such as addictions, unwanted pregnancies, financial woes and the like. There are some things that we just feel are private—the kind of information that, in the wrong hands, can be used to demean or blackmail any of us. That detailed knowledge about every individual in the country could be used by an unscrupulous Government—who are considering ignoring laws and treaties, for example, if that rings any bells. They could use it to identify all citizens of a particular religion, political persuasion, sexual proclivity or whatever, to single them out for disadvantageous treatment or worse—much worse.
The state is collecting this personal information about us all and we cannot predict who in a future Government will get their hands on it and might totally misuse it. All I can say with certainty is that East Germany’s Stasi would have thought that every day was Christmas if it could have laid its hands on such a rich source of intimate data about all its citizens. Therefore, we must achieve a balance between the privacy needs and rights of individual citizens and protection of those same citizens from terrorists and serious and organised crime. It is not an easy balance to get right. I fear that the Government are still erring in favour of capturing too much data about innocent citizens—of course, the vast majority of us.
There is another very strong reason for not engaging in the collection of everyone’s data. The problem is that the useful information about terrorism or organised crime gets buried in a blizzard of useless data about the vast majority of us who are innocently going about our lives. In 2016, the Joint Committee on the Draft Investigatory Powers Bill heard startling evidence about the problem that this causes for security services from a gentleman called Bill Binney, a retired technical director of the United States National Security Agency and a bit of a folk hero in the intelligence community because he predicted with great accuracy when the Russians would invade Afghanistan just by analysing the patterns of their military signals. However, later in his career Mr Binney concluded that the NSA’s policy of collecting the data of all American citizens was unconstitutional, so his team devised software called ThinThread. It used smart collection to pick out for inspection only the communications of known terrorists, those they were talking to—and who those people were talking to.
The management of the NSA instead chose to go down the road of collecting 100% of the data through a highly expensive project, Trailblazer—which was later abandoned—and ignoring Bill Binney’s method of giving the analysts a much smaller but richer and more relevant set of data. The consequence was that the NSA missed the data that it already had in its systems which would have alerted it to the plot to attack the twin towers on 9/11. If only the NSA had known that it had it and had looked at it. We know that the NSA did have it because shortly after 9/11, Mr Binney’s team ran its ThinThread software against the NSA’s database at the time of 9/11 and found six of the 9/11 conspirators and their command centres. Mr Binney shocked the committee by revealing that 9/11 could, and should, have been prevented—if only the American security analysts had not been swamped with useless information.
The price paid by the American people for their security services’ predilection for bulk data collection was very high indeed. Yet here we have in this Bill the continuation of that folly by our own intelligence services. I invite noble Lords to recall the terrorist attacks of the last 20 years and that, almost every time, it was later revealed that the perpetrators were known to the police or the intelligence services. Our people being swamped with irrelevant data must have contributed to the failure to further investigate these suspects before they acted.
The Government will no doubt argue that the advent of artificial intelligence makes it more possible for them to search for needles in haystacks. That may well be so, but some of that advantage will be negated by the massive explosion of data volumes they are now collecting from a wide variety of sources, especially social media and video. The fact remains that they are still holding, and have available for inquiry, huge amounts of data about all of us in this House and in this country—all of it at risk of being misused. Bill Binney’s solution was to immediately encrypt the 99.9% of the data that was of no interest to protect it from snooping, official or unofficial. In the UK we have none of that protection.
The Investigatory Powers Act, to the credit of the then Government, sought to reassure the public that there are limitations on the use of personal data by law enforcement and the security services, and how those limitations are policed. However, it is worth noting that it was also disclosed that several intrusive powers have been used on the British people for many years, without any such constraint. That was because they had been in use without the consent or even the knowledge of Parliament. If it had not been for the brave whistleblowing of Edward Snowden, the contractor to the American National Security Agency, the scandal of the UK’s surveillance powers would not have been revealed to Parliament and may never have been addressed.
We need an Edward Snowden-type whistleblower every few years to keep our security services and our Government honest, because the safeguards that are in place to ensure compliance by the security services and prevent misuse of these highly intrusive powers seem to be inadequate, as illustrated by the TechEn case. This was a very serious breach of the statutory safeguards in the Investigatory Powers Act and the Regulation of Investigatory Powers Act 2000. It was the subject of the scathing judgment against the Security Service and the Home Office by the Investigatory Powers Tribunal in January this year. MI5 admitted that it had been aware, since May 2016, that there was a very high risk it was in breach of its statutory obligations concerning the holding of personal data under both Acts. It also admitted that it should have immediately reported to the Investigatory Powers Tribunal but failed to do this for three years.
The Investigatory Powers Tribunal found that
“there were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards”—
that is, two years earlier than MI5 admitted—and that those failings should
“have been addressed … by the Management Board”.
It was also strongly critical of the Home Office’s failure to inquire further into MI5’s long-standing compliance failures, after being made aware of them several times since 2016. The tribunal found that the Secretary of State breached their duty to make adequate inquiries as to whether the statutory safeguards were being met, and that warrants were issued after late 2014, through to 5 April 2019, that were unlawful and did not meet the safeguarding requirements imposed by the Investigatory Powers Act and RIPA. Other breaches of the safeguards were alleged, but we do not know the tribunal’s verdict on them because they were covered only in the secret part of the judgment.
As the noble Lord, Lord Anderson, whom I also thank for this thorough review, points out:
“MI5’s previous non-compliance has led to it being the subject of particularly rigorous oversight by IPCO with four extraordinary inspections taking place in 2019”.
He later warns that the TechEn case is a
“salutary reminder of the principle underlying the IPA: that exceptional powers require strong and independent external oversight”.
We would do well to remember those words when we come to consider the Bill in detail. There is clear, authoritative evidence that all is not well with the compliance mechanism in the Investigatory Powers Act. Some of us predicted this during the Bill’s consideration in this House. We also called for judicial authorisation to manage the risk of these suspicionless electronic surveillance powers, which are on a scale never seen before in a democracy. Instead, the Government set up a much weaker double-lock system, and now we see the consequences. So my second and third questions for the Minister are: what are the Government’s plans to seriously improve compliance with the Investigatory Powers Act, and will they now recognise that the current supervision regime is failing and needs to be replaced with much stronger arrangements? On a related matter, my fourth question is: when will the Government introduce regulation of a highly intrusive technology that is running riot in policing and security with absolutely no rules, safeguards or oversight—namely, facial recognition?
I turn to this Bill. There are five primary concerns that will be covered in detail in future stages in this House. As has been discussed, it weakens the safeguards against the intelligence services collecting bulk datasets of personal information by potentially harvesting millions of facial images and mass social media data. The Bill’s creation of a vague and nebulous category of information where there is deemed to be a low or no reasonable expectation of privacy is a concerning departure from existing privacy law, in particular data protection law. Such an undefined category requires agencies that are motivated to process such data to adjust safeguards according to unqualified assertions about other people’s expectations of the privacy of their data. On the contrary, data protection law is constructed according to the sensitivity of the information rather than guesswork about the individual’s expectation of privacy concerning personal information. In my view, this provision needs to be worded more tightly.
It weakens safeguards when authorities harvest communications data—for example, membership of and Facebook posts to a racial equality group could be seen as data available to a section of the public as defined in this Bill, and therefore the authorities may wrongly believe that they consequently possess lawful authority to obtain associated communications data from the platform. Once again, more precise wording is needed.
Thirdly, it expressly permits the harvesting and processing of internet connection records for generalised mass surveillance, which is a much wider purpose than originally envisioned.
Fourthly, it increases the number of politicians who can authorise the surveillance of British parliamentarians and members of other domestic legislative bodies. Politicians are not above the law but, given their important constitutional role, spying on them must require the highest authority—namely, that of the Prime Minister.
Fifthly and finally, it attempts to force technology companies, including those overseas, to inform the Government of any plans to improve security or privacy measures on their platforms so that the Government can consider serving a notice to prevent such changes. I am sorry to say that the Government must be suffering from delusions of grandeur if they think that Apple, for example, will agree to desist from improving the privacy protection of its products or to produce an iPhone with downgraded privacy features especially for the UK. Superior privacy for its customers is one of Apple’s main selling features, and it is not going to forfeit that to please the current Government in a small part of its worldwide market.
We have much to discuss when this Bill reaches its Committee stage. In the meantime I look forward to hearing the Minister’s response to my four questions at the end of this debate.
Not at all.
My Lords, I do not intend to make a long speech. This Bill proposes an important but, I suggest, relatively modest updating of the existing authorisation regime for the use of surveillance powers. It is also based on the excellent and clear review undertaken by the noble Lord, Lord Anderson, who has been thanked many times already and to whom I also give my thanks. His expertise and good judgment in these areas is widely acknowledged, not least within the police and intelligence agencies themselves.
The Investigatory Powers Act 2016 was significant in that it brought the authorisation of surveillance powers into the modern, digital age. Before the 2016 Act, the legal justification for surveillance was achieved by stretching and interpreting laws from an earlier era to cope with new conditions. The 2016 Act addressed modern needs directly with an unprecedented degree of frankness about what was actually possible and necessary. The Act also recognised the highly intrusive nature of investigatory powers that were being authorised and therefore matched those intrusive powers with strong and independent oversight mechanisms.
I respectfully disagree with the right reverend Prelate the Bishop of St Albans: I do not believe the Bill vastly expands the powers of the intelligence agencies. In some areas, it introduces more controls, but it is also very careful to balance any powers with independent oversight. The noble Lord, Lord Strasburger, helpfully drew our attention to the effectiveness of independent oversight where problems have arisen, and he demonstrated that the agencies are drawing attention to areas of failure and that the oversight mechanisms are making the appropriate decisions as to what needs to be done about it. I reassure the right reverend Prelate the Bishop of St Albans that, certainly in my experience, the agencies are extremely conscious of the ethical dimension of their work. In terms of both their external relationship with oversight bodies and their internal discussions, ethical factors are strongly considered and taken seriously.
We are all aware of the speed with which data capabilities, new platforms and artificial intelligence as a whole are developing. It is important that the law should be updated from time to time to keep up with the art of the possible. Data is at least as important as interception when it comes to preventing the very real security threats that we face from causing damage. If we do not update the law, one of two things will happen: either security will be put at risk, or those using the powers will rely on an increasingly creative and elaborate interpretation of the law to keep up with a new situation. We cannot operate within old legislation; neither of those alternatives is desirable, so a new Act is needed.
The key proposals in the Bill seem to be the new regime for bulk datasets and the arrangements for bulk datasets held by third parties but to which the intelligence agencies have access. Neither of these proposals involves a significant increase of intrusion into individual privacy, and in each case, tough oversight controls remain in place. On bulk personal datasets, the 2016 Act created what, in retrospect, appears to be a rather odd situation where the intelligence agencies are not able to use completely open data—such as Wikipedia data—without quite stringent authorisation, but which any member of the public can access without permission. A police force can also access that data without restriction. Our close intelligence allies can do so too, but our own security and intelligence agencies cannot. The same constraints apply for historical or open datasets of the sort that are needed to train artificial intelligence systems to operate effectively.
I cannot think of any good reason why these constraints are needed in their current form, and they have a negative impact on the speed and flexibility with which the agencies can respond to threats. I am therefore glad to see that the Government’s proposals for a less restrictive approach to datasets where there is no or low expectation of privacy have been included. The Investigatory Powers Commissioner will continue to police the low/no boundary so that there is no risk that the less stringent regime will be misapplied or that there will be any form of mission creep. I therefore support the Government’s proposals.
On third-party datasets, the situation appears to some extent to have been reversed, in that access to sensitive data held by third parties is currently not covered by as stringent a regime. This appears to be a small loophole in the 2016 regime, and it is right that access to such datasets should be brought within the authorisation regime, as the Bill proposes. Events since the 2016 Act, including the war in Ukraine, increased state threats and political interference and recent terrible events in the Middle East all mean that the security threats that we face and from which the intelligence agencies help to protect us are at least as acute today as they were seven years ago. At the same time, the technical environment within which the agencies work has changed very fast, and it is right that we should update the legislation that enables them to succeed in their work. I therefore support the proposals in the Bill.
My Lords, I apologise to the noble Lord, Lord Evans: my enthusiasm to reinforce the contribution of the noble Lord, Lord Strasburger, who I think made many important points in this debate, got me carried away.
I am delighted to present the Green Party’s position on this Bill. I am very aware of the depth of expertise in this debate, but I reinforce the comments of the noble Lord, Lord Strasburger, in reflecting on the narrowness of the contributions and the short time your Lordships’ House has had to absorb this Bill. I note that I am the only female contributor on the speakers’ list for this debate, which is perhaps one measure of the lack of diversity of views that have been able to participate. I also note that we are talking about further strengthening the Investigatory Powers Act, which, when it was brought in in 2016, was known universally as the snoopers’ charter. Liberty described it as
“the most intrusive mass surveillance regime of any democratic country”.
Since then, a number of court cases brought by Liberty have brought in some restrictions in terms of the operations of the Act, which I very much applaud, but the Act was also subject to a petition from 130,000 people to speak out against the snoopers’ charter. Of course, the speed at which we are operating now makes it very difficult to get such level of public engagement as we saw in 2016.
We are talking about a further erosion of privacy and, as many noble Lords have said, this is a question of balance, but we are tilting the balance very clearly with these amendments to the snoopers’ charter. What is particularly worrying is that this Bill is about granting the security services access to bulk data, which will clearly be used to build what are known as artificial intelligence machine learning models. In essence, the Bill lays the foundation for the Government to use rapidly developing artificial intelligence—so-called; I prefer to call it big data wrangling—in mass surveillance. Not only does this have huge ethical ramifications, but its adoption in surveillance would be extremely irresponsible, given that we do not know how these technologies are going to evolve in future. We have talked about trying to keep up with where they are, but we are potentially opening the door to let them race ahead much further than we can currently comprehend, as we stand in the House today.
In other contexts I have drawn to your Lordships’ attention the rapid increase of privatised medical testing and the widespread advertising of it that we have seen. The noble Lord, Lord Fox, referred to genomic data. What is being assembled is a huge amount of intensely private information about individuals, and if that is then to be opened and exposed to the state on a mass, untargeted basis, that surely is cause for grave concern.
The Bill gives the Government unprecedented powers to monitor and target the entire British population and lays the foundation for use of artificial intelligence in surveillance. This is indiscriminate surveillance. Anyone can be monitored, regardless of whether they are a suspect. This is a complete assault on our right to privacy and raises a real question to ask about the Universal Declaration of Human Rights.
Coming down to some of the detail, Clauses 1 to 4 allow for the mass trawling of social media and for the Government to collect data from every person’s web use, and Clause 14 allows the Government to obtain information from companies around every person’s web use—whereas, before, they were able to look only at specific data. In addition, the potential use of artificial intelligence as part of this Bill means that the Government could in theory identify everyone who is behind every single anonymous social media account, meaning that nobody would have anonymity online.
I am well aware that many people express concerns about anonymity and the behaviour of anonymous accounts online. Here I declare my position as co-chair of the All-Party Parliamentary Group on Hong Kong. I am delighted that the UK has welcomed many exiles from Hong Kong who have sought refuge in the UK, but they remain deeply fearful about the very long arm of the Chinese state. Similarly, we have seen that many Russians have had good cause for concern about the long arm of the Russia state, which, despite the best efforts of our intelligence service, has proved itself capable of reaching within our borders. Anonymity is crucial to some people’s safety in the world. Lest we think of this as being just about states regarded as hostile by the UK Government, let us all remember the fate of Jamal Khashoggi and the actions of our friend and ally Saudi Arabia in his horrific death.
The widespread use of surveillance means that this Bill would push the UK further away from what are considered democratic norms. What is more, as a number of other speakers have already said, this blanket surveillance is not necessarily effective. There is a real risk that, the more information you collect, the harder it is to see the needles in the haystack. This Bill erases some of the checks and balances already in place.
We have seen how far this can go. Again, looking on the international stage—what China is doing to its Uighur population, what it has done in Tibet, and what is happening in Burma—these are situations where the more surveillance there is, the more issues arise. If the UK is heading in the wrong direction, what kind of model are we creating on the international stage? The UK likes to present itself as a leader, a model of democracy, speaking up for democracy in international contexts. We must not be a leader in allowing further steps towards autocracy.
I think it was the noble Lord, Lord Coaker, who spoke of how these technologies have often been used in discriminatory ways. We know that the police, certainly, have unfairly singled out people based on their identity, and that has had dangerous, damaging consequences, both in relation to the treatment of individuals and in relation to communities’ views of the police and our security services. If artificial intelligence is added into this mix, we know that there are built-in biases in the way in which the databases have been developed, and that is a real issue.
We also know—I declare an interest here—that the police and security services in the UK have made disproportionate efforts to monitor politically active individuals, trade unionists and whistleblowers. Providing the police and the security services with greater surveillance capacities means that people who are acting democratically in our society could be—in fact, almost certainly will be—subjected to further unwarranted surveillance. As a number of other noble Lords have said, the fact that Part 5 of the Bill allows further extension of the Prime Minister’s powers to approve interception and examination of MPs’ communications is a cause for grave concern.
To conclude, I will share an experience from the weekend. On Saturday, I was at a protest against the proposed new coal mine in Whitehaven in Cumbria, which is opposed by, among others in your Lordships’ House, the noble Lord, Lord Stern of Brentford. He made similar points to mine about the messages we are sending to the international community. The slogan was “No Time for a Coal Mine”. At that protest, there were 100 or so supporters, and the four of us who were speaking had all advertised this fact on social media beforehand. For nearly all the two and a half hours we were there, flying above us was what I am told was a police drone. There were at this protest of 100 people—all advertised and entirely peaceful with no plans for direct action—at least six police officers, one of whom filmed my contribution and all the other contributions. That is the experience of people peacefully protesting within the UK.
There was another story at the weekend that 15 government departments are monitoring the social media activity of potential critics and compiling files to block them from speaking at public events. This is the experience that people have of the UK state today. We have savage reductions in the right to protest; we have deeply concerning directions of travel, and the Bill is a further step in that direction.
My Lords, stimulation comes in many forms, so I think I can say, without any disingenuousness, that it is stimulating to follow the noble Baroness, Lady Bennett. Having heard her and the noble Lord, Lord Strasburger, I feel that I should start with a bit of my own experience, that of dealing with those extraordinary and usually highly intelligent people who work in the various security services. It is outrageous to assume that they would look into an individual’s credit card transactions or anything like that in the way that has been implied by at least two speeches that we have heard. I believe—indeed, I know—that their contributions have been key to the introduction of this Bill and that they have done it with intellectual integrity and with only one thing in their mind: the interests of their country, in which they live. Listening to the noble Baroness, I have a fear that she and I, at least in our minds, live in completely different countries.
The noble Lord, Lord Strasburger, expressed some extraordinary conspiracy theories which just do not exist and which, in my judgment, are—I hesitate to use the word, but I will—misleading. Both the speakers to whom I have referred have been on a safari into irrelevant issues which are not pertinent to the reality of what we are discussing. In the years since 9/11, the date on which I became the Independent Reviewer of Terrorism Legislation—to be succeeded some years later by the brilliance of the noble Lord, Lord Anderson of Ipswich—various Governments all over the world have been challenged repeatedly by both evolving change and unexpected events affecting the terrorist threat landscape.
I suggest that the amount of legislation we have had since 9/11 has reached the point at which the Government should give consideration to a consolidation Bill, a codification in which all counterterrorism, interception and counterextremism legislation is included so that we have a living instrument to which lawyers, police officers, the security services and, of course, parliamentarians concerned can refer—a single place in which all this legislation is kept. This Bill is an example in some parts of the way in which extra legislation is being added piecemeal, although it is fair to say that legislation.gov.uk at least tries to include in Bills, if looked up online, the additional parts that have been created. It really is a time for codification, and the template for that is the Sentencing Code, which was created by Professor Ormerod when he was at the Law Commission.
I used the phrase “terrorism threat landscape” deliberately. Terrorism and related forms of extremism have morphed into one of the major and enduring geopolitical issues. It started with the word “terrorism”, but, since 9/11, these issues have become part of the defence and national security policies in every single country, including our own. It was a surprise when national security originally appeared as part of the defence strategy, but it is now completely established in that context.
Attempts to disrupt the stability of sovereign Governments, sovereign Governments themselves disrupting other Governments and the rise of new international factions are all matters that affect our debate; we have to understand the context of what we are considering. I thank the Minister for ensuring that your Lordships have been fully informed and have been given plenty of time; this has been a matter of discussion for a long time. My noble friend Lord Anderson reported some time ago on the background and primary considerations behind the Bill; I too add my special thanks to him for his excellent, detailed report, which is the foundation of the Bill.
Let us consider the context. The first responsibility of our Government is to keep their citizens safe and free to go about their legitimate business and interests. When we go to a concert, as in Manchester, for example, or to a shopping centre, again, as in Manchester, or come and go to this Parliament, along the streets outside without disturbance, which has not been everyone’s experience in recent days, we should be kept as free and safe from the terrorism threat as is possible within the legitimate constraints we set ourselves as a free society. That does not mean that we should resile for one minute from what we rightly regard as fundamental freedoms, but how fundamental those freedoms are is open to argument based on the assessment of proportionality that was mentioned earlier.
In that context—specifically in connection with bulk data, a major part of the Bill—we need to be realistic. In the years since some of us first handled house brick-sized mobile telephones that slotted into racks in our cars—at the time, I was a Member of the other place—we have ourselves given away, to a wide audience, private matters that, in the past, were closely protected. When we—the middle-aged and older men here, for example—buy clothes online, we give away details of our anatomy, including our shoe and waist sizes. That the security services have any interest in that sort of thing is a myth, but we have given away a huge amount of our information. To allow the state to use that information to catch terrorists seems to me to be a reasonable balance, if that use is circumscribed by the high level of judicial protection that the Bill provides and, in some respects, enhances.
When we speak about bulk data, we should bear in the mind the donation we have made of information, sometimes our most intimate details, and we should reflect on the public interest in allowing the authorities, subject to the protections built into the Bill, to use that bulk data—even the meta data that tells them when we made our calls and to whom, and from whom, they have occurred—to carry out their prime duty to protect the public. Maybe, from time to time, there will be people whose information has been mistakenly or improperly prepared, but they are provided, in this country and in this Bill, with greater legal protections than in any other country that I know.
This is an appropriate and good Bill. The Committee should not be distracted by mythology; it should seek to make the Bill better—but within its existing context.
Will your Lordships allow me to speak in the gap? I had not intended to speak in this debate because I knew that my noble friend Lord Evans is more up to date than me. I think my noble friend Lord Anderson has had enough praise already, but I shall add a bit. I promote the noble Baroness, Lady Bennett, because nobody else of her gender was going to speak in this debate. I shall make a few comments on the things that have been said. The noble Lord, Lord Murphy, talked about the balance between liberty and security. Of course that is an issue, but there is no liberty without security. Without making sure that our electoral proceedings, our secrets and our citizens, whether shopping or going on the Tube, have safety in their lives, there is no real liberty. I think sometimes it is an artificial distinction.
I noticed that my noble friend Lord Evans and my successor but one, Ken McCallum, the current head of MI5, gave a public speech in California recently at the Five Eyes conference—a first—and it was reported. There were three things he talked about as really at the top of his concerns: first, whether arising out of the tragic events in the Middle East there would be a resurgence of terrorism in that area; secondly, cyber; and thirdly, the threat to our democracy, including our electoral process, from various states. It is not an accident that the law governing the Security Service emphasises that it is there to protect parliamentary democracy. I find quite strange the idea that it is a threat to it.
I would also like to, I am afraid, dismiss as ignorant the spurious argument that having too much information means that you do not find the people you should have found. As my noble friend has said, you can know of people in this country, and MI5 will know some about whom it has significant concerns, but it does not know what they will do. It is also constrained, rightly so, by the law, and cannot suggest to the police that they arrest people unless there is a good case to do so, any more than it can mount intrusive surveillance unless there is a good case to do so.
The final point I would make in endorsing again what my noble friend has said is that my colleagues in the service and in the other agencies were very conscious that the law gives us powers that are not given to the normal citizen. The Murdoch press occasionally took them with the interception of phones, but they are not given to the normal citizen. They are given to the agencies and the police within the law. Precisely because they are not normal abilities to intrude into people’s privacy, that work has to be done with great care to the highest ethical standards and only when proportionate and necessary. Excuse me for delaying the conclusion of this important debate, but I did not think I could sit patiently and not make those remarks.
My Lords, I think the whole House will be grateful for the noble Baroness’s intervention speaking in the gap. I thank the Minister for facilitating the briefings which we have had and will have in the coming days on the Bill.
The Bill makes changes to the 2016 Act, as we have heard. The 2016 Act provides a framework for the use of investigatory powers by the security and intelligence agencies, law enforcement and other public authorities. They include the power to obtain and retain communications. It also created the post of Investigatory Powers Commissioner and includes a number of safeguards for the use of such investigatory powers, including a two-stage procedure for obtaining authorisations. Many of the powers in the 2016 Act were pre-existing, as we have heard, and already being used by intelligence and law enforcement agencies. The Government stated that one of the intentions behind introducing the 2016 Act was to bring together and build on the statutory powers already available. The Government explained that the Act was also required to replace emergency legislation passed in 2014, the Data Retention and Investigatory Powers Act, which was subject to a sunset clause.
I agreed with the point made by the noble Lord, Lord Carlile, about the desirability of developing some sort of living instrument and a consolidation Bill to try to bring these pieces of legislation together.
The Bill before us proposes changes which include the creation of a new condition for the use of internet connection records to aid target detection, introducing a less stringent regulatory regime for the retention and examination of bulk personal datasets where individuals have little or no expectation of privacy, and a new notification requirement that can be issued to selected telecommunications operators, requiring them to inform the Government of proposed changes to their products and services that could negatively impact the current ability of agencies to lawfully access data.
I was going to say something about the contributions of the noble Lord, Lord Anderson, to the review of this legislation. My understanding is that all the noble Lord’s recommendations have been accepted by the Government, and I too express the Opposition Front Bench’s gratitude for the work he has done on this.
The Bill is a relatively short Bill of six parts, 31 clauses, and two schedules. I was going to step through its various elements, but I will not do that because it has been adequately covered by speakers earlier in this debate.
Like other noble Lords, I have received emails from industry and advocacy groups raising concerns about the Bill. On 7 November, a Financial Times piece reported that firms, including Apple and Meta, have signalled that they may withdraw from the UK market if they can no longer offer end-to-end encryption to their customers. I will quote from the concluding paragraph of a letter I received from Apple:
“The Home Office’s proposals to expand the IPA’s extraterritorial reach and to grant itself the power to pre-clear and block emerging security technologies constitute a serious and direct threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, the Home Office’s proposal should be rejected”.
The piece, which I am sure we all received, then went on to explain their concerns about providing what they refer to as a back door into end-to-end encryption, and how that undermines the firms’ business model and the security of many other groups operating elsewhere in the world. It is right that we take the points raised by these commercial providers seriously, and maybe we will address them as the Bill progresses.
Similarly, online privacy advocacy groups such as Open Rights Group and Big Brother Watch have expressed their concerns, and we have heard from the noble Lord, Lord Strasburger, and the noble Baroness, Lady Bennett, today. It is worth saying that I agreed with every word of the noble Lord, Lord Carlile, when he said that he and I live in a different country from that spoken about by the noble Lord and the noble Baroness. We need to consider the concerns being addressed in the Bill, but also the wider context that other countries and other very large companies have access to bulk datasets—maybe not our bulk datasets—and are using that data in ways that we need to understand and pre-empt, if they are working against our national interest.
I conclude by talking about my own experience as an engineer, which is relevant to the debate we have just had. It used to be my working life to deal with very large datasets, make predictions based on them, and inform management about those predictions. One of my experiences was that it is very easy to mislead oneself because one is analysing large amounts of data. One needs to be realistic and at the same time see the possibilities of these extremely large datasets. It is a huge challenge. Huge amounts of data are used just to process them, and the maths and the imagination behind it is developing as we speak. The Bill in front of us now is a relatively modest step in the road, and we need to keep reviewing the processes available to us and reviewing the legislation to try to underpin them.
My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.
The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.
I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.
I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.
For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.
The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.
On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.
In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.
Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.
These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.
The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.
The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.
On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.
None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.
These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.
The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.
On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.
On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.
The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.
I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.
Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.
Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.
The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.
On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.
The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that
“The safeguards contained within that Act are capable of preventing abuse”.
While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.
I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,
“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].
Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.
Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.
The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.
I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.
That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:
Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.
(1 year ago)
Lords ChamberMy Lords, before I get to the specifics of my Amendment 1, I will make some general remarks. I thank the Minister and all his officials for their very helpful briefing and the collaborative way in which they have approached the Bill. As he knows, we support the Bill, but we will seek clarification and further information about a number of clauses and the details in them.
It is important for me to say that this is the Committee stage, so some significant details will be explored that will be helpful to us. Indeed, on my own part, there may be one or two misunderstandings as to the actual meaning of certain parts of the Bill. None the less, it is an important Bill and an important step forward for our country and its security; I think we all want to see it be as successful as it can be.
This group of amendments deals with bulk personal datasets. These include personal data where a large majority of people included will not necessarily be relevant to an intelligence investigation. Currently, all BPD warrants must go through a double-lock process of approval via the Secretary of State and then a judicial commissioner, and must be renewed every six months. Agency heads must also perform certain functions associated with the warrant.
As the importance of data-based intelligence grows, the Bill rightly includes several measures to make it easier and quicker to analyse various datasets. Individual BPDs considered to have a low or no expectation of privacy could be approved by intelligence agency heads if urgent or if they fall into a category approved by a judicial commissioner. For urgent cases, judicial commissioners have three days to review the warrant.
BPD warrants will need to be renewed only after 12 months, instead of six, which seems sensible. Some functions can be delegated from heads of agencies to an official while maintaining overall responsibility. The Bill also ensures that third-party BPDs—mostly commercially held data—are regulated similarly to other BPDs. The double lock of the Secretary of State and the judicial commissioner would remain for all BPDs, apart from ones considered urgent by the Secretary of State. For urgent cases, a judicial commissioner would have three days to review the warrant. Again, much of that is very sensible and improves the current situation.
I tabled my amendments in the spirit of probing what the Government mean, and I will ask some questions for clarity. Amendment 1 probes why the definition of low-privacy datasets differs from existing data protection legislation. Being the sort of person I am, yesterday I read the relevant section of the Data Protection Act 2018. It differs from Clause 2, where the Minister lays out:
“Low or no reasonable expectation of privacy”
for authorisations and the various factors to be taken into account. Given that the Data Protection Act also talks about access to data, about intelligence services having to have consent and about intelligence agencies having various conditions applied to them when seeking authorisations to access data, it would be helpful to the Committee to understand which applies to the authorisations and how the various pieces of legislation interact with each other. Otherwise, we have what is included in this Bill as well as what is included in the Data Protection Act 2018. Amendment 1 seeks to understand where and how the two relate to each other, whether one supersedes the other and whether the Data Protection Act is now irrelevant to the authorisations laid out in the Bill. It would be helpful for us to understand that.
I rise to speak to Amendment 2 and several others in this group in my name. This amendment probes the extent to which paragraphs (d) and (e) of proposed new Section 226A(3) depart from current privacy laws. Like the noble Lord, Lord Coaker, we seek clarification. Also like the noble Lord, as far as we are concerned the purpose of this Committee is to probe, get information and understand how the Government interpret some of the measures in the Bill.
Bulk personal datasets represent the largest part of the Bill, and this amendment primarily probes the differences in the definitions in the Bill and those set out in Schedule 10 to the Data Protection Act 2018. The Bill creates a new and essentially undefined category of information where there is deemed to be low or no reasonable expectation of privacy: so-called low/no datasets. This is a departure from existing privacy law, in particular data protection law. With regard to low-privacy bulk datasets, the relevant circumstance, in Schedule 10 to the DPA, is that
“information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”.
This is a different standard from the expectation of privacy in the new BPD category, whereby information is considered low privacy according to
“the extent to which the data is widely known about”
and if it
“has already been used in the public domain”.
As your Lordships will observe, there is a big difference between those two definitions. For example, whereas facial images from public CCTV may be considered low-privacy BPD under the Bill, they would be considered personal data and possibly subject to sensitive processing under the DPA. As the Minister knows, this is a contentious area of law, and a real-life example is Clearview AI’s database of 30 billion facial images harvested from social media platforms for highly facial recognition searches. Some could have been classified as low privacy, as the photos have already been made public by the individuals, but the Information Commissioner’s Office found Clearview AI in breach of the DPA.
Similarly, a database of all public Facebook or other social media posts could be argued to be a low-privacy database, despite the fact that it will be a comprehensive database of billions of people’s social networks, sexual orientations, political opinions, religion, health status and so on. Under the DPA, much of this data qualifies as sensitive personal data, incurring extra protections when it comes to retention and processing, regardless of whether the information can be considered to have been made public.
The DPA would still apply to the intelligence agencies in processing—at least, that is our view, and we would like to like the Minister to comment on that—but under the Bill as drafted the contradictory standards would also apply. How do these two standards work together? I assume the department has looked at the likelihood of possible challenges to this new category of data, and indeed the likelihood of such challenges being successful, so it would be helpful if the Minister could enlighten us in that regard.
Schedule 10 to the DPA sets out circumstances in which the agencies can conduct sensitive processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health or sexual orientation; biometric or genetic data that uniquely identifies an individual; and data regarding an alleged offence by an individual. Does Schedule 10 apply in the case of data identified as “low” or “no” by the Bill?
An example highlighting the potential divergence is data that has been hacked and then leaked out. While not deliberately made public, as per the DPA requirement, it is arguably public and available in the public domain. What is the Minister’s view as to how the Bill regards that sort of data in a low/no context? To test this, the amendment seeks to strengthen the condition in proposed new Section 226A(3)(b) by aligning it with the test in the Data Protection Act for sensitive processing. Data protection law is currently constructed according to the sensitivity of information rather than the individual’s expectations of privacy concerning personal information. As we know, expectations differ greatly from reality, and from person to person. The central questions this poses are: why does the new Bill deviate from Schedule 10 to the DPA, and how will the DPA and the IP work together using the new definition of this Bill?
We are debating a small number of quite large groups today which, unfortunately, means that quite a number of my amendments appear one after another. I will speak as briefly as I can, but I am afraid there is quite a lot of detail coming up. I will speak first to Amendments 4, 5, 6 and 7. Amendment 4 probes the purpose for which bulk datasets will be used by the intelligence services. Amendments 5 and 6 probe the circumstances in which an authorisation is urgent and therefore not authorised in advance by a judicial commissioner. Amendment 7 would require the person granting an authorisation in urgent cases to immediately notify the judicial commissioner that they have done so.
These amendments are similar in purpose and spirit to Amendment 3 from the noble Lord, Lord Anderson, which I have co-signed and support. The basic explanation from the Government for proposed new Part 7A has been that these datasets are needed to train tools using machine learning and that they already exist and are being used in the commercial world, but the Part 7 process makes them difficult for the intelligence services to use. If training AI tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations.
In that regard, proposed new Section 226BC refers to a “relevant period” of three working days between the acquisition of the urgent data and the granting of full judicial approval, giving the relevant service three days to work with data and information that might eventually be ruled out of bounds by the judicial commissioner. All the amendments are intended to understand how Part 7A is to be used in operations, rather than tool training, and what urgent circumstances are envisioned that would negate the need for prior JC approval of an authorisation.
Amendment 4 seeks to restrict the application of Part 7A powers to training and learning functions of the intelligence services, meaning that operational purposes would be excluded. This is designed to get the Minister to explain the operational needs which define an urgent need.
Amendment 5 removes the ability of a person to grant an authorisation if there is an urgent need. Clearly, this gives the Minister a chance to justify why such data might be operationally needed. Amendment 6 provides a definition of what might be considered “urgent circumstances”. The Minister might want to contribute a different definition, but we feel the definition of “urgent” should be included in the Bill. Amendment 7 provides an additional safeguard by requiring a JC to be notified immediately where an authorisation has been granted in an urgent case. This essentially creates an opportunity to close the potential gap between when the data is deployed and when the JC rules on its admissibility—but not, of course, removing the gap entirely.
My Lords, I welcomed this Bill at Second Reading, and the warmth of my welcome has not diminished. However, I am pleased to see so many amendments down to Part 1. As the noble Lord, Lord Fox, has said, the new rules for certain bulk personal datasets do not displace or dilute the currently applicable protections under the Data Protection Act, but they are probably the most operationally significant of the changes that we are looking at, and therefore can only benefit from careful scrutiny of the kind that noble Lords have so enthusiastically invited.
I have one general comment. Despite some of the kind words that were said about my report at Second Reading, I was not asked to design this Bill from scratch, nor to comment on anything as precise as a provisional text. Rather, my task was to assess proposals that were put forward by government and that in some cases evolved during the currency of my review. Although I did run a consultation as part of my review, its value was reduced by the rather limited amount I was able to say about the Part 1 proposals and some of the others. So although I did receive a handful of very helpful responses, there will certainly be points that did not occur to me and to which others were not able to alert me. The Bill is also, of course, in some respects more detailed than my recommendations. I look forward to hearing the Minister’s response to the various amendments in this group.
I will say a quick word about each of the amendments in my own name; there are only two. My probing Amendment 3 I offer to the Government as a Christmas present, as I thought it might suit them. If for any reason they do not like it—and I suspect they may not—then that is up to them; we can hardly force it on them. The background is this: it seemed to me that the question of whether individuals have a low, or no, expectation of privacy might depend in part on the use to which the datasets will be put. If, for example, an agency were prepared to commit to using a dataset only for training a large language model and not for operational purposes, perhaps that might be one of the factors pointing towards a low/no classification. The agencies and the Government politely explained to me—if I paraphrase correctly—that this was not a very practical suggestion, so I did not push it further, save to mention the point in paragraph 3.51 of my report.
Sure enough, the anticipated use of a dataset is not one of the factors listed in new Section 226A(3), where the factors are set out. But turn over the page to new Section 226BA, which deals with category authorisations, and there you see in subsection (3) that a category authorisation may describe a category of BPDs by reference to—among other things—
“the use to which the data will be put”.
My question to the Minister is simply this: if the use to which a dataset will be put can be relevant to the formulation of a category of low/no datasets, then why is it not relevant to the assessment of an individual dataset as low/no or otherwise? The Minister’s answer may be that the list in new Section 226A(3) is not exhaustive and that there is no reason why intended use should not be one of the circumstances taken into account under subsection (2) when considering whether a BPD is low/no. In that case, can he explain why intended use is not mentioned in new Section 226A when it is mentioned in new Section 226BA?
My Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.
Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to
“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.
However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.
The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.
Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has
“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.]
as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.
The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.
I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.
Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.
Amendment 12 is consequential on the amendments that I have just talked about.
I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.
This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.
While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.
My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.
The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.
Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.
I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.
My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:
“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.
What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, that the Christmas present of noble Lord, Lord Anderson, is already there as already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.
My Lords, I support my noble friends Lord Coaker and Lord West with regard to the Intelligence and Security Committee amendments. In 2005, when I became the chair of the Intelligence and Security Committee, nearly two decades had passed since the committee originally started life, when people did not really understand what it was all about. It had not been accepted, particularly, by agencies or by the Government, but over those 20 years, it became accepted. After I left, in 2007, even more changes to the powers and responsibilities of the committee were made, to such an extent that the ISC is now a significant and serious part of our constitutional landscape. But I fear that, over the last number of years, that has slightly declined.
I understand, for example, that the ISC has not met a Prime Minister—there have been lots of them, of course—over the last number of years, nearly a decade. Certainly, when I chaired it, we met the Prime Minister every year or so. It is an indication, I suspect, of what the Government think about it if they do not see it as so important as to meet the head of the Government now and again. I hope that is wrong, but I am sure the Minister will enlighten the House later as to what he and the Government think about the importance of the ISC. It is hugely significant; it is serious.
I shall move briefly on to the significance of the ISC with regard to the passage of the original Investigatory Powers Act, some years ago now, in 2015-16. I had the privilege of chairing the Joint Committee of both Houses on that Bill, and the ISC simultaneously was taking a huge interest in what it contained. For example, I met the then chair of the ISC, Dominic Grieve KC, and the committee itself produced a report on how it thought the original Act could be improved. I just hope that this small but important Bill—which I entirely support, by the way—mirrors what happened to the original Bill, so that the Government can indeed meet the ISC, at a ministerial level and at an official level, and have a proper dialogue as to how they see the ISC working after the Bill goes into law. I hope I can get some assurances from the Minister that that will happen.
It is an important Bill, the ISC is an important body, and they should operate together in a very special way. I wholly support the Bill, but I support the amendments from my two noble friends.
My Lords, it is a pleasure to follow the noble Lord, Lord Murphy, who has served with such distinction on the issues we are discussing this afternoon. I do not want to repeat what I said at Second Reading; I spoke in support of the Bill in general terms, and I remain in support of it. The only additional thing I would say is that we should not allow unnecessary amendment of the Bill to create a sort of legislative game of Dungeons and Dragons in which a bureaucratic labyrinth would be created which can be met in a much more practical way. On the whole, the Bill is pretty practical about a modern problem—a more modern problem than existed, say, 10 years ago—which has to be addressed in real time and sometimes with great urgency in that real time.
I want to say something that follows from what the noble Lords, Lord Murphy and Lord West, said about the ISC. I hope that we can tease a little more information out of the Minister, who has been extremely helpful to all of us who are interested in the Bill. I can see, and I would be grateful if the Minister would tell us, that there might be some practical problems relating to national security in the way in which the ISC was informed about problems arising under the provisions in the Bill when it becomes an Act. It would be helpful to the Committee if the Minister were to say from the Dispatch Box that the Government certainly do not exclude the involvement of the ISC in the consideration of the Bill. I should also be very grateful if he would say that the Home Secretary would regard it as a duty to inform the ISC on his personal responsibility if issues arose which ought, in the national interest, to be the subject of information to the ISC. Thus, the ISC might be able to report on these issues without too much bureaucracy being involved and any arguments about what is or is not disclosable in a wider way concerning national security.
My Lords, I do not know whether I can help the noble Lord, Lord Fox, on his question of urgency. One of the things that the Security Service and the other intelligence agencies do is deal with matters of life and death, of imminent terrorist threats, of states pursuing one of their dissidents. There is many an occasion when moving at vast speed outside the hours when IPCO is available is necessary and proportionate. I am out of date, so it is hard to give lots of current examples, but many a time there is an urgent need to move fast to try to save life.
On the point from the noble Lord, Lord Murphy, about the ISC—we will come on to look at these amendments in more detail—as far as my service is concerned, we did not need to get used to the ISC in that we had been demanding its creation for a number of years, with resistance from the Prime Minister of the day until it actually came into being. And when it did, we very much welcomed it.
I have hardly had more pleasure since I have been in this House than from the amendment in the name of the noble Lord, Lord Fox, on seeking to forget stuff. Like some noble Lords, I have difficulty in remembering things—I am sorry, I should speak only for myself—but if I was legislated to forget something, it is almost certain that I would be capable of remembering it.
My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.
I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.
Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.
In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.
The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.
Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.
Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which
“regard must be had to all the circumstances”.
The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.
The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.
The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.
On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.
All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.
If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.
Thank you; point taken.
Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.
In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.
I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.
I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.
The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.
The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.
Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.
The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.
Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.
My Lords, that was an extremely helpful response from the Minister and shows the importance of tabling probing amendment sometimes: to get things read into Hansard that can be referred to.
With respect to the point around children, I would be grateful for the letter to be made available to other Members of the Committee. Again, that was a helpful point and helpful clarification, should it be needed. I also very much agree with him—to show my point about the importance of things being read into Hansard—about my Amendment 17, but it was helpful for the Minister to read into the record the definition of serious crime to be used throughout the Bill, so that there is no ambiguity with respect to that.
I totally agree with what the noble and learned Lord, Lord Hope, said about my Amendment 1. I think the wording in the Bill is better than that contained in Schedule 10 to the Data Protection Act 2018, but I wanted that to be read into the record so that we had it there. I agree with his criticism of my Amendment 1, but the reason I tabled it was exactly to get the point that he made in criticising my amendment, which the Minister reinforced—if the noble and learned Lord understands my logic.
The points made by the noble Lord, Lord Anderson, with respect to Amendment 3 raise an issue. The Minister’s response to that was, “Well, it’s a non-exhaustive list so it’s not necessary, but I’m happy to talk to the noble Lord about it”. One wonders where that will get to. It will be interesting for the Committee to see the outcome of that. I thought that Amendment 3, of all the various amendments, was particularly useful and again drew out whether the factors listed in Clause 2 are the right ones, or whether they need adding to. It was important that the Minister clarified that it is not an exhaustive list.
There is one area that I think may need to be looked at further, as mentioned by my noble friends Lord Murphy and Lord West, and the noble Lord, Lord Carlile, if I understood his remarks properly. We need to clarify the role of the Intelligence and Security Committee. I note the Minister’s reassurances, but what is its role? The clear point of difference between what I would say and what my noble friends Lord Murphy and Lord West and others would say is that we are talking here about parliamentary oversight. The Government have an annual report which goes to the Secretary of State. That is political oversight of a sort but it is not parliamentary oversight. The whole point of the ISC being set up was to give parliamentary oversight to all these sorts of matters. We have a Bill before us called the Investigatory Powers (Amendment) Bill, which deals with all sorts of issues of national security and the powers that the intelligence agencies and others should have on our behalf. It is only right and proper that the Intelligence and Security Committee should have a role that is properly defined within the legislation before us. That is one aspect that I need to reflect on and discuss with other Members of your Lordships’ House and with my noble friend Lord West, as our member of that committee.
That is the one area where, to be honest, I was not satisfied with what the Minister had to say. Notwithstanding Amendment 3, and all the other points made to the noble Lord, Lord Fox, and many others, the definitions the Minister has helped clarify and the various ways he has sought to ensure that people understand the Government’s intent have been extremely helpful to the Committee. With that, I seek leave to withdraw the amendment.
My Lords, Amendment 20 is intended to probe the legal basis for surveillance of the type of data described in new Section 11(3A)(e). This amendment would prevent public authorities—councils, police forces, intelligence agencies, government departments including the DWP and HMRC, the Gambling Commission, the Food Standards Agency, and many more—having “lawful authority” to obtain and use communications data from a telecommunications or postal operator solely because the information is available to the public or a section of the public even if only on a commercial basis.
Communications data is defined in the IPA as data that may be used to identify, or assist in identifying, the sender, recipient, time, duration, type, method, pattern, or fact of a communication, along with the system used to make a communication, its location and the IP address or other identifier of any apparatus used. The broad list of public authorities able to obtain communications data is set out in Schedule 4 to the IPA.
Clause 11 of the Bill before us now amends the Section 11 IPA offence of unlawfully obtaining communications data from a telecommunications or postal operator. Whereas the IPA currently defines an offender as,
“A relevant person who, without lawful authority, knowingly or recklessly obtains communications data from a telecommunications operator”,
this Bill would add a list of examples to the Act of what constitutes lawful authority.
My Lords, I stand to address the clause stand part notice for Clause 13 and also Amendments 21, 22, 24 and 26. The aim of looking at the clause relates to the communication data disclosure powers. The current IPA wisely restricted the number of public authorities that are able to compel the disclosure of communications data from telecommunications operators, given the potentially intrusive nature of this power. Consequently, authorities such as the Environment Agency or Health and Safety Executive are currently required to take further procedural steps in order to compel disclosure of communications data. They must obtain either an authorisation under the current IPA, a court order or other judicial authorisation, or regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as secondary data as part of a valid interception or equipment interference warrant.
However, the Bill before us seeks to remove these restrictions for a wide range of public regulatory authorities and restore their ability to compel the disclosure of communications data from telecommunications operators in service of their statutory regulatory or supervisory functions. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data, and that a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions, in a way that was not anticipated at the time of the original legislation.
It is argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function, which would collect communications data as part of their lawful functions but would be restricted under the current Act if their collection was not in service of a criminal investigation. In particular, the change is focused on improving the position of certain public authorities responsible for tax and financial regulation, whose powers were removed in 2018 as a result of the rulings of the European Court of Justice.
Clearly, such bodies must be able to perform their statutory functions effectively, but we have been told that this Bill delivers only “urgent, targeted changes needed”. That is not the case here. These sections represent a sweeping restoration of powers across a wide number of public bodies, most of which have no national security or serious crime function.
The original Act was very particular about the purposes for which communications data could be gathered under the legislation and by which bodies. It ensured that this power was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. Clause 13 and its related schedule fly in the face of this very deliberate policy in the original Act, and overturn Parliament’s careful deliberation of the point.
Will the Minister confirm which bodies will have their powers restored under this legislation? Which of those bodies have reported a significant reduction in their ability to perform statutory functions as a result of the IPA? Have some bodies been more effective than others? Might it be possible and appropriate to significantly pare back this list of organisations?
At present, the case has not been made. We need to be satisfied that these powers are given to those bodies which cannot adequately function without them. It cannot be the case that some are simply given these powers back by default. I am prepared not to take this amendment to a vote if the Minister can assure the House the Government will bring forward their own amendment, which restores these powers in a more limited and targeted way.
The next stand part notice is consequential on that one being taken.
I move on to Amendments 21, 22, 24 and 26. These seek to remove the ability of the agencies to internally authorise the use of a new broader power to obtain internet connection records for target discovery. The agencies would instead be required to seek approval from IPCO, thereby creating an element of independent judicial oversight.
As I noted previously, Clause 14 creates a new broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position, removing the current demand that the exact service used and the precise time of use be known. Instead, the agencies will be able to obtain ICRs to identify which persons or apparatus are using one or more specified internet services in a specified period—a far broader formulation.
After consideration of the relevant classified evidence, the ISC agrees with the intent. However, the newly expanded power is potentially very intrusive. It allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time and could, therefore, potentially intrude on a large number of innocent people. Parliament must therefore ensure that there are appropriate safeguards in place.
The ISC acknowledges that there are safeguards in place relating to the obtaining of ICRs. However, in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded power internally. They make the assessment as to whether it is necessary and whether it is proportionate. There is no independent oversight of the agencies’ assessment.
The Government may argue that the ability of the agencies to authorise use of this power internally replicates the existing provisions when authorising the obtaining of ICRs for target discovery or target development. They will also no doubt refer to how the noble Lord, Lord Anderson, said in his report that “arguably” the potential intrusiveness of this newly expanded target detection power is no greater than the existing provisions for obtaining ICRs.
In the ISC’s view, the new provision—which is considerably broader than the existing target discovery power, removing the need to know the exact service used and the precise time of use—is significantly more intrusive than existing provisions. Consequently, greater oversight is required to ensure that the power is always used appropriately. This is not because we expect the agencies to act in bad faith but because independent oversight is essential, acting as a counterbalance to the intelligence community’s intrusive powers and providing vital assurance to Parliament and the public.
This amendment and the two linked Amendments 24 and 26 therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO in order to authorise the obtaining of ICRs under this new broader power.
Incorporating this independent judicial oversight would ensure that use of this power is always necessary and proportionate and strikes the right balance between security and privacy. It also aims to minimise any burden on the agencies. It does not, for example, incorporate the “double lock” mechanism, which is used for the most intrusive powers under the Investigatory Powers Act.
We recognise that the Government may wish to bring forward their own amendment to include provision for urgent cases; therefore, I do not propose to move this amendment to a vote at this stage. It should, however, indicate to the Government the ISC’s firm view that independent judicial oversight in this area is essential.
I will say a little more about Amendment 22. This amendment seeks to limit the purposes for which the new, broader target discovery power, which has been introduced under Clause 14, could be used. Clause 14 creates a new, broader power for the agencies, and the NCA, to obtain internet connection records for the purposes of target discovery. Target discovery is a great deal more intrusive than target development, potentially intruding on the privacy of a great number of innocent individuals. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, and that it is tightly drawn and properly overseen.
Currently, in order to obtain ICRs for target discovery, the agencies must unequivocally know the precise service used and the precise time of use by the unidentified individual. It is, therefore, very tightly drawn. The new target discovery power removes these requirements, allowing the agencies to obtain ICRs to identify which persons or apparatuses are using one or more specified internet services in a specified period. Noble Lords will recognise how potentially broad this is by comparison.
My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be
“open to Parliament to require further safeguards”
and suggested that those safeguards include
“making the extra condition available only to UKIC”—
in other words, the intelligence services—
“at least in the first instance”.
I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that
“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.
That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.
Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.
I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.
However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments, 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.
My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.
Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?
I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.
I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.
Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.
The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.
The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.
I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.
As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.
The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.
The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.
The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.
My Lords, this has been a really worthwhile part of our debate, and I thank those who have tabled amendments and the Minister for his response. I was particularly interested to hear both the substance of and response to the amendments of the noble Lord, Lord West of Spithead. I think it best that we spend some time reviewing this in Hansard in deciding what, if anything, needs to come back. With that said, I beg leave to withdraw Amendment 20.
My Lords, in opposing that Clause 16 stand part of the Bill, I shall also speak to the clause stand part notices on Clauses 17 and 20.
This is one part of the Bill that has attracted a huge amount of external interest and deserves some positioning to understand why external parties might be suspicious of what they see. We should recognise that one of the most important security features available to protect personal information, both on a device and in the cloud, is end-to-end encryption. That encryption technology ensures that only users, and not the companies which provide the cloud services, can access their personal data and communications. Computer scientists and cryptographers have argued for many years that there is no safe way to decrypt one person’s messages without compromising the whole system’s security infrastructure. As soon as a backdoor, as it is called, is created to scan private messages, a security vulnerability is created that can be exploited by bad actors as well as good actors. I assume that that was why the Online Safety Bill left things hanging, waiting for a technological breakthrough, though I was not party to the processes of that Bill.
I remind your Lordships that once the company has created a backdoor key for encrypted systems, even for a single user in a single case, and certainly for any mass scanning, it has created a vulnerability that can eventually be abused by bad actors as well as law enforcement. I also remind your Lordships that the Home Office already can and presumably, on occasion, does require companies to weaken their security apparatus in the interests of law enforcement and national security.
To a great extent, the proximity of this Bill to the debate in the Online Safety Bill, has not helped matters: sensitivities were raised during that debate, and this is a chance for the Minister to try to calm them. As I mentioned earlier, the impending arrival of the Data Protection and Digital Information Bill is also putting people’s nerves on edge. There is a deal of management required here.
End-to-end encrypted messaging service providers were vociferous in their concerns during the passage of the Online Safety Bill, yet Section 121 of the Online Safety Act remains. However, Ministers clarified that Ofcom could only require scanning once it becomes technically feasible to do so—that is, when the technology is invented and allows scanning without violating encryption. But Ofcom retains the power to order service providers to use their “best endeavours” to develop that technology.
It is not surprising that some of those same encrypted message service providers were raising flags when it came to some of the clauses in the Bill. The IPA, as it stands, already enables the Home Office to instruct service providers to remove electronic protection for communications of interest to the police or security services by issuing them with a technical capability notice—a TCN. This effectively empowers the Home Secretary to require the removal of end-to-end encryption on those services across any number of suspects and criminal offences. Currently, for the Home Secretary to issue a TCN to a service provider under the IPA, they have to satisfy a number of considerations, which your Lordships will be pleased to hear I am not going to list. Even if the answers to all those conditions is positive and leads to a TCN, a process of checks and balances sits alongside the request, including informal and formal consultation between the Home Office and a service provider before the TCN is issued, oversight by the independent judicial commissioner assessing the request’s proportionality and, of course, recourse for the service provider to request a review of the TCN, allowing it and the Home Secretary to make representations to the judicial commissioner and the technical advisory board for assessment. Crucially, the service provider is not required to start acting on the notice until the review process is concluded.
My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.
In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.
I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?
My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.
The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.
Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.
My Lords, I thank the Minister for an admirably comprehensive response. That was what we were looking for—perhaps not everyone, but certainly our Front Benches. There is a lot to get our heads around, so we will take this away and look into it.
There are a number of observations I would make. First, the Minister emphasised co-operation, collaboration and discussion. Of course, the legislation does not look like that, so it would help if the Government could find some confidence-boosting measures, be they from the code or the draft annexe, or something that enables the Government to signal their continued intention to co-operate and collaborate.
The Minister talked about an interconnected data world—that is exactly the point the operators are making. Because of that interconnection, a hiatus in delivering a service in the UK could also be a hiatus in delivering that service to the rest of the world, given that everyone is using the same service. That is one of the points that was not picked up by the Minister at the time. That interconnectedness is the very issue that some operators have: if they are prevented from doing it in one place, how do they do it elsewhere?
The issue of corporate entities is interesting. What the Minister described was something I used to call “corporate veil”, and I am interested to know how robust that is in corporate law. With corporate veil, it became very difficult, even at court level in the United States, to break down the corporate entities and their interconnections. For no other reason than making an observation, I am interested to see how that works. I certainly see why the Government are putting it forward in their legislation.
There is a lot for us to digest, which we certainly will, between now and the next stage; it gives us something to get our teeth into over Christmas. That said, I beg to withdraw my proposal that Clause 16 stands part of the Bill.
I am afraid that the noble Lord is not in a position to do that. This is a clause; one votes for it or against it.
(1 year ago)
Lords ChamberMy Lords, this is the first of three amendments I have tabled to Clause 21 relating to the so-called triple lock for targeted interception and targeted examination of communications relating to Members of the relevant legislatures. These changes are replicated in the three amendments which I have laid to Clause 22, which we will come to later, which relate to the triple lock around the targeted equipment interference warrants.
The communications of Members of the relevant legislatures, including noble Lords in this House, should not be intercepted and read unless it is absolutely essential to do so in the most serious of circumstances. That is why Parliament added a third layer of safeguards to approve of any such warrant in the IPA, ensuring that these warrants will not only be issued by a Secretary of State and reviewed by a judicial commissioner but approved by the Prime Minister personally. This is a robust and necessary oversight mechanism, and it is important that any changes as a result of this Bill do not undermine the central three layers of approval.
Nevertheless, the ISC recognises that, on occasion, the requirement that a warrant be approved by the Prime Minister personally may disproportionately affect the operation of the intelligence agencies, where they are seeking a targeted interference or equipment interference warrant that is very time sensitive. We therefore support the intention to provide some resilience, whereby in truly exceptional circumstances, an appropriately empowered Secretary of State may temporarily deputise for the Prime Minister on these matters. However, the clauses before us go too far.
My three amendments seek to ensure that decisions are delegated only in the most exceptional circumstances, that the decision may be designated only to a limited number of Secretaries of State who are already responsible for authorising relevant warrants, and that the Prime Minister retains oversight of all warrants which have been authorised in their name through a retrospective review of the decision.
The first of those relates to the circumstances in which a decision may be delegated by the Prime Minister to a Secretary of State. This should be clearly defined and limited only to situations where the Prime Minister is genuinely unable to take a decision. My amendment specifies that the Prime Minister must be “unable”, rather than simply “unavailable”—which is a rather subjective test—to decide whether to give the necessary approvals. It sets out that the only situations in which this applies are due to incapacity or inability to access secure communications—for example, if the Prime Minister is extremely ill or is abroad and unable to securely access the relevant classified documentation. This provides what the agencies require, but, when combined with the requirement that there is an urgent need for the decision, also provides the necessary assurance to Parliament that the Prime Minister’s responsibility will be deputised only in specified exceptional circumstances, and ensures that the use of a delegate does not become routine.
My second amendment to Clause 21 is to specify those Secretaries of State who can act as a designate for the Prime Minister in these circumstances. As currently drafted, the Bill includes all Secretaries of State as potential designates for the Prime Minister in relation to triple-lock warrantry. However, only a limited number of Secretaries of State have any statutory responsibility for warrantry for investigatory powers: for example, the Secretaries of State for the Home Office, the Ministry of Defence, and the Foreign, Commonwealth and Development Office. Given that the authorising of a warrant that relates to a Member of the relevant legislature must be taken seriously, it is both sensible and desirable that any Secretary of State deputising for the Prime Minister on these matters should already be familiar with the process and framework for targeted interception and targeted equipment interference warrants as part of their routine responsibilities, as those are the warrants we are talking about.
This amendment therefore limits the Prime Minister to up to two designated Secretaries of State and specifies that they should be Secretaries of State who are already required in their routine duty to issue warrants under Sections 19 or 102 of the IPA. I note that my noble friend Lord Coaker has tabled a similar amendment, which would list a number of specific Secretaries of State who could be designated as deputies to the Prime Minister. We wholeheartedly support the intention behind this amendment, and our amendment seeks to achieve a similar outcome. However, I note the possible scenario whereby the evolution of departmental names, seen relatively recently with the renaming and restructuring of the Foreign, Commonwealth and Development Office, may sow confusion as to which Secretaries of State are included under Clause 21. My amendment seeks to avoid any such confusion by linking the role to existing statutory responsibilities for warrantry in the original Investigatory Powers Act. In this way, it should achieve a very similar outcome to that which was wisely proposed by my noble friend Lord Coaker.
My third amendment to Clause 21 would ensure that the Prime Minister retains ultimate responsibility for any targeted interception and targeted examination warrants which involve communications to or from Members of the relevant legislature. As I outlined earlier, the Intelligence and Security Committee considers it essential that the three planks of the triple lock not be weakened by any changes made by the Bill. Therefore, we must ensure that the Prime Minister’s overall oversight of and involvement in these warrants is retained, even if, in designated cases, it could be retrospective. I have therefore tabled an amendment to provide that the Prime Minister review the decision taken by a designated Secretary of State on their behalf as soon as the circumstances have passed which prevented the Prime Minister approving the warrantry in the first place.
My Lords, I wish to speak to Amendments 44 and 51A, which are in the name of the noble Lord, Lord Anderson, and to which the noble Lord, Lord Fox, and I have added our names. They very neatly follow on from Amendment 43, which has just been moved by the noble Lord, Lord West of Spithead, and are based on a recommendation in the report by the noble Lord, Lord Anderson, in which he says at paragraph 8.20:
“I recommend the use of a deputy to be permitted for the purposes of the triple lock when the Prime Minister is unable”—
I stress the word “unable”—
“to approve a warrant to the required timescale (in particular through incapacity, conflict of interest or inability to communicate securely)”.
These amendments are prompted by the fact that, instead of the word “unable”, which was that chosen by the noble Lord, Lord Anderson, for the recommendation in his report, and which is also used in Amendment 43, the word that appears in Clause 21 for condition A in the new subsection (3) of Section 26 is “unavailable”. The same point arises with the wording of the triple lock in relation to equipment interference which Clause 22 seeks to introduce, under Section 111 of the 2016 Act. The word “unavailable” would be replaced with the word “unable” in both places by the amendments from the noble Lord, Lord Anderson.
This is all about the meaning of words. The aim must surely be to find the right word to use for describing the situation in which the Prime Minister’s function of giving the necessary approval must be passed to another individual, other than the Secretary of State who has applied for the warrant. This is, of course, a very sensitive matter, and that in itself indicates the importance of choosing the right word.
The question is whether the phrase
“unavailable to decide whether to give approval”
covers all possible situations. The word “unable” includes “unavailable”, but “unavailable” does not always mean the same as “unable”. The word “unavailable” sets too low a bar. The Prime Minister could be unavailable simply because he or she is doing something else—whatever it might be—that is occupying their mind or demanding their attention elsewhere.
On 11 December 2023, the Minister sent a letter to the noble Baroness, Lady Drake, in response to points raised on this Bill by the Constitution Committee, which gave examples of prime ministerial unavailability. Attached to that letter was a commentary on the proposed amendments to Sections 26 and 111, in which the point is made that the word “unavailable” should be understood to mean situations—of which two examples are given— in which the Prime Minister is “genuinely unavailable” to consider the application. The introduction of the word “genuinely” demonstrates the problem with the word “unavailable” on its own, to which the noble Lord, Lord Anderson, draws attention: it needs to be narrowed down and clarified. That is what the word “genuinely” does, but it is not in the Bill.
It is worth noting that, in each of the two examples given in the commentary, “unable” is used to describe situations Prime Ministers may find themselves in which they cannot perform the function to which the statute refers:
“5.1 The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents.
5.2. The Prime Minister is medically incapacitated and therefore unable to consider the warrant.”
The fact that “unable” is used here suggests that the word the noble Lord, Lord Anderson, used in his report really is the right one for the situations referred to in these two sections.
There is a further point that the noble Lord, Lord Anderson, would make: “unavailable” does not cover the situation in which there may be a conflict of interest. This surely is a reason why a Prime Minister, although available, should not exercise the power. Here especially, the greater clarity that the word “unable” brings to the situation really is needed.
I know that the Minister has discussed this issue of the wording with the noble Lord, Lord Anderson, perhaps several times and will, no doubt, refer to the position he and his Bill team have adopted so far during these discussions when he replies. But I hope he will feel able, especially in view of the points I have made about the commentary attached to his letter of 11 December, to agree to another meeting with the noble Lord, and possibly myself, before the Bill reaches Report. I hope that, when he comes to reply, he will be able to respond to that request.
My Lords, I am pleased to follow my noble friend Lord West and, indeed, the noble and learned Lord, Lord Hope. They have raised some important questions for the Committee to consider and for the Minister to respond to.
It may be helpful to remind the Committee and others present that Clauses 21 and 22 amend the section of the IPA that deals with targeted interception and examination warrants regarding Members of both Houses of Parliament and the devolved legislatures. These are clearly very important pieces of legislation. The safeguard on such warrants is referred to as the triple lock. As with other warrants in the IPA, the Secretary of State and the judicial commissioner must approve the warrant. But with respect to this issue, the Prime Minister must also approve warrants for the communications of Members of UK Parliaments, hence the difficulty that my noble friend, the noble and learned Lord and others have referred to. What happens with the triple lock if the Prime Minister is not available to authorise that warrant with respect to the communications of parliamentarians, not only in Westminster but the devolved legislatures?
One can see the seriousness of this problem. The Government have rightly felt it necessary to bring this measure forward, given the unfortunate situation when the Prime Minister was dangerously ill in hospital with Covid; thankfully, he recovered. This is clearly a very important issue which we need to consider.
My noble friend Lord West outlined an issue, as did the noble and learned Lord, Lord Hope, that I will speak briefly to. I say respectfully to all noble Lords that the points the noble and learned Lord made are not dancing on the head of a pin: they are very real questions for the Minister about the difference between “unavailable” and “unable” and what that means. The Government need to clarify that for us. My noble friend Lord West’s amendment and my Amendment 47, on which Amendment 45 is consequential, question the wide scope the Government have within the legislation, whereby it almost seems as if any Secretary of State will be able to deputise for the Prime Minister. My noble friend Lord Murphy made the point at Second Reading, which my noble friend Lord West has just made again, that it would surely be better if that scope were narrowed to Secretaries of State with experience of dealing with warrants. My and my noble friend Lord West’s amendments seek to narrow that scope to Secretaries of State who have that experience.
I take the point of my noble friend Lord West. His amendment as it stands is probing. Maybe drafting improvements could be made. The thrust of what he and others said, however, is that we need to do something to deal with the issue.
I have just a couple of questions before I move on to Amendment 55A. Who decides whether the Prime Minister is available or unavailable, or if indeed we have the Bill amended? Who decides that the Prime Minister is unable to take the decision for that triple lock? What is the process by which the decision is made that this is the case?
On Amendment 45, it is unclear to me who the senior officials are that could also make the decision. We have other Secretaries of State who could take the decision if the Prime Minister is “unavailable” or “unable”—if an amendment is passed—to take the decision. Then we have senior officials who might be allowed to take this decision. It is not dancing on the head of pin to ask “What does a “senior official” mean?” and “Who are the officials?”, hence my probing Amendment 45 on who they are and in what circumstances they could take these permissions.
In preparing for Committee, I asked about what sorts of situations might arise. Of course we can think of different situations, and the Government, in the code of practice that they publish, outline a couple of scenarios that may require urgent warrants and the Prime Minister to be involved and so on. In 2011, the noble Lord, Lord Hennessy, apparently did a helpful piece of work on Prime Ministerial powers. He talked of what happens if the Prime Minister is unable to take a decision with respect to shooting down a hijacked aircraft or an unidentified civil aircraft. What happens in those circumstances? Is that the sort of circumstance that the Bill seeks to deal with as well? What we are discussing is obviously also really important because this may involve the authorisation of the use of nuclear weapons. The Minister will be limited in what he can say about that.
I do not want to create a TV drama-type situation, but these are really important questions and the Government are right to address the situation of a Prime Minister being unavailable or unable to take these decisions in some of these circumstances. Again, this gives us the opportunity to think about what areas of national security the Bill would cover.
As is said in the explanatory statement, Amendment 55A
“is designed to probe the extent to which powers in the Investigatory Powers Act 2016 have been used in relation to Members of Parliament”.
As I have mentioned, I was particularly disturbed that, under Section 230 of the Investigatory Powers Act, the Prime Minister can deal directly with the Investigatory Powers Commissioner to keep under review the discharge of the functions of the Armed Forces with regard to intelligence activities. Can the Minister say what the role of Defence Intelligence is in all this? The reason that I raise the matter in this debate on parliamentary communications is due to the report in the Mail on Sunday on 25 November, which spoke of Defence Intelligence being involved in in the Government’s response to Covid. It was involved in looking at communications—and, according to the report in the Mail on Sunday, some of the communications involved parliamentarians.
My Lords, I rise to speak to the amendments in my name in this group. First, I shall make some brief and broadly supportive comments regarding the amendments proposed by the noble and learned Lord, Lord Hope, and the noble Lords, Lord West and Lord Coaker.
As we have heard, all these amendments are designed to tighten up or clarify the triple lock and the changes introduced in the Bill. As your Lordships know, the triple lock relates to circumstances where UKIC and law enforcement may obtain and read the communications of MPs, et cetera; we will talk about the “et cetera” in a minute. Currently, the usual double lock is supplemented by an unqualified requirement that the Secretary of State may not issue the warrant without the Prime Minister’s approval.
As we heard from the noble and learned Lord, Lord Hope, the report from the noble Lord, Lord Anderson, explores the circumstances in 2020 when the Prime Minister was hospitalised and the triple lock was therefore rendered unavailable. The noble Lord recommends the use of a deputy for the purposes of the triple lock when the Prime Minister in unable to approve a warrant in the required timescale, particularly through incapacity, conflict of interest or an inability to communicate securely. As we heard from the noble and learned Lord, “unable” has been substituted with “unavailable” in the Bill. I really am not sure why—perhaps the Minister can explain why—but that is a different context. In his normal, forensic way, the noble and learned Lord explained the difference between those words; that is why I was happy to sign Amendment 51A, which reverts back to the originally recommended “unable”.
The amendments in the name of the noble Lord, Lord West, are more probing but interesting. We will be interested to hear how the Minister responds to them; I look forward to that.
Amendment 47 in the name of the noble Lord, Lord Coaker, seeks to limit the number of Secretaries of State who can be designated in that deputy role. This seems a reasonable suggestion. Others may want to change the list, but a senior group of Ministers should be listed; surely having three or four of them on that list should be sufficient to deal with the issue.
The noble Lord, Lord Coaker, spoke to Amendment 55A. There are elements of reporting there that are reflected in my Amendment 55, which I will come to shortly.
I will now speak to Amendments 50, 54 and 55 in my name. Amendments 50 and 54
“would require that members of a relevant legislation who are targets of interception are notified after the fact, as long as it does not compromise any ongoing investigation”.
Amendment 55 seeks to ensure that the Investigatory Powers Commissioner reports annually on the operation of surveillance warrants and safeguards in relation to parliamentarians. This should include records in the annual report of the number of warrants authorised each year to permit surveillance of the Members of relevant domestic legislatures. This would ensure transparency, at least over the rate at which the power is being used.
Before talking a little more about this, it is worth recapping the history of political wiretap legislation. I am sure there are others who know it better than I, but it was helpful for me to understand the context. As we have heard, the IPA permits the interception or hacking of parliamentarians or the Members of other domestic legislative bodies via this triple-lock system, whereby the Secretary of State can issue a warrant with the approval of the Prime Minister, as per Sections 26(2) and 111(3). Until October 2015, it was widely understood that the communications of MPs were protected from interception by the so-called Wilson doctrine. This protection extended to Members of the House of Lords in 1966, and was repeated in unequivocal terms by successive Prime Ministers. Tony Blair clarified in 1997 that the policy
“applies in relation to telephone interception and to the use of electronic surveillance by any of the three security and intelligence agencies”.—[Official Report, Commons, 4/12/1997; col. 321W.]
Despite this clear and unambiguous statement that MPs and Peers would not be placed under electronic surveillance, an October 2015 decision by the Investigatory Powers Tribunal held that the doctrine had been unilaterally rescinded by the Executive. We pick up from there, so it is an interesting evolving power and we are part of that evolution in this Bill.
This evolution has also coincided with the meteoric rise in electronic communication that now offers the possibility of vastly more information being unearthed than was the case with a simple wiretap back in the Wilson days. First, there are clearly times when this sort of interception is necessary, and that is why the triple lock is such an important safeguard. But I have a couple of modest suggestions contained in these amendments. I must say now that I am in a state of deep trepidation, as not only has the noble Baroness, Lady Manningham-Buller, given me notice that she is on my case but she has actually moved five Benches closer than she was on Monday, so my boots are shaking.
These amendments would introduce a post-notification procedure to inform parliamentarians where they have been affected by targeted surveillance powers, but only if it does not compromise any ongoing investigation. Clearly, they would have to be deemed innocent or beyond suspicion for that notification to happen. I agree that it would be unfortunate, to say the least, if, for example, the announcement of any investigation revealed confidential sources that led to the initial investigation. I had hoped that my wording implied that, but I will be very happy to work with the noble Baroness on improving the wording on Report if she deems it necessary.
We got to the fourth group of amendments to the Bill without my raising the European Convention on Human Rights. Now is the time. Happily, I am sure that the Minister has been reading up on this for other reasons, and he will no doubt be familiar with this important bastion of freedom. I refer in particular, in this case, to Article 8: the right to respect for private and family life, home and correspondence. I feel sure that most surveillance interventions would meet the terms of Article 8, which are summarised as:
“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
As I say, it is unlikely that the activities we have been describing will break that.
In the unlikely event that they do and there is a misstep, in order to bring a case under the Article 8 right it is necessary for a person to know that their privacy was breached in the first place, hence Amendments 50 and 54. I refer the Minister to two Article 8 rights cases heard by the European Court of Human Rights: Klass v Germany in 1978, which was reiterated in Weber and Saravia v Germany in 2006.
Amendment 55 is a bit simpler. It would ensure that the Investigatory Powers Commissioner’s annual report provides information about the operation of safeguards in relation to surveillance of Members of Parliament et cetera, as is already required for journalists. It would mandate that
“information in particular about warrants … considered or approved”
that are targeted at MPs et cetera is included, further to the requirement to provide information on general targeted interception and hacking warrants. I believe that is not a controversial ask, and I hope the Minister agrees.
I would like to use these amendments to do some probing as well as changing words, by confirming the “et cetera” part of MPs et cetera. My understanding, which I am sure is correct, is that as things stand that includes Lords and elected Members of the devolved authorities. But our democratic system is changing and evolving as we go. We now have very powerful elected mayors with very large electorates—much larger than any MP’s. I wonder whether there is an argument that they too should be included within the triple-lock umbrella going forward. I have one additional question in this vein. Once out of office, do all these individuals no longer attract triple-lock protection? Are ex-First Ministers, ex-MPs and ex-Prime Ministers all no longer subject to the triple-lock safeguards?
This sort of legislation breeds suspicion. The two measures I propose here are sincere attempts to help tackle some of these suspicions and create sufficient transparency to allay the fears that there is widespread and extensive activity of this type—assuming, of course, that this activity is indeed a rare occurrence.
My Lords, the noble Lord, Lord Fox, is quite safe; I am not going to come and hit him, but I am going to try to demolish a few of his arguments.
I will start with the word “transparency”, which appears again in some of the amendments in the name of the noble Lord, Lord Coaker. The work of the security and intelligence agencies can never be transparent. It is in the interests of those agencies that as much as can safely be known of what is done in their name is known, which is why my organisation sought law in the 1980s. But there will always be things that cannot be made public because, if they are, we might as well pack up and go home.
Appealing as the amendments in the name of the noble Lord, Lord Fox, might be on the surface, for a start, telling people that they have been subject to interception would require us to alter earlier parts of the IPA because it would be illegal. To do so would also risk sources and methods. Of course, they would not be itemised, but let us consider a speculative case of a Member of the other House who has a relationship with a young Chinese lady. Let me emphasise strongly that this is not based on any knowledge of anything. Indeed, when I was director-general of MI5, we still operated the Wilson doctrine. Somebody in that MP’s office approaches my former colleagues and raises concerns with them. A warrant is obtained, signed by the Prime Minister, and subsequently it becomes clear that the concerns of the individual in the office—the source of the information—were absolutely justified. Now, we cannot tell that individual at any stage whether he or she is acquitted of any wrongdoing or ends up care of His Majesty’s jails. We cannot at any stage tell him because it risks sources and methods.
No, this is what I want to establish. Just saying that he has been intercepted will lead that person to wonder how, so we cannot act covertly if there is any danger of sources being revealed or future operations being compromised.
Additionally, it raises the question of why Members of legislatures should have the privilege of being told that they have been subject to interception when members of the public never are. It is wrong, as it was, to treat parliamentarians as a particularly special case. Of course, such cases are highly sensitive, hence the triple lock; hence, I suggest, the rarity of this, but I think Amendments 50 and 54 are potentially damaging. I will shut up now.
My Lords, I apologise that I did not speak at Second Reading, but I was here. Perhaps for the same reasons, I strongly support what the noble Baroness, Lady Manningham-Buller, has just said. It is secret that telephone interception is in place. If someone is aware, directly or indirectly, that the only way the Security Service or the police will discover a certain piece of information is by a telephone call, then it could be revealed, so it would require the law to be changed.
I have four worries about this amendment. First, at the point at which an interception is stopped, it is very difficult to predict whether the investigation will continue and/or be resumed. If the suspect is advised of the existence of the investigation, it gives them the potential to destroy evidence, which may frustrate the investigation in the long run, so I do not think it is wise to advise any suspect that they have been under investigation.
Secondly, there are two types of investigation: overt ones, where the person knows they are under investigation, and covert ones, where they do not. There is a general convention whereby if an investigation concludes without a charge, we have never told the person that they were under investigation. I am not sure why we would breach that principle merely because intrusive surveillance was in place.
Thirdly, as the noble Baroness mentioned, why would we do that only for Members of the legislature? It could be put in place, but there have to be some strong reasons. I do not think Members of a legislature can just say, “We deserve extra protection”. There has to be a stronger reason, because, otherwise, the rest of the public could rightly say, “Well, why can’t we have that protection?” For that reason alone, you would have to think very seriously about it.
Finally, sometimes Members of the legislature might be under investigation for things in their private capacity and sometimes for a mixture of the two; it might overlap into their legislative acts. Before anything like this was considered, I would take an awful lot of persuasion and I do not think the argument was made for why this needed to happen only for Members of the legislature.
My Lords, I support the points the noble Baroness, Lady Manningham-Buller, made about Amendment 50 regarding the revelation of whether someone who is in a legislature has been tapped. I do not think that is possible. I think it has all sorts of practical difficulties which she rightly outlined, and that situation is something that I could not in any way support.
I want to come back to the issue of “unable” or “unavailable” with regard to the Prime Minister. I think that it is right that it should be “unable”, because of the gravity of the business of tapping the phone of a Member of Parliament or a devolved legislature. I suspect that such a possibility is hugely remote; it might not happen for years and years. However, when it does happen, it is exceptionally serious, because you are not only depriving that Member of Parliament of liberty—you are in many ways saying that the person who has been elected by his or her constituents as a Member of Parliament or of the Senedd, or whatever it may be, is now in some doubt as a public representative. That is hugely serious, so the triple lock is important, but the word “unable” is more serious a word than “unavailable”, and I support changing the word in the Bill.
I also very much agree with the noble Lords, Lord West and Lord Coaker, about the nature of the Secretaries of State who should be the substitute for the Prime Minister if the Prime Minister was unable to perform his or her duty with regard to tapping the phone of a parliamentarian. I tapped phones for three or four years almost every day, except at weekends—occasionally at the weekend, but mainly on weekdays—and I took it very seriously. I knew that I was depriving someone of their liberty and privacy; generally speaking, they deserved to be deprived of their liberty because of the horrible things that they might do. Sometimes, although very rarely, I would not sign them, because I was not convinced of the argument put to me.
Someone who has the experience over the years of dealing with warrants has an idea of the nature of the act of signing the warrant and how important it is. It is not simply about reading it and putting your name at the bottom—you have to think about it very seriously. Your experience develops as time goes by. In fact, when I was unable or, more likely, unavailable to sign warrants as Northern Ireland Secretary—if I was on the beach somewhere in the Vendée, as I occasionally was—somebody else would sign the warrants that I would normally have signed. It was generally the noble Lord, Lord Blunkett, who was then the Home Secretary—and when he went on holiday somewhere, I signed his. The point about that was that, technically, almost every member of the Cabinet—because by then nearly every member was a Secretary of State—could have signed. But I knew, when the noble Lord, Lord Blunkett, signed mine, that he knew what he was doing—and vice versa, I hope. Therefore, there should be some way in which we designate Secretaries of State who are used to signing warrants to be a substitute for the Prime Minister.
The other issue, on which I shall conclude, is that the debate so far is evidence of why it is so important that the Intelligence and Security Committee puts its views to this House, through the noble Lord, Lord West, and that the committee should look carefully at these matters.
My Lords, I thank all noble Lords who have spoken in this debate, which was fascinating. I shall start by addressing the amendments and points raised on the circumstances in which the alternative approvals process would be used—that is, for urgent warrants when the Prime Minister is not available. First, it is worth reminding noble Lords that we have set out a non-exhaustive list of such circumstances in the draft excerpt of the relevant code of practice published last week. I shall come back to that in a moment.
I start with Amendments 44 and 51A, tabled by the noble Lord, Lord Anderson of Ipswich, and spoken to by the noble and learned Lord, Lord Hope of Craighead, which seek to widen the situations in which the alternative approvals process could be used to include situations where the Prime Minister is “unable” to consider a warrant—not only when they are “unavailable”. As the noble and learned Lord indicated, the amendments would extend the circumstances where the alternative approvals process could be utilised to expressly include instances where the Prime Minister has a conflict of interest in considering a warrant application.
I remind noble Lords that the Prime Minister, like all Ministers, is expected to maintain conduct in line with the Nolan principles in public life: selflessness, integrity, objectivity, accountability, openness, honesty, and leadership. When a Prime Minister has a conflict of interest in approving a warrant, due to any personal or professional connection to the subject of the warrant, they are expected to continue to act in the public interest. Therefore, in these situations, the Government consider that the alternative approvals process is not required.
When drafting the Bill, the Government considered at some length whether to make further provision for conflict of interest, along the lines of the noble Lord’s amendment, and concluded that they should not. The primary reason is that, in order for a conflict of interest provision to function, a Secretary of State or unelected official involved in the warrantry process would have to be granted the ability, in certain situations, to take from the Prime Minister a personal power given to them alone by Parliament. Unlike the provisions in Clause 21, which permit the Prime Minister to delegate their power to approve these warrants if they are unavailable, this would require a subjective decision to be made on whether the Prime Minister could, in theory, be judged able to approve the warrant. A conflict of interest provision would also have significant implications for Cabinet hierarchy and the constitution. This is because a Secretary of State or an unelected official would have to determine that the Prime Minister had a conflict in approving the warrant and was therefore “unable” to be made aware of the warrant request. It is for these reasons that the Government decided that a conflict of interest provision should not be included in the Bill.
I have referred to the draft code of practice, and the noble and learned Lord, Lord Hope of Craighead, referred to my letter. I can confirm that many of the words in that letter appear to have reappeared in the code. Paragraphs 5, 5.1 and 5.2 state that:
“Prime Ministerial unavailability should be understood to mean situations in which the Prime Minister is genuinely unavailable to consider the application. For example (non-exhaustive) … The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents … The Prime Minister is medically incapacitated and therefore unable to consider the warrant”.
I am very happy to share the code of practice further with all noble Lords, if they would like to see a copy.
I have noted that this conflict of interest provision is specifically not included in the similar Amendments 43 and 51, tabled by the noble Lord, Lord West, which seek to limit the circumstances in which the alternative approvals process can be used due to
“incapacity (ill-health) or lack of access to secure communications”.
As the code of practice sets out, these are two of the key scenarios for which the measure is required, but an amendment of this nature would not cater for unforeseeable events and would leave an unacceptable level of vulnerability in the system. Given that the aim is to increase the resilience of the process, these amendments feel opposite in intent. The moment that a circumstance arises in which the Prime Minister is unable, for a reason other than the two given, to authorise an urgent warrant application, the system would provide a blocker to the intelligence agencies being able to conduct their vital work, which is of course keeping parliamentarians and the public at large safe and secure. I therefore ask noble Lords not to press their amendments. However, I note the views expressed today and am very happy to continue discussions and to meet the noble and learned Lord, Lord Hope, and the noble Lord, Lord Anderson, again to discuss this further.
I turn to Amendments 48 and 53, also tabled by the noble Lord, Lord West. These would introduce a review by the Prime Minister of warrants authorised via the alternative approvals process for interception and equipment interference. Clauses 21 and 22 are set up in such a way that the Prime Minister’s power is afforded to the Secretary of State for the purposes of triple-locked warrantry in specific circumstances; in effect, they are acting as the Prime Minister for the purposes of the Act, not as a deputy. As such, including a requirement for the Prime Minister to review the decision after the fact would not provide additional meaningful oversight beyond that which is provided by the alternative approver on their behalf. The decisions made by the initial Secretary of State and the alternative approver would still be subject to review by the judicial commissioner, so would have already been subject to significant scrutiny. The Government therefore cannot support these amendments.
I turn to the issue of to whom the Prime Minister can delegate this process. Amendments 47 and 49, tabled by the noble Lord, Lord Coaker, and Amendments 46 and 52, tabled by the noble Lord, Lord West, all seek to limit the Secretaries of State whom the Prime Minister can designate as alternative approvers. Directing the actions of the current and any future Prime Minister by limiting the Secretaries of State to only those mentioned in statute is short-sighted, in that it does not consider potential changes to the machinery of government, as the noble Lord, Lord West, noted.
Furthermore, I invite noble Lords to consider the scenario where, for example, the Home Secretary has provided the initial approval for the application before it is considered as part of the alternative approvals process. The Home Secretary should not then consider the application on behalf of the Prime Minister; this is because it would remove a stage of scrutiny in the triple lock process. Additionally, given the potential for there to be concurrent overseas travel of the Prime Minister and at least one other relevant Secretary of State, limiting the process in this way could fail to provide the necessary resilience. While there should not be an unlimited number of designates, it is important that there are enough alternative approvers to be prepared for these scenarios.
I am anticipating the Minister sitting down shortly. I remind the Minister that I asked a specific question on directly elected regional mayors, their rise, and the role that they play in democracy, which is so different to when the IPA was originally conceived. The Minister may not have an answer now, but a written answer would be very helpful.
I am happy to acknowledge that the noble Lord is right: their powers have expanded, as have their influence and celebrity over the years. I do not have an answer now, but I will come back to the noble Lord on that.
The objective of these clauses is to provide greater resilience in the process. It is critical that we do not undermine this from the off. I therefore hope noble Lords feel reassured by the explanations given, and the information set out in the draft code of practice, which is the appropriate place to set out the detail of this alternative process.
May I say to the noble Lord that the answer he gave to me with respect to the Mail on Sunday story was a really good answer? I am seeking transparency, which we will come on to in the next set of amendments, where Ministers can provide it without compromising operational security, as the noble Baroness, Lady Manningham-Buller, rightly pointed out. The Minister went as far as he could to say that the story needs to be looked at, it raises particular issues and I can pursue those outside of the Chamber. That was an extremely helpful comment and shows what I am trying to get at with respect to transparency—rather than just dismissing it and saying we cannot talk about it. I am very grateful for the response and thought it was very helpful.
My Lords, I absolutely support what my noble friend has said. I was about to leap up and say that this should not be discussed in this forum because some of it is so sensitive. The Minister handled it extremely well, but we are getting quite close to the margins.
I thank both noble Lords for their thanks. I have forgotten where I was, but I had pretty much finished.
My Lords, I will speak to government Amendments 56, 59 and 60. As I set out in my letter to all noble Lords on 4 December, these small amendments will ensure that the legislation works effectively.
Government Amendment 56 amends Schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland and Scotland into a person’s death. This will create parity with existing provisions for coroners in England and Wales by putting relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland on the same footing as their counterparts in England and Wales. Where necessary in the interests of justice, intercepted materials can be considered in connection with their inquiry or inquest.
Government Amendments 59 and 60 will maintain the extent of the IPA 2016, as set out in Section 272 of that Act. They amend this existing power to ensure that the measures in the 2016 Act, as amended by this Bill, can be extended to the Isle of Man or the British Overseas Territories, thus ensuring consistency across the legislation. If the Government sought to extend any provision to the Isle of Man or any of the British Overseas Territories, this would require an Order in Council and the Government would, of course, consult the relevant Administrations well in advance. I ask noble Lords to support these amendments.
My Lords, I will speak to my Amendments 57 and 58. They are obviously probing amendments but may generate a little discussion because they are none the less important.
Let me begin by saying that I accept absolutely what the noble Baroness, Lady Manningham-Buller, said about the important of ensuring the secrecy of much of what our security services and others do. That is an important statement of principle, and it was reinforced by my noble friend Lord Murphy when he recounted, as far as he could, some of the responsibility he had in his posts, particularly as Secretary of State for Northern Ireland. It is important to establish that I accept that principle.
My Lords, I want to make a couple of comments in response to what the noble Lord, Lord Coaker, has just said. I can speak only for MI5, but, for many years, it certainly has been a desire of the organisation that, as far as safely possible, the British public—it needs their support every day of the week to do operations—have an understanding of what is done in their name to protect democracy.
I want to counter slightly the comment—I cannot now remember who made it—that there was much suspicion of this sort of activity. I may have misheard, because I am rather deaf. In my experience, when members of the public are approached by MI5 for help—such as, “Can I sit in your bedroom with a camera?”; something I would have deep suspicion of—they nearly always say yes and agree to co-operate. In my experience, when we are talking about transparency in this area, the public who I have encountered completely understand the role of secrecy. They do not want their role exposed, and, in particular, the identities of those brave men and women who we now clunkily call covert human intelligence sources need to be protected for ever. I want to counter the idea about public opinion. Of course there are concerns, but a lot of people are extremely supportive and deserve our thanks on a day-to-day basis.
My Lords, when I started life in politics a long time ago—50 years or so ago—when the general public, or people who had political ideas, thought about the security services they were generally criticised because they were spying on people who should not be spied on, such as political activists and all the rest of it. By the time the noble Baroness, Lady Manningham-Buller, and myself worked together with the intelligence and security agencies, the criticism that would come was whether the intelligence services had not done enough to protect us. That is the way in which things have changed over the last 40 or 50 years, so we have to be very careful how we balance this idea of accountability on the one hand and inevitable secrecy on the other. How do we do it?
There are reports by the Investigatory Powers Commissioner and the intercept commissioners. When I had to intercept, I was overseen by a commissioner every year. I had a meeting with him—a former judge—on whether I did this or that right, and on whether this or that was important. I come back to the point I have made in the last two days of Committee about the Intelligence and Security Committee itself. That is the vehicle by which Parliament holds the security services accountable. My noble friend Lord Coaker has been making that distinction all the time: the services being accountable to Government for what they do is very different from being available to Parliament.
Of course, details of who has been tapped and details of intelligence operations cannot come here, to this House or the other House—of course not. However, they can go through the committee which both Houses have set up, which meets in private, is non-partisan, and which has Members of both Houses who have great experience on it, to deal with these issues. That is why I appeal to the Minister—we had the debate on the issue on Tuesday—to think again about using the ISC to answer some of the issues that my noble friend Lord Coaker quite rightly raised.
My Lords, I shall be brief. Just on the subject of suspicion, which I think I raised it, I was thinking—perhaps I did not articulate it well—that it was at the political-class level. It is not hard to construct a suspicious scenario where a Westminster-based Executive are hacking an Edinburgh-based politician—I am sure that suspicion would apply there. However, the noble Baroness is right about the public.
The amendment in the name of the noble Lord, Lord Coaker, is important, not because this sort of thing needs to go into primary legislation, but because his point around emphasising public understanding and support which has come out is really important. He picked out the fact that a number of officeholders have worked hard at generating a positive profile for the services, and for that they should be thanked and congratulated. I would add GCHQ, the public profile of which probably did not even exist a decade or so ago. I have several very sad friends who can hardly wait with excitement for the annual GCHQ quiz to arrive. Things like that essentially draw attention to the nature of the work that such organisations do. I laugh at those friends but then I cannot solve it and they can, so perhaps they are the winners there. Those sorts of things do not shed light and throw open the doors on the things the noble Baroness and others fear should not be public, but they create an ambience around those services which is important.
Nobody has mentioned the amendments in the name of the noble Lord, Lord Sharpe, which I guess is exactly what he wanted, and I have nothing to add to them either.
My Lords, I thank the Committee very much indeed for the points raised in this short debate, which eloquently explained the fine balance that needs to be struck in this area. As this is the last group, I take this opportunity to thank all the men and women in all the security services, who do so much to keep us safe.
It is nice to hear that the Committee reflects that sentiment.
I appreciate the sentiment behind the amendments in the name of the noble Lord, Lord Coaker, but the Government cannot accept them. He is right that public trust and confidence in public authorities’ use of investigatory powers is of course essential. The Investigatory Powers Commissioner, along with his judicial commissioners, fulfils that very important function, as does the Investigatory Powers Tribunal. The IPC provides independent, robust and transparent oversight of public authorities’ use of investigatory powers. The safeguards in the Act are world-leading in that regard. The IPT, meanwhile, provides for a redress mechanism for anyone who wishes to complain about the use of investigatory powers, even if they have no evidence of potential wrongdoing.
As the noble Lord is aware, the Investigatory Powers Commissioner is already required to produce an annual report, which is published and laid in Parliament. One of the purposes of this public report is to provide transparency around how the powers are used, any errors that have been reported on public authorities’ compliance with the legislation, and where he considers that improvements need to be made. Amendment 57 would not really provide meaningful or additional oversight over and above what is already in place, and would in many areas be duplicative.
On Amendment 58, the noble Lord, Lord Coaker, is seeking to introduce a similar requirement to that in the original Act, in that case requiring a report on the operation of the Act to be produced five years after it entered into force. That report was published by the Home Secretary in February this year and formed the basis for the Bill, along with the report from the noble Lord, Lord Anderson. As set out in the Home Secretary’s report—and noted by the noble Lord, Lord Anderson—it is the Government’s view that future legislative reform is likely to need to keep pace with advancements in technology and changes in global threats.
It is not necessarily helpful to put a time limit on when these updates should be made. The Bill makes urgent and targeted amendments to the IPA, and it is important that there is adequate time to implement those changes and assess over an appropriate period whether they are sufficient. As I said, the Government are well aware that future legislative reform is likely and, if I may channel my inner Ronan Keating, “Life is a rollercoaster”. I hope that my explanations have reassured the noble Lord, Lord Coaker, on the existing process in place and invite him to not press his amendment.
(10 months, 4 weeks ago)
Lords ChamberMy Lords, I will speak also to Amendment 7, which is in my name. These amendments require a person granting an authorisation in urgent cases to notify a judicial commissioner within, at most, 24 hours. This amendment would make it mandatory that, when the intelligence services use type 7A and 7B data for urgent operational purposes, they must report this to a judicial commissioner within 24 hours.
As your Lordships know, the current proposal in the Bill is three days. As it stands, the intelligence services can use those three days to interrogate a dataset that is ultimately ruled offside by the judicial council—three days to deploy AI models that work very quickly, in moments. The Minister responded, highlighting extra cost as a possible reason not to pursue this. Plainly, with all due respect, that is not true, because the data has to be reported anyway, and bringing it forward by a couple of days is not a relevant concern.
The spectre of weekends has also been raised. I assume that, given that this process is to facilitate urgent investigations, the intelligence services themselves will be working on Saturday and Sunday, and it is up to them to report their activity. Amendments 1 and 7 do not change the time duty for the judiciary to respond, so this would not affect the operation of the urgent inquiry. Should they not respond until Monday or otherwise, it is not the concern of the services. Clearly, it puts pressure on the judicial commission to some extent, but the intelligence services will have met their side of the obligation and can carry on with their important and urgent work until such time as the judicial commissioner makes a ruling. In any case, I am sure that there will be duty rosters and such things going on for this, so, again, I am not sure that the weekend is a concern.
Another argument that has been advanced and may yet return is that other legislation uses three days, so this should, too. The whole point of the Bill is to take advantage of new and innovative technology. It seeks to recognise the differences and change regulations accordingly. If the technology changes, as it does as a result of the Bill, so should reporting criteria. If there are other times that are different, perhaps we should be looking at those rather than at this amendment. In this case we are dealing with new technology, where artificial intelligence, once trained, can be deployed on data—which may or may not be allowed until such time as the judicial commissioner has ruled—and AI can produce its answers in minutes, perhaps hours.
In Committee I proposed that the use of this data for urgent operations should be reported immediately. I recognise that that was a very unreasonable suggestion, which is why these amendments specify within 24 hours, which is a fairer proposal.
In Committee, the Minister’s words on what happens to information retrospectively ruled unusable were helpful:
“The relevant information must be removed from the low/no dataset and either deleted or a Part 7 warrant sought”.—[Official Report, 11/12/23; col. 1743.]
However, additionally in Committee, various ex-services Peers confirmed what I knew, which is that once a fact is known by service personnel, it is not forgotten—it cannot be unknown. The noble Baroness, Lady Manningham- Buller, and other noble Lords were very clear on that.
This amendment is designed to limit the amount of unforgettable information that can be derived from inappropriate datasets. I will listen hard to the Minister’s words, but, unless he has found a different and more compelling argument than those already deployed, I will press Amendment 1.
I am pleased that the Government have agreed that, in the event of Amendment 1 being agreed, Amendment 7 will be treated as consequential. I beg to move.
My Lords, I rise to speak to Amendments 2, 3 and 6. As I made clear in Committee, the Intelligence and Security Committee broadly welcomes the introduction of this legislation as a means of addressing significant changes to the threat and technological landscapes that have the potential to undermine the ability of our intelligence agencies to detect threats and protect our country. There are, however, several areas in which the Bill must be improved and, in particular, safeguards strengthened.
The draft codes of practice published by the Government contain indicative safeguards. This is not a substitute, however, for putting such provisions on the face of the Bill, which is essential if we are to ensure that those safeguards cannot be changed or diluted by subsequent Administrations. This is particularly important when we are discussing necessary scrutiny and oversight. The ISC is still, therefore, seeking amendments to several sections of the Bill.
It is important to remember that the Bill seeks an expansion of the investigatory powers available to the intelligence services. We consider that this expansion is warranted. Any increase in those powers, however, must be accompanied by a proportional increase in oversight. Sadly, the Government have previously been reluctant to ensure that democratic oversight keeps track of intelligence powers—particularly where it is related to the remit and resources of the ISC. This House has made its views on this long-standing failure known during debates on several recent Bills, and yet again in Committee on this Bill. The Government have so far refused to update the remit of the ISC or provide the necessary resources for its effective functioning, such that it has
“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”—
as was the commitment given by the then Security Minister during the passage of what became the Justice and Security Act.
The House of Lords made its views on this long-standing failure known in debates over several recent national security Bills, including what became the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. Despite these repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments, and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight it purports to value. It is therefore imperative that Parliament ensures that, in relation to this Bill, the role of the ISC and other external oversight bodies, such as IPCO, is well defined and immovable from the outset. Fine words in a code of practice are, I am afraid, hardly worth the paper they are written on. They must be written into statute.
On the detail of Amendment 2, as I have noted in my previous speeches, Section 226DA of the current Bill requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets it retained and examined under either a category authorisation or an individual authorisation during the period in question. My amendment would ensure that there was independent oversight of this information, rather than just political oversight, as at present. It would achieve this by providing that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner.
IPCO does have a degree of oversight included in the Bill already, alongside its existing powers of inspection, but it is not full oversight. Further, there is currently no parliamentary oversight of category authorisations at all. This is not appropriate. My amendment will, therefore, enshrine within legislation that IPCO and the ISC will have oversight of the overall operation of this regime.
At this point, I acknowledge the amendment tabled by the Government. I thank the Minister for his engagement with the ISC; we have had some useful dialogue and I thank him very much for that. It is reassuring that there may finally be some recognition of the strength of feeling in this House that was apparent through noble Lords’ interventions at Second Reading and in Committee that the ISC must have a role in scrutinising this new regime.
However, what is not clear is why the Government chose to table their own amendment rather than accept the ISC’s amendment. Both amendments would seemingly provide the ISC with information on category authorisations that are granted or renewed in the given period. Without wishing to sound suspicious, I think the House requires an explanation as to what the Government see as the difference.
The first difference appears to be that the government amendment is less specific on the information to be provided and does not include individual authorisations within its scope. It therefore does not give the same level of assurance to Parliament and the public that the ISC is fully sighted on the operation of the regime.
The second difference is that the government amendment would seem to create more work for the intelligence community, as rather than simply sending the existing annual report to the ISC, a separate report would have to be produced instead. The Minister has been very keen to emphasise the need to minimise the burden on the agencies—we agree entirely with him; they are very busy—when it comes to other elements of the Bill, so it is most peculiar that the Government are deliberately choosing to increase the burden.
The third point I would note is that if the intention of this proposal is to carefully curate the information provided to the ISC regarding the Part 7A regime, it is rather undermined by the fact that the committee would still be able and willing to request a full report be provided to the Secretary of State, under the existing powers in the Justice and Security Act.
My fourth and final point is that the government amendment excludes the Investigatory Powers Commissioner. It is not clear why. IPCO and the ISC are both essential to oversight.
I trust noble Lords can recognise that, despite what I am sure are the Government’s best intentions, the ISC amendment provides the most robust assurance to Parliament and the public regarding oversight of the new regime, and the most streamlined mechanism for delivering this. I therefore urge the Minister and noble Lords to support this amendment to ensure that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by changes under this Bill. If investigatory powers are to be enhanced, so must oversight. This is what the ISC seeks to achieve by this amendment and those others that I have tabled.
I will touch very briefly on my noble friend Lord Coaker’s Amendment 5. I support it fully and I have raised those issues to do with the ISC.
On Amendment 6, this Intelligence and Security Committee amendment is required in order to close a 12-month gap in oversight. This relates to the new Part 7A, to be introduced by this Bill, which provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have low or no reasonable expectation of privacy. Approval to use such a dataset may be sought either under a category authorisation, which encompasses a number of individual datasets that may be used for similar purpose, or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors.
In the case of the category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of category authorisation after 12 months, and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.
However, as I highlighted in Committee, this oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. They will be able to use those datasets for potentially up to a year without anyone being the wiser. This would mean relying on the good intentions of a particular intelligence service to spot and rectify any mission creep up until the 12-month marker for renewal. Although we have every faith in the good intentions of the intelligence services, no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security.
It is important that we fill that 12-month gap in oversight, and my amendment does so very simply by providing a new Section 226DAA in Clause 2, which would ensure that IPCO is notified whenever a new, individual bulk personal dataset is added by the agencies to an existing category authorisation. The Government’s primary argument against this proposal appears to be that it would be too onerous for the intelligence community and would impair its operational agility. I do not believe this is the case.
Notification would entail the agency sending a one-line email to the Investigatory Powers Commissioner containing the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by that intelligence service. The amendment would not require that the use of the dataset be approved by the Investigatory Powers Commissioner, merely that the commissioner be notified that it had been included under the authorisation. It does not, therefore, create extra bureaucracy or process—certainly not in comparison with an entire new annual report, as the Government were proposing in relation to my previous amendment.
Crucially, this will provide for IPCO to have real-time information to enable it to identify any concerning activity or trends in advance of the 12-month renewal point. Any such activity could then be investigated by the commissioners as part of their usual inspections. Aside from the supposedly onerous burdens that these one-line emails will place on the agencies, the Government are also seeking to argue that the safeguards of the Bill are currently calibrated to the lowest level of intrusion associated with low or no expectation of privacy datasets and that it would therefore be inconsistent for the agencies to provide notification regarding category authorisations, given that they do not provide notification for datasets under the current Part 7 class warrant regime.
This argument is similarly unpersuasive. In the first instance, the light-touch nature of our amendment, requiring simple notification rather than approval, is already calibrated to the lower level of intrusion. However, the key point is that the agencies do not have the same powers under Part 7 and Part 7A. This new regime gives the agencies greater powers specifically to internally add individual datasets to those categories without external approval. This is not a power given under the current Part 7 regime. The ISC agrees that the agencies should have this power in relation to low or no reasonable expectation of privacy datasets. However, to rehearse this argument yet again, we should not be creating greater intrusive powers without data oversight. This is a new power that should not be available without some form of real-time external oversight, which is what my amendment provides.
This combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight through the involvement of judicial and political oversight bodies, as set out in my previous amendment, is necessary to provide Parliament and the public the reassurance that data is being stored and examined in an appropriate manner by the intelligence services. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services, which remains very important to us, and safeguarding personal data. I therefore urge noble Lords to support my amendment.
My Lords, first, I apologise. Like the noble Lord, Lord West, who during Committee had a bionic knee, I may not last, because I had a new one installed a couple of weeks ago. My eyes turned to the noble Lord, Lord Fox, as he possibly expected, but I am out of reach today and I cannot hit him with my crutch.
It might help the House if I described the circumstances in which an emergency warrant is sought. There is a very long-standing system for this. In the days before we had judicial commissioners, it was if a Minister was unavailable, and now it is if the Minister and, of course, the judicial overseers decide that a warrant sought is wrong or inappropriate, all the material is destroyed.
At the earlier stage, I said that you cannot legislate to forget, but the noble Lord, Lord Fox, has slightly twisted what I was trying to say then. Of course, if the material is destroyed because the warrant was not approved, some people will remember what they read, but it cannot be used in any way.
These occasions occur nearly always at times when people are unavailable—in the middle of the night or at weekends—when there is a brief window of opportunity where it is a matter of life and death. I can see that, on the surface, it is appealing to bring the notification time down to 24 hours, but this is not rational or consistent with the rest of the legislation that we have. For far more intrusive techniques such as planting a microphone or intercepting a communication, it is three days. That said, I know that my former colleagues will endeavour to do it as soon as possible, but over the weekend the Investigatory Powers Commissioner’s Office is not open. People are not available. They will try to do it as soon as possible, but it does not make sense to reduce the time needed in these cases of low intrusion, with datasets of no or low expectation of privacy, to require a stricter regime than for very much more intrusive techniques such as the planting of a microphone in your house.
My Lords, I rise very briefly to support my noble friend Lord West in his excellent speech regarding the Intelligence and Security Committee, which I had the honour of chairing for two years some years ago. I hope that the Government take great heed of my noble friend’s words. The ISC is probably the most important oversight committee in the world, and it is certainly held in great respect by countries throughout the western world. I have never known the committee to be in any way partisan, and it consists of Members of both Houses of Parliament of great distinction. Therefore, I support what my noble friend said.
However, I also support the amendment tabled by my noble friend Lord Coaker regarding the Prime Minister. Something has gone wrong in the last few years in relations between the Government and the Intelligence and Security Committee. It would seem that the Prime Minister, whoever it might be, has not met with the ISC—as he should do—for years. Perhaps the Minister will tell us when the ISC last had a formal meeting in the Cabinet Room of No. 10 Downing Street with an incumbent Prime Minister. It is hugely important because, inevitably, the work of the ISC is secret but may need to be discussed with the Prime Minister of the day. My noble friend’s amendment puts that obligation for the Prime Minister to meet with the committee in statute. I have no doubt that the Minister will dismiss this as impractical. However, it shows the strength of feeling of Members of this House and, I am sure, of the other place, regarding the importance of the ISC, the importance of the agencies reporting to it—especially since, as a result of this Bill, the agencies will have more power—and for there being a direct link between the Prime Minister and the committee on a regular basis.
My Lords, I thank the Minister for his continued engagement with us on all aspects of this important Bill. I would be grateful if he could pass that on to his officials as well. I wish the noble Baroness, Lady Manningham-Buller, well with her knee, and I hope she will soon be able to make do without the crutch.
I very much support what my noble friends Lord West and Lord Murphy said about the amendments moved by my noble friend Lord West regarding the ISC. I look forward to the Minister’s response. I will come to my amendments in a moment, but it goes to the heart of what many of us have been saying—that the Intelligence and Security Committee is extremely important. Part of the problem is that, when the Minister responds to us on these points, he often says, “Don’t worry: there’s ministerial oversight”. However, what my noble friends have talked about is that this is not the same as parliamentary oversight. There is an important distinction to be made. I hope that the Minister can respond to that.
I turn to the noble Lord, Lord Fox, and his amendments. Again, we thank the Government for the communication we have had regarding Amendments 1 and 7. As I have intimated before, we support the noble Lord, Lord Fox, on his Amendments 1 and 7. With the addition of the low/no datasets authorisation and third-party data warrants to the bulk personal datasets warrants regime, and the extension of powers that this represents, it seems appropriate that additional safeguards are put in place to ensure the judicial commissioner is informed as quickly as possible of the use of these urgent warrants. Importantly, that does not change how long the judicial commissioner has to consider the warrant, and to revoke access if necessary; it is just on the importance of notification as quickly as possible. If urgent powers, as the noble Baroness, Lady Manningham-Buller, has pointed to, need to be used, nobody is suggesting that they are not used; the suggestion is that the notification to the judicial commissioner should be made as soon as possible and, with respect to the amendment of the noble Lord, Lord Fox, within 24 hours.
I turn to my Amendment 47. This amendment aims to try to get the Minister to put some of this on the record, rather than to seek to divide the House on it. Amendment 47 seeks to ensure that the Government report on the potential impact of the Bill on the requirement to maintain data adequacy decisions from the EU. The adequacy agreement is dependent on the overall landscape of UK data protections. Although the UK protections are currently considered adequate, deviations from this under this legislation could put our current status at risk. Losing this designation would have serious consequences for digitally intensive sectors, such as telecommunications and financial services as well as tech services. In his response, could the Minister provide some reassurances on this particular aspect of the legislation and say whether any specific analysis has been done on the impacts of the Bill on the data adequacy agreement?
I turn to my Amendment 5, which, just for clarity, is a probing amendment but is extremely important. The Minister will know that I have raised this point again and again on various pieces of legislation over the last year or two. To be fair, the Minister has said that he will raise it with the appropriate people, and I am sure that he has done that—I am not questioning that at all. As the noble Lord, Lord Murphy, said, and the Intelligence and Security Committee said in its report of 5 December 2023—hence my Amendment 5 to probe this—no meeting between the Prime Minister of our country and the Intelligence and Security Committee has taken place since December 2014. I am pleased that we have the noble Lord, Lord Cameron, here—not present in the Chamber now, but here within your Lordships’ House—because he was the last Prime Minister that met with the committee. I find it absolutely astonishing that that is the case.
We are informed by the committee that many invitations have been made to various Prime Ministers to attend the Intelligence and Security Committee. I do not want to go on about this—well, I will to an extent—but it is incredibly important. I cannot believe—people say that it cannot be right, and I show them the report—that it has been 10 years since a Prime Minister has gone to the body, which has been set up by Parliament to ensure there is liaison between Parliament and the intelligence and security services. Obviously, matters can be discussed in that committee. Some of those cannot be discussed in the open, but that is one way in which it is held to account.
Can the Minister explain what on earth is going on? Why is it so difficult for the Prime Minister to meet the committee? I am not intending to push this amendment to a vote, as I say, and I am sure the Minister will try to explain again, but it is simply unacceptable that the Prime Minister of this country has not met the ISC for 10 years. For the first 20 years of its existence, and my noble friend Lord West will correct me if I am wrong, I think it was an annual occurrence that the Prime Minister met the ISC—my noble friend Lord Murphy is nodding—yet that has not happened since 2014. That is unacceptable, and my Amendment 5 seeks to ask the Minister what on earth we are going to do to try to get the Prime Minister to attend. I would not have thought that was too much to ask.
My Lords, I have listened with interest to the points made in this debate. As noble Lords will be aware, we have considered carefully the amendments that have been debated. I place on record my thanks to the noble Lords, Lord West, Lord Coaker and Lord Fox, for their constructive engagement in the run-up to today’s debate on these issues and various others that will be debated later today.
I turn first to the topic of oversight of the new Part 7A regime containing bulk personal datasets, BPDs, where there is low or no expectation of privacy. Alongside the proportionate set of safeguards set out in Part 7A, the Bill currently provides for executive political oversight and accountability by requiring the heads of the intelligence services to provide an annual report to the Secretary of State about Part 7A datasets. The intention of the report is to ensure that there is a statutory mechanism for political oversight, given that the Secretary of State will not have a role in Part 7A authorisations. That is set out in new Section 226DA in Clause 2 of the Bill.
The Investigatory Powers Commissioner will continue to provide full, independent and robust oversight of the investigatory powers regime, including this new part. Nevertheless, the Government have listened to the points made by noble Lords and colleagues in the other place, and we understand their concerns about increasing parliamentary oversight. Government Amendment 4 therefore recognises the important role of the ISC in providing parliamentary oversight of the intelligence services. It places a statutory obligation on the Secretary of State to provide the ISC with an annual report containing information about category authorisations granted under the Act during the year. The amendment will ensure that the ISC is proactively provided with information about the operation of Part 7A on an annual basis. That will support the ISC in continuing to fulfil its scrutiny role and will enhance the valuable parliamentary oversight the committee provides.
It is appropriate for the ISC to be privy to certain information relating to Part 7A in the exercise of its functions, and that a statutory obligation be placed on the Secretary of State to provide it. This obligation is intended to be consistent with the provisions set out in the Justice and Security Act, and due regard will be had to the memorandum of understanding between the Prime Minister and the ISC when meeting it. It is likely that Amendments 2 and 3, tabled by the noble Lord, Lord West of Spithead, which would require that the report provided to the Secretary of State be also shared with the ISC, would not be in step with that. The information required by the Secretary of State to fulfil their responsibilities in respect of the intelligence services will not necessarily be the same as that which would assist the ISC in performing its functions. The report will almost certainly contain information about live operations, which is outside the scope of the ISC’s remit, as well as other information that it may not be appropriate to share with the ISC and which the Secretary of State could properly withhold from the ISC were the ISC to request it.
For that reason, we think it more appropriate that a report be written to meet the ISC’s functions that the Secretary of State will send to the ISC. This will provide the additional parliamentary oversight the committee is seeking and would be akin to the existing arrangements in place for operational purposes.
I thank the Minister for giving way, because this is an extremely important point. He mentioned with respect to my Amendment 5 that somebody will formally reach out. Does that mean that the Prime Minister will formally reach out to the ISC and meet with it, so that we get a resolution to this non-meeting?
I cannot say whether or not that someone will be the Prime Minister at the moment.
As I said, the Government are clear that the MoU review is the correct forum to discuss relevant potential changes to the agreement between the Prime Minister and the ISC. But the Government do not believe a report of this kind is appropriate or necessary and do not support the amendment. The noble Lord, Lord Coaker, has already answered the question from the noble Lord, Lord Murphy, and all I can say from the Dispatch Box is that I will try again.
I turn to the second of the amendments from the noble Lord, Lord Coaker, Amendment 47, which would require the Government to publish a report assessing the potential impact of this legislation on the EU’s data adequacy decision. The Government are committed to maintaining their data adequacy decisions from the EU, which play a pivotal role in enabling trade and fighting crime. The Home Office worked closely with the Department for Science, Innovation and Technology when developing the proposals within this Bill to ensure that they would not adversely impact on the UK’s EU data adequacy decisions. As the European Commission has made clear, a third country is not required to have the same rules as the EU to be considered adequate. We maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood. Ultimately, the EU adequacy assessment of the UK is for the EU to decide, so the Government cannot support this amendment.
I turn to the amendments retabled by the noble Lord, Lord Fox, on urgency provisions for individual authorisations under Part 7A and third party dataset warrants under Part 7B. The Government remain opposed to these iterations of the amendments for the following reasons. Urgency provisions are found throughout the IPA and the Government’s approach is to mirror those provisions in the regimes in new Part 7A and new Part 7B. Making the proposed amendment solely for these parts would reduce consistency—as the noble Lord, Lord Fox, predicted—and ultimately risk operational confusion where there is no good reason to do so.
It will always be in the interests of the relevant intelligence service—as the noble Baroness, Lady Manningham- Buller, said; I add my comments to those of the noble Lord, Lord Coaker, about a speedy recovery—to notify a judicial commissioner of the granting of an urgent authorisation or the issuing of an urgent warrant as soon as is reasonably practicable. These urgent instruments are valid only for five working days. A judicial commissioner must review and decide whether to approve the decision to issue or grant the instrument within three working days. If the judicial commissioner refuses to approve the decision within that time, then the instrument will cease to have effect. It would be counter- intuitive for an intelligence service to make untimely notifications, as this increases the risk of the urgent authorisation or warrant timing out because the judicial commissioner is left without sufficient time to make a decision.
In an operational scenario where the urgency provisions are required, such as a threat to life or risk of serious harm, or an urgent intelligence-gathering opportunity, it may not be practical or possible for the intelligence services to ensure completion of paperwork within a 24-hour period, as the noble Baroness, Lady Manningham- Buller, explained rather more eloquently than I have done.
The intelligence services work closely with the Investigatory Powers Commissioner’s Office to ensure that the processes for reviewing decisions are timely and work for judicial commissioners. For those reasons, I ask that the noble Lord, Lord Fox, does not press his amendments.
This group also includes the two modest but worthwhile government amendments, Amendments 8 and 9. These make it clear beyond doubt that the new third party BPD regime will fall under the oversight of the Investigatory Powers Commissioner. The robust oversight that IPCO brings will ensure compliance, ensuring that robust safeguards are in place when information is examined by the intelligence services on third parties’ systems. I hope that noble Lords will welcome these amendments and support them.
My Lords, as a former member of the Intelligence and Security Committee, perhaps I may say how much I endorse what has been said by the noble Lords, Lord West and Lord Murphy, and welcome many elements in the—
We have had the speeches on this group and are moving to a vote. I am sorry to interrupt the noble Lord.
I thank the Minister for his comments and, indeed, the noble Baroness, Lady Manningham-Buller. My interpretation—perhaps I am wrong—of the nature of this Bill was that it was to introduce a new class of data and to deal with it. It was not to reach back into existing law and change it. The noble Baroness raised some important points about why I should have been concerned about the other data, which I did not reach back into. I am happy to advise my colleagues in the Commons and perhaps they can do that, too. However, taking on face value the nature of what we were seeking to achieve today, we looked at this data and came up with this conclusion. We have heard the arguments, but I am afraid that I am not persuaded by them and I would like to test the will of the House.
My Lords, I will speak to the government amendments in this group, Amendments 10 to 14.
The Investigatory Powers Act contains world-leading oversight arrangements and safeguards that apply to the use of investigatory powers. The Bill strengthens these to ensure that the oversight regime is resilient and that the Investigatory Powers Commissioner is able to carry out his functions effectively. These government amendments are designed to maintain this approach, and to tighten the drafting in certain areas to ensure that the scope of the measures in Part 3, in respect of communications data, cannot be interpreted more broadly than is intended.
I will start with government Amendment 12, which will ensure that there is clarity for telecommunications operators regarding their obligations to report personal data breaches relating to warrants issued under the IPA. The proposed new clause will also make provision for such breaches to be reported to the Information Commissioner and the Investigatory Powers Commissioner. This amendment will also ensure that the Investigatory Powers Commissioner has the ability to notify an individual affected by the personal data breach, if it is deemed to be in the public interest to do so and if the Information Commissioner considers the breach to be serious. Such a notification will inform an individual of any rights that they may have to apply to a court or tribunal in relation to the breach. This important amendment will bring much-needed clarity in respect of how personal data breaches committed by tele- communications operators are regulated, and ensure that there is a clear statutory basis for the Information Commissioner and the Investigatory Powers Commissioner to be notified of certain personal data breaches.
I move on to government Amendments 10 and 11. Amendment 11 adds Scottish Ministers to the list of parties, at Clause 9(5), who are to be notified by the Investigatory Powers Commissioner of the appointment of a temporary judicial commissioner. This must be as soon as practicable after any temporary judicial commissioner has been appointed. This will ensure that Scottish Ministers are kept abreast of crucial developments in the investigatory powers oversight regime. A similar requirement already exists in the Bill, which requires the IPC to notify certain persons, including the Secretary of State and the Lord President of the Court of Session, of an appointment of a temporary judicial commissioner.
Government Amendment 10 to Clause 8 allows the Investigatory Powers Commissioner to delegate to deputy Investigatory Powers Commissioners the power to approve decisions following the review of a notice. This brings this function in line with the commissioner’s other functions in the Act with regards to delegation and, as with those powers, allows for delegation in only when the commissioner is unavailable or unable.
I turn now to government Amendments 13 and 14, both of which concern communications data, which I will refer to as CD. Government Amendment 13 clarifies the extent of Clause 11 to ensure that its scope is not wider than intended. Section 11 of the IPA creates the offence of acquiring CD from a telecommunications operator without lawful authority. Clause 11 seeks to carve out from the scope of Section 11 the sharing of CD between public authorities, where one of those authorities was a telecommunications operator.
This amendment to Clause 11 ensures that the public authority carve-out from the Section 11 IPA offence of acquiring CD without lawful authority does not go wider than intended. The new definition is based on the definition of public authority in the Procurement Act 2023. The previous definition was based on the definition of public authority in the Human Rights Act 1998. This latter definition could, in some circumstances, have created doubt over whether it included certain private sector telecommunications operators.
This amendment removes that doubt and clarifies that the public authority carve-out will apply only to telecommunications operators wholly or mainly funded by public funds—in other words, they are public authorities themselves. The IPA was designed to ensure that the acquisition of CD from private sector tele- communications operators for the statutory purposes set out in the Act was subject to independent oversight to safeguard against abuse. This amendment maintains this important safeguard in relation to private sector telecommunications operators.
I turn to government Amendment 14. It is critical that the legislation is absolutely clear on what constitutes CD and the lawful basis for its acquisition. Without this clarity, we risk placing CD that is crucial to investigators out of their reach. Government Amendment 14 therefore seeks to clarify that subscriber data used to identify an entity will be classed as CD.
This amendment is necessary as the existing Act creates a carve-out in the definition of CD to ensure that the content of a communication cannot be acquired under a Part 3 acquisition request. This reflects Parliament’s view during the initial passage of the IPA 2016 that the content of a communication is inherently more sensitive than the underpinning metadata: the “who”, “where”, “when”, “how” and “with whom” of a communication. Clause 12 amends the definition of CD in Section 261 of the Act to exclude certain types of data from the carve-out of content from the definition of CD. The effect of this is to include those data types within the definition of CD.
Government Amendment 14 restricts the effect of Clause 12 to ensure that it is not overly broad and cannot be applied to bring unintended, inappropriate types of data within the definition of CD. For example, the amendment will put beyond doubt that the content of recorded calls to contact centres or voicemails is not in scope of the amended CD definition and will not be accessible with an authorisation under Part 3 of the Act. The amendment to Section 261 does not affect the oversight function of the Investigatory Powers Commissioner’s Office, which continues to inspect and highlight any errors and provide prior independent authorisation for the acquisition of CD in most cases.
I hope I have convinced noble Lords of the necessity of these government amendments; I ask that they support them. I also hope that these amendments provide reassurance to noble Lords, ahead of the debate on this group, of the Government’s commitment to ensuring that the clauses in Part 3 are drafted as tightly as possible and with a proportionately narrow scope.
My Lords, I know that the noble Lord, Lord West, will want to speak to his own amendments, but, perhaps for the sake of good order, I could comment relatively briefly on government Amendment 14 before he does so.
I entirely accept what is said in the explanatory statement, that the amendment is intended to ensure that “unwanted cases” are not brought
“within the definition of ‘communications data’ in section 261 of the Investigatory Powers Act 2016”.
That is a good objective, and I applaud the sentiment behind it. I also accept that the amendment may well be an improvement on the original Clause 12. My concern is that the wording used at the end of the amendment may inadvertently leave that definition broader than it should be, putting within the definition of “communications data” material that should plainly be classed as content.
Proposed new subsection 5B(b) is intended to limit the categories of content defined in new paragraph (a) which are classed as “relevant subscriber data” and thus as communications data. Instead of defining subscriber data tightly, by reference to information identifying an entity or the location of an entity, which would be reasonable, the limiting words in new paragraph (b) provide, more loosely, that it should be
“about an entity to which that telecommunications service is … provided”.
That is a wide formulation indeed if you apply it to something such as Facebook or an online dating site. The information that customers may be required to provide to initiate or maintain their access to such services is likely to be very much broader than simply who and where they are. For example, I have it on the best authority that, in the case of a dating site, this information may, for example, include a full online dating profile, which sounds very like content to me. It would be most unfortunate if the wording of new paragraph (b) were to result in an interpretation of this clause—for example, by police reading it in good faith—than was far broader than was intended.
I offer more than the conventional gratitude to the Bill team, who have engaged with me intensively on this issue in an extremely short timescale. It is too late to seek an amendment to Amendment 14, but the Minister would help us and law enforcement out if he could confirm, perhaps in response to this intervention or in his own time, that the aim of Clause 12 in its amended form is to class as communications data only information which is truly needed to obtain or maintain access to a telecommunications service—traditional subscriber data such as name, location and bank details—and that there is no intention to cover information provided as part of using the service, such as the online dating profile that you might be asked to fill out to operate or fully activate an account.
My Lords, I rise to speak to Amendments 15 to 20. In Committee, I moved amendments seeking to remove Clause 13 and its associated schedule. This was to retain the current arrangements, which wisely restrict a number of public authorities from being able to compel the disclosure of communications data from telecommunications operations. Parliament restricted this power in the original legislation because it considered it to be potentially very intrusive.
What this means is that, at present, authorities such as the Environment Agency or the Health and Safety Executive are required to take further procedural steps to compel disclosure of communications data. They must obtain an authorisation under the current IPA, a court order or other judicial authorisation, or under regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as the secondary data as part of a valid interception or equipment interference warrant.
The Bill seeks to remove that requirement for further procedural steps in relation to a wide range of public regulatory authorities. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data and a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions in a way that was not anticipated at the time of the original legislation.
These organisations have argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function which would collect communications data as part of their lawful function but are restricted under the current Act if their collection is not in service of a criminal investigation; in particular, the changes focused on improving the position of certain public authorities responsible for tax and financial regulation, the powers of which were removed in 2018 as a result of rulings by the European Court of Justice. The ISC recognises that such bodies much be able to perform their statutory function effectively; however, we have been told that the Bill delivers only the urgent, targeted changes needed, and we have not thus far been presented with the case for that.
This was a highly scrutinised issue during the passage of the original Act. Parliament rightly ensured that the power to gather communications data was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. We should not lightly brush that aside.
There have been a number of reported incidents of the intrusive use of investigatory powers by local councils and other public authorities for purposes that are subsequently deemed neither necessary nor proportionate; for example, things such as dog mess. The Minister said in Committee that the clause
“applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions”.
Yet in response to my question on which bodies would see their powers restored, he said that
“it is not possible to say with certainty how many public authorities have some form of regulatory responsibilities for which they may require data that would now meet the definition of ‘communications data’”.—[Official Report, 11/12/23; col. 1759.]
How can it be right to expect Parliament to reintroduce sweeping powers for a wide range of public bodies when a previous Parliament deemed that that was too intrusive—and when we cannot even be told which bodies they will be? Noble Lords will need to be sufficiently satisfied that these powers are to be given to bodies that cannot function without them; this cannot be a case of just giving powers back by default. I urge the Minister to consider this further. As it stands, we have not been given the information, or a convincing case, to persuade Parliament of the need for such a complete about-turn. The ISC will continue to pursue this amendment unless robust assurance can be provided that these powers will be restored in a sufficiently limited and targeted way.
Amendment 17 and its two consequential amendments seek to remove the ability of the agencies to internally authorise the use of this new, broader power to obtain internet connection records for target discovery. My amendment would require the agencies to seek approval from IPCO, thereby ensuring proper oversight. As I noted in Committee, Clause 14 creates a new, broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position because it removes the current requirement that the exact service used, and the precise time of use, be known. Under these new provisions, the agencies will be able to obtain ICRs to identify which person or apparatus used internet services in a period of time—a far broader formulation that will capture a far broader number of individuals.
As I also noted previously, the ISC agrees with broadening the power; what it does not agree with is that there is no oversight of it. The principle remains that increased powers must mean increased oversight. This new, expanded power is potentially very intrusive: it allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time, and they could therefore potentially intrude on a large number of innocent people who would not have been captured previously.
It is essential in a democracy that there are appropriate safeguards on such powers, but in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded, broader power internally. They make the assessment as to whether it is necessary and proportionate; there is no independent oversight of the agencies’ assessment. The Minister argued in Committee that the ISC amendment inserts a disproportionate limitation on the agencies’ ability to use condition D, as the Government
“do not assess that the new condition creates a significantly higher level of intrusion”.—[Official Report, 11/12/23; col. 1761.]
With respect, the ISC not only disagrees with this assessment but finds it incomprehensible. This is about depth and breadth. The new condition D may not represent a new depth of intrusion as ICR requests under the new regime will still return the same type of information, but it certainly represents a much wider breadth of intrusion as a far greater number of innocent internet users’ details will be scooped up by these ICR requests.
The Government may argue that, because those individuals’ details will not be retained once they have been checked and found not to be of intelligence interest, this is therefore not an intrusive power. Again, with respect, this is not an answer that Parliament or indeed the public can or should be satisfied with. I doubt any individual would feel that their privacy had not been intruded on if they had been scooped up just because they had not been retained, particularly when the retention of details is currently contingent entirely on the judgment of the agencies themselves, with no external input on whether the judgment is proportionate. The ISC very firmly believes that the new condition is more intrusive, and therefore greater oversight is required to ensure the power is always used appropriately.
Oversight will act as a counterbalance to the intelligence community’s intrusive powers and provide vital assurance to Parliament and the public. This amendment and my two linked amendments therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO to authorise the obtaining of ICRs under this new, broader power. This strikes the right balance between security and privacy and minimises any burden on the agencies.
I move on to Amendment 18 in relation to the new same broader target discovery power in Clause 14. This amendment is to limit the purposes for which this new power would be used. As I outlined previously, target discovery has the potential to be a great deal more intrusive than target development as it will inevitably scoop up information of many who are of no intelligence interest. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, that the power is tightly drawn and limited, and is properly overseen.
The ISC agrees with the noble Lord, Lord Anderson, who, in his excellent report reviewing the Government’s proposal for this Bill, supported the need for this change. The ISC has considered the classified evidence and recognises that due to technological changes the current power is less useful than envisaged due to the absolute precision it requires. However, as this House also recognised, Parliament deliberately imposed a high bar for authorising obtaining internet connection records, given their potential intrusiveness.
The noble Lord, Lord Anderson, also recommended, therefore, that the purposes for which this new broader target discovery power could be used be limited to national security and serious crime only, and that use of it should be limited to the intelligence community. However, the Bill as drafted departs from his recommendations in both respects. Not only does it include the National Crime Agency as well as the intelligence community, but it allows the intelligence community to use the new, broader target discovery power for a third, far less-defined purpose of:
“the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security”.
In Committee, the Government argued that this decision had been taken because it is consistent with the statutory functions of the agencies and Article 8 of the European Convention on Human Rights. That is, of course, true. It is consistent, but that is not an argument in favour of simply transporting it here. Not every intrusive power should be available for every purpose that the security services have. Given the potential intrusiveness of this new power, it must be constrained appropriately and the purposes for which it can be used must be crystal clear.
However, what is not yet at all clear is exactly what critical work must be enabled under the umbrella of “economic well-being” as it relates to “national security” which is not already captured under the straightforward national security category. It must be clear exactly what harm would occur if this purpose were not included in the Bill. At the moment, the addition of “economic well-being” serves only to blur the lines between what an ICR can or cannot be used for, something which Parliament should not accept. Therefore, in addition to requiring independent judicial oversight, which is the subject of a separate amendment, this amendment seeks to prevent the agencies from using this newly expanded power for the purposes of economic well-being relating to national security. This will ensure that the rather vague concept of economic well-being is not being used as a catch-all justification for the exercise of these powers.
The agencies will of course still be able to use this power in relation to national security more broadly, and in urgent cases of serious crime. This is proportionate and indeed more in line with the recommendations of the noble Lord, Lord Anderson. Unless the Minister can provide the House with information as to exactly why it is critical to retain economic well-being for the use of these specific powers, not the agency’s powers more broadly, I urge noble Lords to support my amendment and strike this from the Bill.
I shall be brief. Not for the first time, your Lordships are in debt to the noble Lord, Lord Anderson, for intervening on an issue that I think all of us failed to note. His request of the Minister is helpful, and I hope the Minister will be able to respond. There is an alternative process which I could suggest to the Minister—I have not had a chance to talk to the noble Lord, Lord Coaker, about this. If the Minister wanted to withdraw this amendment and bring it back at Third Reading, which is applicable in certain circumstances. I am sure we would be very flexible in permitting that as well.
My Lords, we support the introduction of the Government’s amendments. I echo what the noble Lord, Lord Fox, said about the amendment in the name of the noble Lord, Lord Anderson, and I look forward to the Government’s response on that point.
I would also be interested to hear what the Government have to say about my noble friend Lord West’s amendments. He has taken a keen interest in this part of the Bill, and I hope the Government will be able to answer the questions, in particular on data disclosure powers, as I think they can give a more detailed response to the expansion of disclosure powers to regulatory bodies than was given in the original legislation. It is also very likely to be further analysed and looked at as the Bill moves down to the other end of the Corridor. Nevertheless, we support the amendments as they are currently.
My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.
As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.
Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.
Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.
In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.
These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.
Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.
The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.
I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.
Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.
Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.
I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.
The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.
The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.
As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.
Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.
I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.
I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.
In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.
As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.
My Lords, I will move Amendment 21 and speak to the other amendments in this group in my name.
Amendment 21 specifies that the enforcement of retention notices applies only to UK recipients of such notices. It is one of a suite of amendments in this group that return to the issue of extra-territoriality— I see the Minister blow out his cheeks at the prospect. Amendments 22, 25, 28 and 31 are similarly directed and each largely seeks to limit extra-territoriality by ensuring that operators can make changes to their services for users outside UK jurisdiction.
The reason for tabling the amendments, the others of which I will not move, is that there remains a huge gulf of understanding between the tech companies and the Government when it comes to the interpretation of the Bill with respect to its territorial reach. I am again presenting the Minister with a golden opportunity to set out in clear language the territorial ambitions that the Government have for this Bill. I believe there is some element of miscommunication going on here, though I am not sure in which direction. I hope that the Minister can dispel that.
Clearly, we have international tech companies that are incorporated in another country with subsidiaries all around the world and data residing in many different domains—companies that offer services to customers all over the world. In essence, we need to understand what would happen as a result of this Bill if such a business proposed to change a global service that is used by consumers all over the world, including in the UK. How do the Government use this Bill to deal with such situations? I am looking forward to the response.
Amendments 23, 24, 29 and 30 would raise the threshold for calling in a change from “negative effect” to “substantially limit”. Again, this increases the bar before the Government can start the process. Negative effect is a very low bar which will catch almost everything. It is not in the interests of the authorities to have everything coming through. There needs to be some sense of funnel. This is an opportunity for the Minister to define what negative effect is and what it is not, because it is a very low bar. He would be wise to take our advice and look at the language there, certainly when it comes to the code coming later.
Moving on, my Amendment 27 is a retread of an amendment I tabled in Committee, and it was there as a placeholder. I am pleased to see that it is unnecessary, as government Amendments 26 and 32 very much embrace the spirit of what I was seeking to achieve in that amendment. I thank the Minister for responding, and therefore will not be speaking to or indeed moving Amendment 27.
I now turn to Amendment 35. Currently, while there is a requirement for the Secretary of State to consult the operator before giving notice, there is no requirement on the Secretary of State to consult ahead of making regulations that will specify what “relevant change” includes, and therefore what needs to be notified. My Amendment 35 therefore introduces a requirement for pre-legislative consultation on the definition of “relevant change”. The amendment specifies that the Secretary of State must consult the Technical Advisory Board. There is a precedent for consultation with this board in Section 253(6) of the 2016 Act. As your Lordships know, the Technical Advisory Board is comprised of independent and industry representatives; the amendment also specifies a wider range of consultees.
The amendment then requires the Secretary of State to have regard to the impact on users, including on their privacy and on operators’ ability to innovate. Again, there is precedent for this in the 2016 Act. Such considerations must be taken into account when a public authority is deciding whether to issue a TCN or NSN, or where a judicial commissioner approves a DRN. As such, we feel it is worth while also to consider these factors when legislating for a “relevant change”, because delaying a critical security update could negatively impact users and operators. In a sense, all we are asking for is consultation. We are not asking to change the law, and this gives the Government a power to abide by that consultation or not. But we feel that this is an important definition, and it needs to be more widely consulted on.
I hope the Minister will agree, but in the event that he declines, I will be moving Amendment 35. I beg to move Amendment 21.
My Lords, we have had much welcome interaction from stakeholders on the issues summarised in this group, as well as some useful briefings from the Home Office and the noble Lord’s team, for which we are grateful.
As the noble Lord, Lord Fox, has just said, there appears to be a gulf in both position and understanding between the Government and the tech companies, both on the principle of the notice and its details, which is, in a sense, frustrating scrutiny of the Bill. I understand that there is a disagreement about the introduction of notification notices in general. It is right that we look at the details to ensure that the process takes place in a way that reflects the realities of international law, and the need of the intelligence services to maintain levels of data access and the necessary safeguards.
Concerns raised by stakeholders keep striking at the same places: how this notice would work with access agreements with other countries; why there is no double lock on the notification notice, despite the clear impact it would have on tech companies’ activities; and why the definition of telecoms operator is perhaps in reality wider than the Government intend.
We will not be supporting Amendment 35, in the name of the noble Lord, Lord Fox, although we understand the intent behind it. We encourage the Government to keep talking to stakeholders, and we believe that this part of the Bill will benefit from further discussion in the other place.
My Lords, I thank the noble Lords, Lord Ponsonby and Lord Fox, for their remarks in this debate. I reassure the noble Lord, Lord Fox, that any cheek-blowing he witnessed was more a reflection of the previous marathon speech than a reflection on his amendments.
Amendment 21, moved by the noble Lord, Lord Fox, would require that the enforcement of data retention notices—DRNs—would apply only to UK recipients of those notices. DRNs and technical capability notices—TCNs—can be given to a person overseas, but only TCNs are currently enforceable overseas. Clause 16 seeks to amend Sections 95 and 97 of the IPA to allow the extraterritorial enforcement of DRNs in order to strengthen operational agility when addressing emerging technology, bringing them in line with TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence agencies need to access the communications data they need to, in the interests of national security and to tackle serious crime.
The Government therefore oppose Amendment 21 as it goes fundamentally against what the Government are seeking to achieve through Clause 16 and would not provide any additional clarity to telecommunications operators. As DRNs are already enforceable against UK recipients, there is no need to re-emphasise that in the Bill.
I turn to the amendments to Clause 17 concerning the notice review period. This clause is vital to ensure that operators do not make changes that would negatively impact existing lawful access while a notice is being comprehensively reviewed. Maintaining lawful access is critical to safeguard public safety, enabling law enforcement and the intelligence community to continue protecting citizens during the review period.
Let me be clear: operators will not be required to make changes during the review period to specifically comply with the notice. Rather, under Clause 17 they will be required to maintain the status quo so that law enforcement and intelligence agencies do not lose access to any data that they would have been able to access previously. The review process is an important safeguard, and that right of appeal will remain available to companies.
On Amendment 27, tabled by the noble Lord, Lord Fox, the Government have noted the strength of feeling from parliamentarians and industry regarding the current uncertainty over the timeframe for conducting a review of a notice. We have therefore tabled Amendments 26, 32 and 33 to Clause 17 to address that uncertainty and provide further clarity and assurances regarding the notice review process.
The existing powers within Sections 90 and 257 of the IPA do not give the Secretary of State the power to specify in regulations the time period within which a review of a notice must be completed. The Government are therefore introducing a new regulation-making power to enable the Secretary of State to specify in regulations the length of time the Secretary of State can take to reach a decision on the review of a notice upon receipt of the report by the judicial commissioner and the Technical Advisory Board, and the overall length of time that a review can take.
The amendments will also make provision for a judicial commissioner to issue directions to the Secretary of State and the person seeking the review, as they see fit, to ensure the effective management of the review process. That will give the judicial commissioner the power to issue directions to both parties, specifying the time period for providing their evidence or making representations, and the power to disregard any submissions outside those timelines. These amendments will provide operators the certainty they require regarding how long a review of a notice can last, and therefore how long the status quo must be maintained under Clause 17. They will also provide further clarity on the process and management of that review.
Specifying timelines will require an amendment to the existing regulations concerning the review of notices. The Government commit to holding a full public consultation before the amendment of those regulations and the laying of new regulations relating to Clause 20, which provides for the introduction of the notification notices. Representations received in response will be considered and used to inform both sets of regulations, which we have clarified in the Bill are subject to the affirmative procedure.
Amendment 35, tabled by the noble Lord, Lord Fox, seeks to specify in statute who the Secretary of State must consult before laying regulations relating to Clause 20 and the introduction of notification notices, and the factors that the Secretary of State must have regard to when making those regulations. I hope the commitment that I have just made to hold a full public consultation provides the necessary reassurance to the noble Lord that all relevant persons will be consulted before making the regulations, and that he will agree that is it unnecessarily prescriptive, and potentially restrictive, to put such details in the Bill.
Amendments 22, 25, 28 and 31, also tabled by the noble Lord, Lord Fox, seek to limit the extraterritoriality of Clause 17 and ensure that operators can make changes to their services and systems for users in other jurisdictions during a review. To be clear, the Bill as currently drafted means that companies can make changes to their services during a review. They could choose to roll out new technologies and services while the review is ongoing, including in other jurisdictions, so long as lawful access is built into them as required to maintain the status quo. Furthermore, the status quo will apply only to whichever of their systems and services are covered by the notice in question. Naturally, anything outside the scope of the notice is unaffected by the requirement. I also emphasise that the control of telecommunications systems used to provide telecommunications services in the UK does not stop at borders, and it is highly likely that any such arbitrary geographical limitations would in fact be unworkable in practice.
Amendments 23, 24 and 29 seek to raise the threshold with regard to relevant changes that an operator must not make during a review period to a change that would “substantially limit” their ability to maintain lawful access. This would not make the position any clearer as “substantially” is a subjective test. Moreover, it would constrain Clause 17 in a way that would fundamentally prevent it from achieving its objectives: to ensure that the same level of lawful access available before the notice was issued is maintained during a review period.
Lawful access provides critical data to law enforcement and intelligence agencies. Constraining access to data that was previously available, in a limited capacity or substantially, may seriously undermine investigations and the ability to protect our citizens. It is therefore vital that the status quo is maintained during the review period. It would also be difficult to define “substantially limit” without referring to a “negative effect on” a capability.
Amendments 36 to 38 to Clause 20, also spoken to by the noble Lord, Lord Fox, seek to raise the threshold and provide more proportionality. As I have emphasised on every occasion we have debated the Bill, necessity and proportionality constitute a critical safeguard that underpins the IPA. Authorisations are approved by an independent body and all warrants and notices must be approved by a judicial commissioner. There is considerable oversight of authorisations, meaning that the threshold is already high. Necessity and proportionality justifications are considered for every request for a notice, warrant or authorisation and, by extension, whether it is reasonable to issue that request to the operator. Once operators are in receipt of such a request, they are required to provide assistance. The proposed amendments are therefore not required.
Finally, government Amendment 34 is a consequential amendment necessitated by the introduction of Clause 19, which amends the functions of a judicial commissioner to include whether to approve the renewal of certain notices.
I am grateful to all noble Lords who have spoken in this debate—
Before the Minister sits down, winding back to the point about territoriality, he spoke of national boundaries as being arbitrary. It would help me to understand what kind of activity the Government envisage reaching across those boundaries, which he refers to as arbitrary; in other words, what would the Government be seeking to do extraterritorially?
If it would help, I am happy to write to the noble Lord with some sensible and practical scenarios because I do not think it is appropriate to make them up at the Dispatch Box, if that is acceptable.
I was just about to thank the noble Lord for the time he has taken to talk me through his concerns ahead of Report and at various other stages of the Bill on various other issues. However, I hope that I have provided reassurances through my comments at the Dispatch Box and the government amendments that we have tabled. I therefore invite the House to support these amendments and invite the noble Lord to withdraw Amendment 21 and not move the others he has tabled.
I heard what the Minister said on Amendment 35, and it is reassuring that the consultation will be occurring, so I do not intend to move Amendment 35.
My Lords, this is the first of three amendments I have tabled in relation to Clause 21 and the so-called triple lock for targeted interception and targeted examination of communications relating to Members of relevant legislatures—that is, people like us and MPs et cetera. These changes are replicated in the three amendments I have tabled to Clause 22, which we shall come to later, which relate to the triple lock for targeted equipment interference warrants.
Noble Lords will, I am sure, agree that the communications of Members of relevant legislatures should not be intercepted and read unless it is absolutely essential to do so in the most serious of circumstances. That is why Parliament added a third layer of safeguards to the approval of any such warrant in the IPA. This ensures that these warrants would not only be issued by a Secretary of State and reviewed by a judicial commissioner but approved by the Prime Minister personally. This is a robust and necessary oversight mechanism, and it is essential that any changes as a result of this Bill do not undermine these three layers.
The ISC recognises that, on occasion, the requirement that a warrant be approved by the Prime Minister personally may affect the operations of the intelligence agencies where they are seeking a targeted interference warrant that is very time sensitive, and the Prime Minister is unavailable. We therefore support the intention to provide an element of resilience whereby, in truly exceptional circumstances, it may be appropriate for a Secretary of State to temporarily deputise for the Prime Minister on these matters. However, the clauses as drafted go too far.
My three amendments are designed to ensure that decisions are delegated only in the most exceptional circumstances; that the decision may be designated only to the limited number of Secretaries of State who are already responsible for authorising relevant warrants; and that the Prime Minister retains sight of all warrants relating to Members of a relevant legislature. The first of the three amendments relates to the circumstances in which a decision may be delegated by the Prime Minister to a Secretary of State. These circumstances must be very clearly specified—there can be no ambiguity —and they should be limited to situations in which the Prime Minister is genuinely unable to take a decision.
My amendment specifies that the Prime Minister must be “unable” to decide whether to give the necessary approvals, rather than simply “unavailable”, which is rather a subjective test. It then very clearly sets out those circumstances, which are “incapacity” or
“inability to access secure communications”—
for example, if the Prime Minister is extremely ill, or is abroad and unable to securely access the relevant classified documentation. The draft codes of practice published by the Government give these two scenarios as examples of the circumstances in which the Prime Minister might use this designation power. This is a step in the right direction. But the first problem is that they give them only as examples, which means that there could be any number of other unspecified circumstances about which Parliament would be kept in the dark. That cannot be acceptable.
There should be no question of the delegation of this power becoming routine, so there must be absolute clarity as to the exact scenarios when the power can be used. If, in future, other scenarios arise in which the Government seek to use this designation power— I note that they are currently unable to conceive of what they might be, as they have never arisen before—they must return to Parliament to make the case for it.
The second problem is that to which I referred in my opening remarks: matters as important as this must be in the Bill, where they cannot be amended or diluted by Administrations present or future without first returning to Parliament. This amendment provides what the agencies require but, when combined with the requirement
“that there is an urgent need for the decision”,
it also provides the necessary assurance to Parliament that the Prime Minister’s responsibility will be deputised only in specified exceptional circumstances.
My Lords, it is a pleasure to follow such a strong and powerful speech, and to agree with so much of it. I will speak to Amendment 40, which is based on my report of last year and repeats an amendment that I tabled in Committee and that was introduced there by the noble and learned Lord, Lord Hope of Craighead, my co-signatory then as now. The amendment has two objectives. The first is to ensure that the third part of the triple lock is not too easily wrested away from the Prime Minister.
We are often told that someone is unavailable when they are travelling, are in a meeting, have stepped out of the office or have simply asked not to be disturbed for the afternoon. Indeed, the noble Baroness, Lady Manningham-Buller, used the word in the first of today’s debates on the Bill, albeit in a different context, to describe the status of a Minister, as she put it, during the night or over the weekend. Nobody suggests that reasons such as these should be sufficient for the third lock of the triple lock to be handed to someone else. Unavailable is simply the wrong word. The public interest, in clear and accessible laws, requires us to use the right word. Using the wrong word and then glossing it by guidance or Statements from the Dispatch Box is not a good alternative. I suggest that the right word is “unable”, and I am delighted that the Intelligence and Security Committee and the noble Lord, Lord West, had the same thought in their Amendments 39 and 43.
The second objective of Amendment 40 is to allow provision to be made for the situation in which a Prime Minister is available to apply the third lock but might be considered, or consider himself, unable to do so by reason of conflict of interest. This could be the case if the communications in question were addressed to or from a Prime Minister’s sibling in Parliament. I see that the noble Lord, Lord Johnson of Marylebone, has just left his place. It could be the case if those communications were addressed to or from the Prime Minister himself or herself. Nobody doubts that the agencies currently have the power, and will continue to have the power after the Bill is passed, to request a Prime Minister’s communications to be intercepted. Nor is there any mystery about what will happen if such a request is ever made. It will be put to a Secretary of State for authorisation—presumably the Home Secretary or the Foreign Secretary, depending on the context. If that authorisation is granted, a judicial commissioner—presumably the most senior of them, the Investigatory Powers Commissioner—will be asked to approve it. So far, so uncontroversial.
The issue that arises is what should happen next. Under Clause 21, the request must be put before the Prime Minister unless it happens that he is ill or away from secure communications, in which case the third lock can be passed on to another Secretary of State and the Prime Minister’s communications can be intercepted without his knowledge. A precedent for the delegation of this most sensitive of powers already exists; indeed, it exists in the text of this Bill. But what if the Prime Minister is available? In such a case, the third lock must, under Clause 21, be left in the hands of the Prime Minister himself. He is statutorily barred from passing it on to anyone else, even if he—or, let us say, the Cabinet Secretary on his behalf—took the view that he is unable to take the decision for reasons of conflict of interest. That is notwithstanding the fact that conflict of interest, as the noble and learned Lord, Lord Hope, said in Committee,
“surely is a reason why a Prime Minister, although available, should not exercise the power”.—[Official Report, 13/12/23; col. 1902.]
That principle is so important that perhaps the undoubted practical difficulties to which the noble Lord, Lord West, referred need to take second place to it.
The triple lock was designed to ensure that the communications of parliamentarians could be intercepted only with the consent of the Prime Minister. It was not designed to give the Prime Minister himself an effective veto over the interception of his own communications. Immunities or quasi-immunities of that kind might have their place in some presidential systems, but they seem out of place in a parliamentary system in which the Prime Minister is primus inter pares. However, just such an immunity is perpetuated by Clause 21, and the amendments on this theme from the noble Lord, Lord West, which I otherwise support, do not remedy the situation.
Amendment 40 does not prescribe a detailed solution to this sensitive problem, but it leaves the door open to one. My concern in tabling it was to ensure that we do not legislate in such a way as to prevent a solution being found to the situation in which a conflict of interest arises in circumstances that would be vanishingly rare but that, if they ever did arise, could be of the highest importance to our national security.
I have reflected on what could be done without Amendment 40 if there were serious grounds to intercept a Prime Minister’s personal communications because one of his correspondents or the Prime Minister himself were under suspicion. Perhaps a possible answer would be to wait until the Prime Minister was out of reach of secure communications and then proceed with the interception if the approval of a judicial commissioner and two Secretaries of State could be secured. That is not a very principled or satisfactory answer to the issue of conflict of interest, but it is permitted by Clause 21 and might still be better than a prime ministerial veto. I should say that everything I have said about Clause 21 and interception applies also to equipment interference under Clause 22.
I hoped to generate a debate on this topic by tabling this amendment and, thanks to your Lordships’ indulgence, I have had a chance to do so. I would like to have invited the House of Commons to debate it too, but without the numbers to press this amendment to a vote there will be no such invitation, at least by this route. None the less, I am grateful to the ministerial team and to their shadows in your Lordships’ House and the Commons for discussing this issue with me in a degree of detail. Neither team suggested to me that the prospect of intelligence interest in the communications of a Prime Minister was too fanciful a prospect to be worth considering, although it may be that the two teams have different examples in mind of why it is not. However, I detected a developing sense on both Front Benches that the conflict issue might be one for the “too difficult” box.
I will not divide the House, but I close with these questions to the Minister: is it the Government’s position that the Prime Minister, uniquely among members of the Government, should have a veto over the interception of his own communications in circumstances in which the normal authorisation and approval criteria have been met? If so, why? If not, what answer do they have to the issue of conflict of interest?
My Lords, it is a pleasure to follow that brilliant exposition by my noble friend of the problem that he tries to deal with in Amendment 40. After yesterday’s slightly more tense proceedings in this House, I have had a pleasant afternoon supporting the Government. In that spirit, I wish briefly to add some words to what has been said by my noble friend.
The notion of conflicts of interest is not a difficult one. Lawyers dealing with extremely complex cases have to deal with that problem more or less every day. It is something with which we are familiar. The notion that a Prime Minister could face a conflict of interest is not ludicrous. If we just look at the way in which proceedings have proceeded so far in the Covid inquiry, for example, we know that the most intense examination is now given to past communications. We are in a different age from the era when Prime Ministers did not use social networking. We are coming to a period when there will be a Prime Minister whose youthful exchanges with his or her friends will be available to public inquiries in the years to come. It is easy to imagine circumstances in which conflicts of interest might occur. For example, there could be conflicts of interest arising from kinship, as my noble friend Lord Anderson mentioned. Conflicts of interest could arise from earlier employment or from books and articles that person has written. We recently had a Prime Minister who has written quite a lot of interesting books but certainly provoked some interest of another kind when he was Prime Minister.
I urge the Minister not to brush aside this issue of conflict of interest, because it could happen, and it is better to anticipate these things than to leave them till later. I ask the Government to take seriously Amendment 40, for the reasons that have been given by the noble Lord, Lord Anderson, so we can return to this matter before the Bill is passed.
My Lords, I was not intending to speak in this debate, but it is a pleasure to follow the noble Lords, Lord Carlile and Lord Anderson. I will make two brief observations.
First, I support the suggestion that airing this question of conflict of interest is important. I remember from when I was in the service considering with colleagues —purely theoretically, I hasten to add—what one would do if one had serious national security concerns about a Prime Minister. You would certainly go to the Cabinet Secretary. Would you go to the Palace? I see that the noble Lord, Lord Young of Old Windsor, is in his place. How would you resolve this issue? It was unresolved—it is not an easy issue to resolve, and it may well not be an issue to be resolved in the margins of a separate Bill. But it is worth at least airing these issues, rather than merely considering them in private. I welcome the opportunity to put these issues into the public domain, since it is not impossible to conceive that they might become real issues at some future point.
Secondly, I support Amendment 41 from the noble Lord, Lord West of Spithead, and particularly the second proposed new subsection, which says that any individual designated as one of the five individuals to whom the Prime Minister can delegate powers under the triple lock should be an experienced Minister who is used to signing warrants. I have had experience myself of trying to explain to inexperienced Ministers for whom this was unfamiliar territory what on earth they were being asked to do. The occasional look of either panic or horror when it was revealed what they were being asked to do stick in the mind. It is really important that, if these powers are to be delegated, they should be delegated to Ministers who are experienced and understand the judgments of proportionality and necessity that are made in these important decisions relating to authorisation of intrusion. Therefore, I strongly support in particular that aspect of the amendment proposed by the noble Lord, Lord West.
My Lords, at Second Reading I raised the issue of the Prime Minister in a slightly different context, but it has taken the legal brains of the noble Lord, Lord Anderson, and the noble and learned Lord, Lord Hope, to put it into a frame. I am happy to have co-signed that, and happy to find myself back on the same side as them on this argument.
It is clear that we will not resolve this here today, but it is perhaps something that we will take to the gap between here and the Commons to try to resolve. I rely on the wisdom of noble Lords who have spoken to take this forward.
On the other point, I support the amendments of the noble Lord, Lord West, and I hope that the Government will find his persuasion conducive.
My Lords, I spoke in Committee about the difference between “unavailable” and “unable”. I am greatly encouraged by Amendments 39 and 43 proposed by the noble Lord, Lord West. The one point of difference between us is that he narrows the meaning of “inability”, for reasons he has explained. If it came to a vote, I think I would support his amendments—but, like the noble Lord, Lord Anderson, I think that further thought needs to be given to whether that narrowing of “inability” or “unable” is really appropriate, considering the effect that it has, particularly in situations of conflicts of interest.
My Lords, I do not have much to add to the debate. From these Benches, we fully support the amendments proposed by the noble Lord, Lord West, and the excellent way in which he presented them. They have the support of the whole ISC, which in this respect has done a great service to us all in taking forward the discussion. These amendments certainly improve the Bill.
The point that the noble Lord, Lord West, made is exceptionally important—the fact that this has to be in the Bill, and that we need it to guide us in how we take this forward. For those who read our proceedings, it is important to repeat that what we are discussing here is the interception of communications of parliamentarians, and the fact that the triple lock was introduced to give additional protection to that. The role of the Prime Minister becomes crucial in that, for obvious reasons.
I join others in thanking the noble Lord, Lord Anderson, for the way in which he has presented his arguments, and the discussions and debates that have gone on in this Chamber and outside it. He has done a great service to all of us by tabling what seems on the face of it a simple amendment—simply changing one word, from “unavailable” to “unable”—but is actually of huge significance. We have concerns about it, which we have expressed in this Chamber and elsewhere— indeed, the noble Lord, Lord West, explained them. Notwithstanding the remarks of the noble Lord, Lord Carlile, and others, we are worried about where it takes us with respect to conflicts of interest, and who decides that there is a conflict of interest for the Prime Minister in circumstances in which the Prime Minister themself does not recognise that there is a conflict of interest. I agree with the noble Lord, Lord Anderson, and others, that there may be a need for this discussion to continue—but who decides whether the Prime Minister has a conflict of interest, if the Prime Minister themself does not recognise that, is an important discussion to have. In the end, the system rests on the integrity of the Prime Minister.
The way in which the ISC has tried to bring forward some conditions to what “unavailable” means is extremely important, and we support that, as indeed we support the amendments that try to ensure that those who take decisions are those various Secretaries of State who may be designated under the Bill to take decisions, should the Prime Minister be unavailable. It is extremely important for those Secretaries of State to have experience of the use of those warrants. Again, the amendments proposed by the noble Lord, Lord West, deal with that, and we are very happy to support them.
My Lords, I offer my thanks to the noble Lords, Lord Anderson of Ipswich, Lord Fox, and Lord West of Spithead, and the noble and learned Lord, Lord Hope of Craighead, for their amendments and for the points that they have raised during this debate. I also thank the noble Lord, Lord Evans, for his perspective, and the noble Lord, Lord Carlile, for supporting the Government, which obviously I hope becomes a habit.
I have discussed the triple lock at length with noble Lords and many others in Parliament and across government. We are all in agreement that this is a matter of the utmost importance, and it is imperative that we ensure that the triple lock operates correctly. That means that the triple-lock process, when needed urgently, has the resilience to continue in the most exceptional circumstances, when the Prime Minister is genuinely unavailable, while ensuring that the alternative approvals process is tightly and appropriately defined.
On Amendment 40, I thank the noble Lord, Lord Anderson, for the valuable engagement he has taken part in with my ministerial colleagues, Home Office officials and me regarding this amendment. I take this opportunity to explain why the Government do not support this amendment. The expressed intention of the noble Lord’s amendment is twofold: first to tighten the requirement in the current clauses, which use the word “unavailable”; and, secondly, to introduce a potential provision for dealing with a conflict of interest, as one of the circumstances in which the alternative approvals process could be used.
There is certainly merit in limiting the circumstances in which the alternative approvals process may be used. However, the noble Lord’s amendment introduces the requirement for a judgment to be made on the Prime Minister’s ability to consider a warrant application, for any number of reasons, including conflict of interest. This raises a number of challenges.
The first challenge is that “unable” draws into the legislation the principle of ministerial conflict of interest. This poses a constitutional tension and a challenge to Cabinet hierarchy. The inclusion of “unable” would allow for someone other than the Prime Minister to decide whether the Prime Minister is subject to a conflict of interest in a particular scenario, which goes against clear constitutional principles regarding the Prime Minister’s powers. This would be a subjective decision on the Prime Minister’s ability, rather than an objective decision on his availability.
As such, rather than strengthening the current drafting, the amendment as proposed could be considered to constitute a watering down of the triple lock, in that it was always designed to be exercised by the Prime Minister. Someone else making a decision about whether the Prime Minister is able to make a decision, given they can be said to be available and therefore technically able to consider an application, risks the intention of the triple lock. As drafted, the original clauses require a binary decision to be made about whether the Prime Minister is available or not, whereas, in deciding whether the Prime Minister may have a conflict of interest, a judgment must be made which is not binary and therefore has much less legal clarity.
The noble Lord, Lord Anderson, asked me if it is right that the Government believe that it is proper for the Prime Minister to consider a warrant application relating to the Prime Minister’s own communications. The best answer I can give is that the Bill is intended not to tackle issues relating to Prime Ministerial conflicts of interest, but rather to improve the resilience of the warrantry process. Conflict of interest provisions and considerations relating to propriety and ethics are therefore not properly for consideration under this Bill. The Prime Minister is expected, as are all Ministers, to uphold the Nolan principles in public life. For these reasons, the Government cannot support this amendment.
The Government have, however, recognised the concerns expressed by Members of both Houses, and the seeming consensus that a more specific, higher bar should be set with relation to the circumstances in which the alternative approvals process may be used. This high bar is of particular importance because of the seriousness of using these capabilities against Members of relevant legislatures. We accept that we are not above the law and it is appropriate for it to be possible for us to be subject to properly authorised investigatory powers. However, it is right that the significance that this issue was given in the original drafting of the Investigatory Powers Act is respected, and the communications of our fellow representatives are properly safeguarded.
I therefore thank the noble Lord, Lord West of Spithead, for his amendments, and for the close engagement on this Bill which I, the Security Minister and my officials have had with the members and secretariat of the Intelligence and Security Committee. Following engagement with Members of both Houses on these amendments, it is clear that there is good consensus for these measures, and the Government will not be opposing them today. While they will reduce the flexibility of the current drafting somewhat, the Government agree that these amendments strike an important and delicate balance between providing the flexibility and resilience that the triple-lock process requires, while providing the legal clarity and specificity to allow for its effective use. The amendments will also provide further confidence to members of relevant legislatures, including those of this House, that the protection and safeguarding of their communications is of paramount importance.
I should note that the Government do not quite agree with the precise drafting of these amendments, and we expect to make some clarifications and improvements in the other place, particularly to the references to routine duties under Sections 19 and 102 of the Investigatory Powers Act 2016, but I am happy that we seem to have reached broad agreement today.
I just want to be clear, as I have never had an amendment accepted in 14 years —is the Minister saying that the Government accept my Amendments 39 and 41?
Yes. The noble Lord, Lord Fox, says, “Don’t get too excited”, and he is right.
I now turn to the government amendment in this group, Amendment 46. This proposed new clause amends the Investigatory Powers Act’s bulk equipment interference regime to ensure that sensitive journalistic material gathered through bulk equipment interference is subject to increased safeguards. Currently, Section 195 of the IPA requires that the Investigatory Powers Commissioner be informed when a communication containing confidential journalistic material or sources of journalistic material, following its examination, is retained for any purpose other than its destruction.
This amendment introduces the need for independent prior approval before any confidential journalistic material or sources of journalistic material are selected, examined, and retained by the intelligence agencies. It also introduces an urgency process within the new requirement to ensure that requests for clearance to use certain criteria to select data for examination can be approved out of hours.
The Government recognise the importance of journalistic freedom and are therefore proactively increasing the safeguards already afforded to journalistic material within the IPA. In doing so, we are also bringing the IPA’s bulk equipment interference regime into alignment with bulk interception, which is being amended in the same way through the Investigatory Powers Act 2016 (Remedial) Order 2023; that is being considered in the other place today.
In wrapping up, I once again thank noble Lords for the constructive engagement we have had on the Bill, singling out in particular the noble Lords, Lord Anderson, Lord West, Lord Coaker and Lord Fox. With that, I hope that noble Lords will support the Government’s amendment.
If Amendment 39 is agreed to, I cannot call Amendment 40 by reason of pre-emption.
(10 months, 3 weeks ago)
Lords ChamberMy Lords, throughout the preparation and passage of the Bill, we have been working closely with each of the devolved Administrations. Most of the provisions are UK-wide and are reserved, as national security is a reserved matter. A small number of measures in Part 2 of the Bill, on oversight, engage the legislative consent process in the Scottish Parliament. Currently, the Scottish Parliament has not granted a legislative consent Motion, although I can confirm to noble Lords that the Scottish Government have lodged one. We are engaging constructively with officials, and I reassure noble Lords that the Government will continue with this engagement as the Bill is introduced into the House of Commons. I beg to move that this Bill be read a third time.
My Lords, I extend my gratitude to all noble Lords who have contributed to the Bill, both on the Floor of the House and outside. We all agree that this piece of legislation is both important and necessary. The targeted amendments that it will make to the Investigatory Powers Act 2016 will ensure that the UK’s intelligence services and law enforcement will continue to have the tools at their disposal to keep this country safe, while ensuring that these are used in a proportionate way which places privacy at its heart. As the Bill passed through this House, the valuable debate has shaped it into what it is now. I am pleased that the House was able to reach agreement on several areas of potential divergence and that we send the Bill to the other place in exceptional shape and with cross-party support.
I first correct the record on one small point I made in my speech on the second group of amendments in last Tuesday’s debate on Report. His Majesty’s Treasury is not an example of a public authority that already has the power to acquire communications data using a Part 3 request. Examples of public authorities which do have these powers include His Majesty’s Revenue & Customs and the Financial Conduct Authority, both of which perform a range of vital statutory functions using communications data.
Once more, I extend thanks particularly to the noble Lord, Lord Anderson of Ipswich, who has been crucial in shaping the Bill through his independent review of the Investigatory Powers Act and his contributions during the Bill’s passage. My thanks go also to the noble Lord, Lord West of Spithead, and his colleagues on the Intelligence and Security Committee. The input from him and his fellow committee members has been valuable and intended to improve the Bill. He has been ably and knowledgeably supported by the erstwhile chair of the committee, the noble Lord, Lord Murphy of Torfaen.
Similarly, I have valued the collaborative and serious way in which the Opposition Front Benches have engaged on matters of such importance, so I offer my thanks to the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their desire to scrutinise the Bill carefully and constructively.
I am much obliged to the support of other noble Lords who have contributed with such eloquence and expertise as the Bill has passed through this House. In particular, the noble Baroness, Lady Manningham-Buller, and the noble Lords, Lord Evans of Weardale and Lord Hogan-Howe, have all provided an invaluable perspective from their professional backgrounds. The noble Lord, Lord Carlile of Berriew, and the noble and learned Lord, Lord Hope of Craighead, both made a number of important and insightful interventions to help shape the debates and work towards practical solutions, for which I am grateful. My thanks go also to my noble friend Lord Gascoigne and his team in the Whips’ Office for their support as the Bill passed through this House.
I ask noble Lords to join me as I thank the policy officials and lawyers in the Home Office teams led by Lucy, Phoebe, Lucy, Hugh, Rob, Daphne and Becca, whose significant efforts have made this Bill happen. It is their hard work that has brought the Bill to this point. My thanks go also to the Bill team—Tom, Megan, Sophie, Emer and James—as well as Dan in my private office. I am also very grateful to Pete and Lucy, the expert drafters in the Office of the Parliamentary Counsel, for preparing the Bill and amendments during its passage.
Finally, I thank the intelligence agencies and law enforcement for their expert contribution to the Bill and for the work they do to keep this country safe day after day. The Bill will ensure that they continue to have the tools they need to carry out this task. We will all be the safer for it. We remain hugely grateful for their work.
As we send the Bill to the other place, it needs very little amending, save for some tidying up here and there. It is the first job of government to keep this country safe. The Bill helps us do just that.
My Lords, first, I thank the Minister and his team for the liaison and the work we did together to try to meet all our concerns about the Bill. I also thank him for giving me the excitement of my life in that I had an amendment accepted—for the first time in 14 years. That is a pretty good strike rate, is it not? I was pleased about that as well.
We on the ISC are very happy that the Bill is needed. However, as the Minister knows, we are still concerned that there is insufficient acceptance of the fact that parliamentary scrutiny is required by the ISC more broadly in this and a number of other areas. I am sure this will be brought up in the other place; otherwise, I am pleased that we have moved this Bill forward at pace.
My Lords, I echo all the thanks that came from the Minister. I do not think I can add to his list, but I certainly endorse everything he said.
Bills of this nature can be controversial. We are seeing this in some other parts of the world at the moment. That was not the case in your Lordships’ House. That is testimony to the care with which the Bill was prepared, the civilised way in which it was debated and the openness of the Government to some of the important points made during our debates. I single out in particular the work of the Intelligence and Security Committee for the great scrutiny that it applied to it.
If I may, I will depart briefly from the studied impartiality associated with the Cross Benches. With the Government and Opposition so closely aligned on a Bill, it was particularly useful that we heard from the Liberal Democrats—with their sometimes annoying but rather necessary process of probing amendments. They caused everyone to think carefully about what we were doing. All in all, it was a happy experience for me. I hope that this is a good model for future Home Office Bills.
My Lords, having been cleared to annoy your Lordships’ House, I will do my best to do so.
This Bill started in your Lordships’ House and now heads to the Commons. Its primary purpose of enabling the intelligence services to better build their data models and teach their AI systems has been left completely unmolested by your Lordships. However, other parts of the Bill have attracted a fanfare of concern from certain external parties—particularly the large platforms. Whether the Government and Apple are at cross purposes or the Minister really is out to get it, we in your Lordships’ House were unable to muster sufficient traction to find out or clarify. It is now up to the MPs if they choose to pick up that particular baton.
There was also an unresolved issue around the triple lock and the Prime Minister’s role when they might be in conflict. Again, this has moved from our orbit. I hope the tenacity of the noble Lord, Lord Anderson, and the noble and learned Lord, Lord Hope, might still be involved somehow between here and the other place. The Minister raised the important issue of legislative consent. I hope he is successful in these negotiations.
I echo what other noble Lords have said. This has been a well-mannered and constructive process of discussion, with everybody moving in the same direction, albeit at different speeds.
I thank the Minister and the team he named for their time, availability and openness in our discussions. I also thank all the many external organisations and individuals who took time either to meet and brief or to send information which helped inform our debate. The discussion was greatly enhanced by the noble Lords, Lord Coaker and Lord Ponsonby, from the Front Bench, and by colleagues on their Benches, as well as the Cross Benchers. They played a pivotal role in our discussions.
Finally, I thank the home team: my colleague, my noble friend Lord Strasburger, and, most of all, Elizabeth Plummer in the Lib Dem Whips’ Office, without whom nothing is possible.
My Lords, we welcome the Bill and see it as an important step forward for our country. I thank the Minister and his colleagues very much for their constructive engagement all the way through; we very much appreciate that. I join the Minister in thanking his officials, all of whom have been helpful in ensuring that we understand the Government’s proposals. I wish him well with the Scottish Government and sorting out the various legislative consents; I hope that happens as soon as possible.
I thank my noble friend Lord Ponsonby for his support and help, and Clare Scally of our Whips Office, who has done an amazing job. I also thank the noble Lord, Lord Fox, the representative of the Liberal Democrats, who have engaged with us and others constructively on the Bill. I also single out the noble Lord, Lord Anderson of Ipswich, whose report gave us a hugely beneficial platform through which to move forward. When an expert puts a report together and the Government engage constructively with it, it helps enormously. Similarly, I thank my noble friends Lord West and Lord Murphy, the ISC for its work and the intelligence services, some of whose representatives are here, for their input. It would be remiss of us not to join the Minister in thanking them again, particularly when we read on the front pages of our newspapers the threat to so-called Iranian dissidents in this country from Iranian criminal gangs. It shows yet again the importance of the work they do.
The Bill is an important step forward because it maintains the powers that our police and other services need to stay ahead of the criminals and those who would organise against us. There are still one or two issues to be looked at, but the Bill leaves us in a good place. As the noble Lord, Lord Fox, said, there will be continuing debate about the triple lock and whether the wording used is completely right, but it is a significant step forward. As my noble friend Lord West mentioned, it shows the Government in a good light when they listen to the arguments and accept amendments because they are the right thing to do. I hope that we can do that in other areas as well.
There are still issues with the oversight the ISC has more generally of government business, and how large companies’ security measures and the work they do will continue under the Bill. However, the Minister is to be congratulated on the open way he has led the legislation through the House. As others have said, it is a case study in how to do it, and we are very grateful for it.
(10 months ago)
Commons ChamberI beg to move, That the Bill be now read a Second time.
The first duty of Government is to keep our citizens safe. The United Kingdom faces an enduring threat from terrorists, hostile actors and organised criminal groups, and that threat is evolving and becoming more sophisticated. It is not enough for us to keep pace with those who would do us harm; we must endeavour to get and then stay ahead of them. The investigatory powers are the legal powers available to law enforcement, the intelligence services, MI5, the Secret Intelligence Service, GCHQ and other public authorities where appropriate to obtain communications and data about communications.
The Investigatory Powers Act 2016 provides a clear legal framework for the use of those powers, combining world-leading safeguards and oversight with giving agencies the tools they need to protect us. There is a double lock for the most sensitive IPA powers, meaning that an independent judicial commissioner must approve a decision by the Secretary of State to issue a warrant under the IPA. The use of any of these powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The Investigatory Powers Tribunal provides a robust mechanism for providing redress in respect of any unlawful use of those powers.
The Home Secretary will be as aware as I am that very occasionally those in charge of our intelligence and security services do not act in the best traditions of this country in their offices, and I am thinking of cases such as Belhaj and Boudchar. Where people have been the victim of mistreatment—as a consequence of UK complicity with foreign powers, for example—should there not be a right for those people to have access to the information about that?
I listened carefully to the right hon. Gentleman’s point. I am not sure it is directly relevant to this matter, but I take on board the points that he makes. He will forgive me if I do not address them directly at this point; I want to consider them properly.
The IPA is sound legislation, but the nature of these threats has evolved since 2016, and we are confronted by greater global instability and technological advances, and they demand that we act. Terrorists, child abusers, organised criminals and malign actors from hostile states have exploited technological advances. Our job is to ensure that the UK’s investigatory powers framework remains fit for purpose. The changes that this Bill proposes were informed by the independent review of the IPA published by Lord Anderson of Ipswich in June 2023. The Bill received cross-party and Cross-Bench support as it passed through the other place. Every Government amendment was accepted, and I thank the members of the Intelligence and Security Committee of Parliament for the productive way they engaged with and helped to shape the Bill.
In particular, we have agreed to tighten the drafting of clauses 22 and 23 in line with amendments proposed by the Intelligence and Security Committee. Those changes put beyond doubt that the Prime Minister may delegate warrants for the purposes of obtaining communications of parliamentarians in two, and only two, exceptional circumstances: the personal incapacity of the Prime Minister and a lack of access to secure communications. There is also a limit of five Secretaries of State to whom this responsibility could be delegated in those circumstances. Further to that, in respect of new part 7A, parliamentary scrutiny will be enhanced through a statutory requirement for the Secretary of State annually to inform the Intelligence and Security Committee about the new regime for bulk personal datasets.
My right hon. Friend mentioned the ISC’s scrutiny of these matters. He will understand the concern about widening the number of people who can play the role previously played exclusively by the Prime Minister. I understand the reasons for that, but has he considered limiting that to those Secretaries of State who have warranting powers?
We looked at that. There is a balance to be struck, and actually the bulk of those Secretaries of State to whom the function could be delegated in those two exceptional circumstances do have warranting powers—I think the Secretary of State for Defence is the only one who does not. My right hon. Friend’s point is a fair one, but the scope of the Bill is not much greater than that.
As a member of the ISC, I welcome the Government’s acceptance of our recommendation. However, I would like to understand why they are not accepting our other, simple proposal: that when a delegation takes place, the Prime Minister would be informed about that afterwards.
I think it is inconceivable that the Prime Minister of the day would not be informed of the use of a delegated authority.
It is not about the Prime Minister not being informed about the delegation; it is about the Prime Minister looking at the case afterwards—they would not be second-guessing it, obviously, because it would already have been agreed. We suggested that, as a matter of course, the Prime Minister should be informed afterwards of the contents of that warrant. For some reason, the Government are resisting that. I cannot understand why.
I understood the point that the right hon. Gentleman was making—perhaps my answer was not clear—but I suggest that it is inconceivable that the Prime Minister would not routinely be informed of the exercise of this power. Ultimately, that is a level of granularity that would add complexity to the Bill without utility. But, as I have said, through the passage of the Bill thus far, we have listened carefully to the Committee’s suggestions, and although we may not always agree, I can reassure him, other members of the Committee and Members of the House that we will continue to act in listening mode in relation to the Committee’s suggestions.
On that point, will the Home Secretary give way?
I thank the Home Secretary for giving way. He mentioned listening to scrutiny by the ISC. The Joint Committee on Human Rights has issued a call for written evidence on the Bill, and as he will know from the human rights memorandum, the Bill raises important human rights issues relating to the rights to privacy and to freedom of expression, and possibly the right to an effective remedy. Will he therefore undertake to look closely at any correspondence that the Joint Committee might send him when we have completed our scrutiny of the Bill?
I reassure the hon. and learned Lady that we will do exactly that.
I turn to the measures in the Bill. We are creating a new regime for bulk personal datasets that have low or no expectation of privacy: for example, certain datasets that are widely publicly or commercially available. Bulk personal datasets are an essential tool to support our intelligence services in identifying fragments of intelligence within a large quantum of data, in order to disrupt threats such as terrorism and hostile state actors. The Bill seeks to create a new statutory oversight regime for how the intelligence services access and examine bulk personal datasets held by third parties. It will place that oversight on a statutory footing, increasing the transparency of the regime. The regime will be subject to strong safeguards, including the double lock.
We are also making changes to the notices regime that will help the UK anticipate and address the risk to public safety of companies rolling out technology that precludes lawful access to data. We want to work with those companies to achieve common goals, but we must have the tools available when collaboration falls short.
I know that the Home Secretary wants to make progress, but I am grateful for the opportunity to comment.
These reforms to the IPA are necessary to upgrade our world-class regime and ensure that our frameworks are kept up to date with evolving threats and, importantly, technology. We know that the terrorists, the serious organised criminals, the fraudsters and the online paedophiles all take advantage of the dark web and encrypted spaces: to plan their terror, to carry out their fraudulent activity and to cause devastating harm to innocent people such as children, in the field of online paedophilia. Does he share my concern and indeed frustration with companies such as Meta and Apple? The former has chosen to roll out end-to-end encryption without safeguards and the latter has rolled out advanced data protection, which will allow these bad actors to go dark, which will severely disable agencies and law enforcement from identifying them and taking action, and will enable—indeed it will facilitate—some of the worst atrocities that our brave men and women in law-enforcement agencies deal with every day.
My right hon. and learned Friend—and immediate predecessor—makes incredibly important points. Digital technology and online technology have been a liberator in so many ways, but, sadly, as has been the case with technology throughout time, it has also been used by those who would do people harm. Indeed, she mentioned in particular the harm done to children. We take that incredibly seriously. We value the important role of investigatory powers and will continue to work with technology companies—both those well established at the moment and those of the future—to maintain the balance between privacy and security, as we have always done, and ensure that these technology platforms do not provide a hiding place for terrorists, for serious criminals and those people taking part in child sexual exploitation.
The three types of notices under the existing IPA are data retention notices, technical capability notices and national security notices. Those notices must be both necessary and proportionate, and they are of course subject to the double lock. The Bill does not introduce any new powers for the acquisition of data. The changes are about ensuring that the system is up to date and remains robust. The Bill will create a notification notice allowing the Secretary of State to place specific companies under an obligation to inform him or her of proposed changes to their telecommunications services or systems that could have an impact on lawful access. This is not a blanket obligation, and it will be used only where necessary and proportionate, and then only on a case-by-case basis.
The notice does not give the Secretary of State any powers to veto or intervene in the roll-out of a product or services. It is intended to ensure that there is sufficient time for appropriate consideration of the operational impact of the proposed changes, and potentially for discussions with the company in question about them. The public, rightly, would want their representatives to know in advance if companies were proposing to do something that would put public safety at risk, and responsible companies will work with Governments to avoid endangering people, who are of course also their customers.
The Bill will also amend the IPA to require the company to ensure that existing lawful access is maintained. That means the company cannot legally take any action that would negatively affect the level of lawful access for our operational partners during the review period. In the other place, the Government tabled an amendment to allow a timeline for review of a notice to be specified in regulations. We also gave the judicial commissioner further powers for managing the review process. Taken together, they ensure that companies are clear on the length of time that a review can take, which reduces uncertainty for their business as well as providing greater clarity for the review process. In the other place, my noble colleague Lord Sharpe of Epsom also committed to a full public consultation before amending the existing regulations on the review of notices, and laying new regulations relating to the notification notices.
The Bill also clarifies the definition of a telecommun-ications operator, to make it clear that companies with complex corporate structures that provide or control telecommunications services and systems in the UK fall within the remit of the IPA. These changes do not directly relate to any particular technology, including end-to-end encryption, but are designed to ensure that companies are not able to unilaterally make design changes that compromise exceptional lawful access.
The Bill makes changes to the powers of public authorities to acquire communications data. Section 11 of the IPA made it an offence for a relevant person in a relevant public authority to knowingly or recklessly obtain communications data from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority outside the IPA, giving greater clarity to public authorities that they are not inadvertently committing an offence. Further targeted amendments will ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data. Further changes will allow bodies with regulatory functions to acquire communications data.
The Bill also creates a new condition for the use of internet connection records—ICRs—by the intelligence services and the National Crime Agency. The IPA currently requires certain thresholds to be met on the known element of an investigation, such as exactly when a website has been accessed. That limits the ability of operational partners to use the ICRs to detect previously unknown criminals, terrorists or state threat actors who are acting online. The proposed measure will allow greater detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access and service in use, and instead will allow these factors to be specified within the application.
I understand the use of the measure for the security services, but the Bill broadens the scope of how many people could be dragged into it. There is no judicial oversight of the Security Service or whoever is using it. The Bill states that the measure is for national security and economic wellbeing—that is a catch-all for quite a lot of things. Although the intent is right, there need to be some safeguards to prevent innocent people being dragged into that potentially broad measure.
I understand the right hon. Gentleman’s point. Innocent people’s data is often acquired in dataset capture, and it is always deleted. Economic wellbeing merely reflects the language that is used in other parts, for consistency across our various strands of work.
I thought we were here today to scrutinise the Bill. It should not be a chore for the Home Secretary to be asked questions. The definition of wellbeing could be quite broad. I understand the meaning of national security, as I think he does, and the House, but wellbeing could have quite a broad definition and I am not convinced that I have seen what it is. I am not sure that consistency with other legislation is a great argument for including it in this Bill.
The simple truth of the matter is that I disagree. In legislation of this nature, maintaining consistency of language with previous relevant legislation, including the Intelligence Services Act 1994, is incredibly important to clarity of intent. I recognise that the right hon. Gentleman has given thought to this, and we do not disregard his point, but we have thought through the importance of consistency of language, which is why we have maintained it.
A general listener to our proceedings might worry that the new powers could be used for fishing expeditions, rather than the very specific powers that they replace. Could the Home Secretary give some words of reassurance from the Dispatch Box that the broadening of bulk data collection without specific dates will not be used for fishing expeditions, which might affect the privacy of ordinary citizens who have done nothing wrong?
The hon. Lady makes an important point, but the powers could be applied to any bulk dataset collection, of which she knows there are many across Government. Provisions are in place to ensure that innocent people’s data is not held but deleted, and that our security services and other organisations that will utilise these powers always do so carefully and cautiously. There are relevant safeguards in place, as I have made reference to—the Investigatory Powers Commissioner and the tribunal—if there is wrongdoing. The proposals are put forward for a very specific reason. The Government have given thought to mission creep and broader expansion, and we feel that this is a modest extension that will give significantly greater protection to the British people.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) just said, we need to give confidence to the public that what we are rightly doing to protect ourselves has that level of security in it. There is no judicial oversight of internet connection records. If we are to give these powers to the Security Service—which I approve of—we should be able to say to the public that they are proportionate and that there is an independent process to ensure that they cannot be abused. Surely, judicial oversight throughout should be important.
The right hon. Gentleman specifically spoke about judicial oversight, but there is oversight—
There is oversight by the Secretary of State through the warrant process, and oversight of the whole process by the Investigatory Powers Commissioner. Through the Committee on which the right hon. Gentleman sits, there is oversight of the Secretary of State’s function.
I agree, and I support that oversight, even though this Government have not made our job on the ISC easy. Unless I am missing something, there is no judicial oversight of internet connection records in the Bill. If we want to give people confidence, that backstop of judicial oversight should be important.
As I said, I noticed that the right hon. Gentleman specifically said that there is no judicial oversight—
I am not disagreeing, but there is oversight. The Committee on which the right hon. Gentleman sits is part of that oversight process.
The Home Secretary has just touched on the importance of the oversight role of the ISC, particularly in relation to these additional provisions. I wonder whether he remembers the passing of the National Security Act 2023. During the final stages of that important piece of legislation, the Government tabled an amendment in lieu promising that they would progress a review of the memorandum of understanding within six months of the Act coming into force to ensure there was an updated and robust relationship between the ISC and the Government, and the Prime Minister in particular, the ISC having been unable to secure a meeting with the Prime Minister since 2014, remarkably. Given the nature of the ISC’s important role in these provisions, I wonder whether the Home Secretary could update us on that review.
That is not an element of this Bill. On a commitment for the Prime Minister to meet with the Committee, I will look at the details.
Will the Home Secretary give way?
I want to make progress to ensure that everyone who wishes to speak in this debate is able to do so, but I will give way to the right hon. Lady.
On that point, will the Home Secretary encourage the Prime Minister to go before the Intelligence and Security Committee at the soonest opportunity? My understanding is that that has not happened for 10 years.
I cannot make a commitment on the Prime Minister’s behalf. Members of the Committee will know that I appeared before the Committee in my previous role, and I think it is important that Government do make themselves available for this scrutiny. As I say, it would be inappropriate for me to demand of the Prime Minister attendance anywhere, but I will pass on the right hon. Lady’s point.
I will assist the Home Secretary with a little context. When I was a ranking member of the Intelligence and Security Committee between 2010 and 2015, it was a matter of routine that the Committee went to see the Prime Minister once a year, usually in the Cabinet Room. That stopped in 2014. Successive Prime Ministers have failed to reinstate it, although it must be said that the shortest-lived of them did offer to meet with the Committee, but sadly ceased to be Prime Minister before that became possible.
The lengths that some people will go to to avoid Committee scrutiny. I am trying to remember where I was; it has been such a long time since I looked down the page of this speech. All such applications must be necessary and proportionate and subject to independent authorisation or inspection.
The Bill will also strengthen safeguards for journalistic material within the Investigatory Powers Act’s bulk equipment interference regime, aligning it with changes to the bulk interception regime that are under way to ensure compliance with obligations under the Human Rights Act 1998. Prior judicial authorisation will be needed before material obtained through bulk equipment interference can be selected for examination using criteria where the purpose is to identify, or is highly likely to identify, confidential journalistic material or confirm a source of journalistic material. Prior judicial approval is also necessary before such material may be retained for purposes other than its destruction. The other measures in part 5 of the Bill will ensure that the resilience and protections of the regime are maintained and enhanced.
The Bill will also make improvements to support the Investigatory Powers Commissioner in effectively carrying out their role, ensuring that the world-leading oversight regime remains resilient, including powers to enable the IPC to appoint deputies, delegate some of their functions to judicial commissioners and the newly created deputies, and put certain functions on a statutory basis. The Bill will ensure there is a clearer statutory basis for reporting errors to the IPC.
I sense that the Home Secretary is coming to the end of his speech. We have mentioned parliamentarians and journalists, but I want to talk about another important group: trade unions. Some people fear that the Bill will open the door even further than its parent Bill on the surveillance of trade unions. Does the Home Secretary agree that there should be no place for the surveillance of trade unions in a democracy? If so, will he consider amendments to the Bill to ensure that that does not happen, including a redraft of clause 5?
I take the point that the hon. and learned Lady puts forward. There are a number of organisations not explicitly mentioned in the Bill where that argument could be made, and I am not sure it would necessarily be useful or right to list them all, but I will take on board the point she makes in good faith—genuinely.
The Bill will bring the Investigatory Powers Act up to date with the modern age, provide greater clarity, make the system more resilient and retain the world-leading safeguards of civil liberties and commercial integrity. Above all, the Bill will mean that the men and women who work so incredibly hard to keep us safe, often without recognition, have the tools they need to do so in the modern era. I therefore commend the Bill to the House.
I call the Opposition Front-Bench spokesperson.
The first duty of any Government is to keep their citizens safe—to defend our national security and defend our citizens against terrorism, extremism and serious crime. Labour always stands ready to work cross-party on national security to keep our country safe. It is why we are supporting this Bill today, why we will work with the Government to get the details right, and why we look forward to pursuing some of these issues in further detail in Committee. We recognise the important work that the Intelligence and Security Committee has done on this and that Lord Anderson has done in reviewing these areas; I pay tribute to his work, and to his previous work as independent reviewer. We also recognise the detailed considerations that have already taken place in the House of Lords.
It is vital that our intelligence and law enforcement agencies have the powers and capabilities they need to pursue terrorists and dangerous criminals, such as child abusers, and to keep the public safe. I pay tribute to the work of the intelligence and security agencies and to our counter-terror police for the immense work that they do. We are all indebted to them for their tireless and, by necessity, often hidden work to protect our country and defend our democracy and our freedoms from those who would seek to do us harm.
It is significant in the context of the Bill that the work of those agencies is about not just protecting our security, but defending our democracy. That is why it is so important that the powers they possess operate within a clear and strong legal framework with proper oversight and robust safeguards to prevent abuse or misuse. It is why the agencies themselves support having a strong legal framework in place. It is how we ensure there is consent and support for the essential work that they do. It is why this framework has to both protect privacy and protect us against serious threats, and why it has to defend both security and liberty—in a democracy, those go hand in hand. Strong powers always need to be accompanied by strong oversight and strong safeguards. That is why it is important we get the detail right. Just as we worked in a constructive cross-party manner on previous investigatory powers legislation and on the National Security Act, we will continue to do so on this legislation.
The reality that we all face is that threats to our national security are now more complex than ever: fast-changing challenges from home-grown extremism and radicalisation; a steep rise in state-sponsored threats from hostile foreign actors; the exponential growth in new technologies; the proliferation of serious crimes; and national security threats such as child abuse being perpetrated and spread online, putting young children and young people at terrible risk.
Within that rapidly evolving landscape, we obviously cannot allow our security services to be outpaced. We must ensure that the interception powers that our security services and police have to fight crime are updated to cope with rapid technological changes and changing threats. We must also ensure that the safeguards and oversight keep pace with changing powers, so that we continue to ensure, as is embedded in the legislation, that all measures are appropriate and proportionate when action is taken. That is why we rightly have, in the existing Investigatory Powers Act 2016, measures such as the double lock on some provisions relating to judicial commissioners’ approval and oversight; those, too, need to be updated in response to changing technology.
The Bill is necessary because technology is moving so fast. We now see serious crimes such as: child abusers using new and very different methods to share vile images of sexual assaults on children; extremists and terrorists using different and changing internet forums and encrypted messaging to find new ways to radicalise and organise; and serious and organised criminals using new applications to launder money and drugs, and to facilitate organised immigration crime that can put lives at risk. Clearly, that means the legislation needs to be updated. That is why we recognise the need for measures and the main provisions in the Bill—for example, on bulk datasets. We recognise the need for the Government to make changes to the existing framework, because agencies that are working at pace to intercept threats should not have to go through the same lengthy processes to use datasets that are widely available to the public and other commercial organisations.
In the other place, Members debated the importance of getting the threshold right and how the phrase “low or no expectation of privacy” should be interpreted. Those discussions will rightly continue in Committee. We will also continue to seek further clarification on the interaction of these reforms with some of the measures in the Data Protection Act 2018.
On internet connection records, the Bill reflects some of the recommendations made by Lord Anderson. This is a sensitive area and, rightly, there is a high test for important agencies to meet to access vital records, but there are also particular concerns around child abusers and terrorists being able to use new forums and communication channels where there should be the further ability to pursue action and intelligence leads. We recognise the importance of the issue, but also of ensuring that we get it right and frame the detail in the right way to ensure that we can protect vulnerable young people and children.
Ministers are right to ensure that Government Departments are not inadvertently prevented from the kinds of normal and routine legitimate exchanges of basic information by inadvertent coverage of previous legislation, and to ensure that appropriate safeguards are in place. We agree it is important that there are processes to ensure that security and intelligence agencies can anticipate technological changes that are coming down the track from major telecommunications companies and major commercial organisations that might potentially make their work more difficult or inadvertently put national security at risk. Rather than have everyone simply try to play catch-up in retrospect, including with criminals and terrorists who may exploit those changes, it is sensible to have in place in advance a process for constructive dialogue between companies and intelligence agencies to mitigate any adverse consequences for tackling serious crimes, such as child sexual exploitation. I hope Ministers will look at how far they can ensure that regulations to govern changes to the notices regime are properly consulted on, scrutinised and therefore set at the appropriate level, and that they continue to engage with technology companies on how they should be implemented.
We welcome the additional safeguards and the introduction of stronger oversight, including as a result of the discussions in the other place—for example, ensuring that more of the commissioners’ functions are put on a statutory footing; ensuring there is proper oversight of the use of third-party bulk personal datasets by intelligence services; and including additional protections, through Government amendment 45 in the other place, relating to confidential journalistic material and sources. We hope that that issue will be looked at further in Committee.
In the context of what the oversight arrangements should be, I ask the Government to look again at the role of the Intelligence and Security Committee. As a former member of the ISC—although that was now more than two decades ago—I can testify to the importance of the Committee and the seriousness with which all its members take their work. The Committee provides a level of oversight and scrutiny that cannot be provided in the normal way by other parliamentary Select Committees, due to the nature of the secret work our intelligence agencies need to do. It also performs an important role for Government. There should be the reassurance for Ministers that the work of the intelligence and security agencies is being appropriately scrutinised. The Government therefore need to look again at updating the memorandum of understanding for the ISC to ensure that it, too, can fit with the evolving landscape under the changes that are taking place, and to make sure that its remit can do so as well.
I will press the Home Secretary again on this issue. I understand that he cannot answer for Prime Ministers in a simple way, but I press him to take back to the Prime Minister the importance of recognising the serious role played by the ISC. It is not simply about the role of the Foreign Secretary or the Home Secretary; it is also about the role of the Prime Minister. There are powers that only a Prime Minister has and has to execute, as is reflected in the Bill. Therefore, recognition from the Prime Minister of the role of the ISC is important.
Finally, there is the complicated issue that Lord Anderson raised regarding the circumstances in which the Prime Minister’s unique powers can be delegated in the context of intercept warrants targeted at Members of relevant legislatures. There was a detailed discussion. Those warrants are rightly subject to a triple lock process which requires the authorisation of the Prime Minister. We recognise that the experience of covid and the hospitalisation of the then Prime Minister in 2020 gave rise to questions about what should happen in such circumstances and making sure there are proper procedures in place to ensure that there is no national security gap. Members in the other place were right to press for a tightening of those arrangements. That raises wider issues that the Bill cannot address: around what happens if there is a conflict of interest for a Prime Minister or circumstances in which a Prime Minister is accused of being careless on issues around national security. I do not think that that can be addressed by the Bill or perhaps by any legislation, but it is a salutary reminder to us all about the importance of Prime Ministers taking immensely seriously their responsibilities towards our national security and always behaving in a way that means that that can never be in doubt.
This should be a cross-party issue—a matter on which we all work together. I know that Members who are present this evening and have great expertise in this area will want to raise further questions about the detailed application of the Bill, and I hope that those will be considered in the same spirit that we saw in the House of Lords. Often in this place, the Government simply maintain their position and the detailed amendments are tabled in the Lords, but I hope that on this issue we will see the same spirit of cross-party discussion that we saw in the other place.
This is about ensuring that there is proper oversight and there are proper safeguards, but it is also, vitally, about defending our national security at a time of rapidly changing technology, when we all have grave concerns about the potential for terrorists, extremists and serious criminals to exploit that new technology to do us harm. We must all be vigilant, and ensure that the intelligence and security agencies are supported so that they can do the work we need them to do, on our behalf, to keep our country safe.
Let me say first of all that I am in favour of the Bill, which I think constitutes a sensible updating of the intelligence community’s powers in the ways that the Home Secretary and, indeed, the shadow Home Secretary have described. I am also in favour of the principle, mentioned by the shadow Home Secretary, that greater powers for the intelligence agencies should come with greater oversight of those powers.
I know that my colleagues in the Intelligence and Security Committee will want to focus on certain areas covered by the Bill. I want to focus my remarks on internet connection records, which are, of course, important pieces of intelligence. We are talking here about which internet sites were accessed and when, not about precisely what was viewed or what activity was carried out, but none the less this data can be of significant intelligence value. The Investigatory Powers Act 2016 allows for the obtaining of internet connection records data in certain circumstances. The circumstances on which I want to concentrate are those in which an intelligence agency is focused on the use of a particular internet service at a particular time and is keen to know the identity of the person or persons who have been using it at that time. This is covered by section 62 of the Act, which gives authority for an intelligence agency to obtain that information. The Bill seeks to broaden an agency’s power to act in those circumstances.
The law currently requires the agency to know specifically which service has been used, and specifically at which time it was used. Clause 15 seeks to extend that to allow the collection of ICR data to identify individuals using “one or more” specified internet services “in a specified period”. What that means, at least as the Bill is currently drafted, is that there is no apparent limit on the number of internet services that can be specified or on the length of the specified period, so the clause could allow an intelligence agency to collect ICR data on a large number of different internet services, and over a long period. That would inevitably involve data on the activities of a potentially large number of people, whereas the current law permits only examination of a specific service at a specific time, which carries much less risk of other wholly innocent and uninvolved individuals being caught in the net.
I do not suggest—and neither, I think, does the Intelligence and Security Committee—that the intelligence agencies do not need these wider powers. We do say, however, that this is a significant widening of their powers, and that it should therefore come with additional scrutiny from a judicial commissioner. I think we can deduce, not just from the debate in the other place, but from what the Home Secretary has said in this House and what other Ministers have said at other times, that the Government essentially have two arguments in response to that. The first is that this new power is not intrusive enough to merit extra oversight, as ICR data relating to those not subject to agency interest is not retained, and the second is that the power being proposed is no more intrusive than current powers to collect internet connection data.
On the first of those arguments, the fact that data is not retained does not mean that it is not intrusive to collect it. Many of our constituents would be concerned about their internet activity being scrutinised, even if no action were taken thereafter—and we should bear in mind that the Bill’s language does not limit that scrutiny to sites visited which are inherently suspicious. Even everyday online activity may be of interest in the case of individuals of concern, but this provision would mean that the everyday online activity of many who are not of concern will also be examined. That, we say, makes the provision worthy of additional oversight.
The second argument the Government might advance is that this is no more intrusive than current powers. That, I think, is true in terms of the depth of the intrusion—it is still the “when” and “where” of internet activity rather than the “what” that we are talking about—but it is not true in terms of its breadth. Many more people will be caught by it, and that is a significant and material increase in intrusion for the population at large. We therefore believe that the Government should think again, not about whether intelligence agencies should have these wider powers, but about whether there should be the involvement of external scrutiny to ensure that they are used properly.
There is only one other matter that I want to touch on briefly, and it has been mentioned already: the grounds on which powers such as these can be used. There are, essentially, three. First, they can be used in the interests of national security, and I have no argument with that. Secondly, they can be used in urgent cases to combat some forms of criminality. Thirdly, they can be used in the interests of the economic wellbeing of the UK, in so far as those interests are also relevant to national security. As the House knows, the last of those has long been controversial as an appropriate ground for action—and, of course, the more intrusive the powers that can be used with that justification, the more controversial it is. I think it fair to say that the ISC is concerned about its use in that regard, and I am sure the House will want to consider, as the Bill proceeds, whether its application to these powers and more generally is still appropriate.
Let me start with two thank yous. First, let me put on record my party’s gratitude to the intelligence services and law enforcement organisations that work so incredibly hard to keep all our citizens safe in the face of constantly changing and developing threats. Secondly, I thank all those who took part in the reviews of the 2016 Act that have informed the Bill. However, as Lord Anderson said in his own review, they should be a starting point for parliamentary scrutiny and debate rather than a finishing point.
Although any opportunity to revisit and improve the 2016 Act would generally be welcome, my party has serious concerns about certain provisions in this amendment Bill. In short, while it is constantly presented as “updating”, and as protecting and making efficient pre-existing powers, we fear that the reality is a very significant expansion of what are, we must remember, already extraordinarily wide powers by international standards. There are significant privacy and human rights risks, and the danger of increasingly widespread suspicionless surveillance. We fear that we may be handing invasive powers to intelligence and law enforcement agencies not because the powers are necessary or essential to their work but because they are convenient, and that is not striking the right balance.
All this is consistent with the very detailed and principled privacy and human rights concerns that my party raised in relation to the 2016 Act itself—particularly in the speeches made by my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), who is here to take part in the debate again today. As will be the case today, we did not oppose the Second Reading of that Bill, but in the absence of important amendments, or concessions and reassurances—again, as with the 2016 legislation—we keep open the option to oppose the current Bill at a later stage.
Today I will focus on concerns relating to bulk personal datasets, and on notices relating to changes in telecommunication services. I will also briefly flag up our concerns about internet connection records and changes to the offence of unlawfully obtaining communications data. My party also believes that this Bill provides an opportunity to revisit the whole issue of snooping on parliamentarians, if we are bold enough to take it.
I shall turn first to bulk personal datasets and part 7 of the 2016 Act. In short, we struggle to see that the proposed changes have been shown to be necessary. We fear that they will instead create even larger gaps in the oversight regime in relation to these capabilities. A whole host of concerns arises in relation to the provisions of clause 2 and the concept of data in relation to which there can be
“low or no reasonable expectation of privacy”.
Bluntly, I struggle to see how a decision maker is supposed to assess people’s reasonable expectations of privacy, and when we say “people” we can be talking about hundreds or thousands of people or potentially several million people. Within that group of individuals there will be many varying attitudes to further privacy, and the data related to individuals could vary hugely from the mundane to the deeply personal. It may be that there is supposed to be some type of “reasonable person” test applied, but is that reasonable person black, gay, Jewish or indeed a trade unionist? How are potentially very different subjective attitudes to be accounted for? These might seem like odd questions, but the experience in the United States of America, where a similar test is involved, proves that these questions are very real indeed. Is it a general question of privacy in relation to the data or a more specific question of expectations of the use of that data by intelligence services? What precisely is low expectation? This seems to be an impossible assessment to undertake in any realistic or meaningful sense.
I thank my hon. Friend for his kind comments earlier. As usual, he is making a very forensic speech. On this issue of a reasonable expectation of privacy, does he agree that clause 2 and clause 11(3) seem to be based on a legal misunderstanding that people lose their right to privacy when they happen to share certain information with someone else? He will be as aware as I am that that runs contrary to the jurisprudence of the European Court of Human Rights and that, by contrast, the Court has actually said that privacy includes
“the right to establish and develop relationships with other human beings”.
Does he agree that it is important to ensure that this Bill is commensurate with our obligations under the European convention on human rights?
My hon. and learned Friend will not be surprised to hear that I completely agree with her.
In fact, that brings me to the next point I want to raise in relation to clause 2. As well as putting in place what I struggle to see as being a reasonably operated assessment, the clause raises concerns in relation to consistency with data protection legislation and with human rights obligations. The factors to be taken into account when undertaking that really difficult assessment do not even expressly include the sensitivity of the data in question, which surely should be central to any question of processing. That is an inconsistency with existing data protection principles and laws, and I agree that the compatibility of such provisions with our human rights obligations is also surely highly dubious. Just because someone has shared personal data does not mean that they automatically lose their right to further protection around how that data is shared and processed, especially when it is sensitive personal data, as my hon. and learned Friend has just said.
The role of judicial commissioners in this area is even further diluted, reduced to reviewing by judicial review standards whether datasets do indeed relate to data where there can be low or no expectation of privacy. Frankly, that is not a safeguard at all. At the very least, their role needs to be strengthened when the Bill is considered in Committee. We also need to seek assurances around how the Bill will impact on the reporting of the retention and use of bulk personal datasets. If large numbers are retained under category authorisations, we may not know how many datasets are actually being gathered.
Let me turn to various aspects of part 4, on notices. Again there are some controversial provisions, particularly in clause 21 and the requirement on selected telecommunications operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively affect existing lawful access capabilities. That seems like an extraordinarily broad power, without anything remotely appropriate in terms of oversight and limitations. These powers are going to make the UK a real outlier. Essentially, the Secretary of State will be empowered to say to tech companies, “You are not allowed to improve your products without consulting us, so that we can still break in to access the data that we need and when we want it”. Despite what the Secretary of State says, taken together with other changes to review processes, such powers could easily be used to significantly delay, or de facto veto, updates to security, rendering everybody’s data more vulnerable to hacking by third-party actors.
That is simply incorrect, and I know that the hon. Gentleman would not wish to continue down a road that he knows to be incorrect. Let me just be very clear: this is a continuation of a power that was granted in 2016. The notice does not extend that power; it merely enables a conversation to begin with companies before any action is taken, to maintain an existing standard and not in fact to change it.
I am grateful for that clarification from the Minister, and we will of course engage further in this debate in Committee.
These concerns have been raised not just by me but by significant tech companies; this is not something that has come to me simply through perusing the Bill. The key question remains: why is there to be no proper oversight of these notices and notice powers by independent advance authorisation? Why is there not even the double lock that applies to other notices that can be served on communications providers under that Act? Surely that scrutiny should be carried out in advance. There are also lots of question marks around the expanded claims of international jurisdiction. How will potential conflicts of law be resolved, especially if a company subject to one of these notices that is contrary to its domestic laws cannot even say anything about it because it is bound to secrecy by this legislation? What are the prospects of other Governments copying what our Government are doing and seeking to replicate such provisions, and what would the impact of that be on UK companies?
Turning to internet connection records, the starting point is that we should remember that no other European Union or Five Eyes country permits the requiring of ICR generation or retention in relation to its own residents, so this was a hugely controversial development in the 2016 Act. As we have heard, ICRs can reveal huge amounts of deeply sensitive information about a person. For now, secret services can seek ICRs only when certain facts that are already known, such as the identity of a person connecting or the time and use of the connection, so that the retention is at least targeted in some way.
The risk in this Bill is that reasonable suspicion will no longer precede targeted surveillance. Instead, the Bill would seek to use ICRs for the discovery of new targets, which is a really significant jump and development. I can genuinely understand some of the reasons being offered for this change, and I am not unsympathetic to the case being made, but if these powers are not carefully circumscribed, they risk creating a big step towards mass surveillance and fishing exercises. We need to ask whether there are less invasive alternatives and whether these powers are therefore really necessary. Alternatively, we need to look again at the oversight mechanisms for the use of these powers.
We also have concerns about the Bill’s proposals in relation to the offence created by the 2016 Act, where relevant persons in a relevant public body knowingly or recklessly obtain communications data from a telecoms or postal operator without lawful authority. This Bill seeks to set out examples of what would amount to lawful authority, which is a laudable aim. However, there are real questions about whether some of the examples in clause 12 are not in fact redefining the concept of lawful authority. In particular, the assertion that there would be lawful authority simply because
“the communications data had been published before the relevant person obtained it”
is controversial. That is particularly so when
“‘published’ means make available to the public or a section of the public (whether or not on a commercial basis).”
As I said in relation to bulk personal datasets, limited publication is not authority for intrusive surveillance. Could a simple private message not amount to publication of comms data? The implications of this definition of lawful authority need very careful scrutiny indeed.
Finally, on the interception and hacking of parliamentarians, making provision for circumstances where the Prime Minister is unavailable to play his part in a triple lock seems sensible, but the fact that the issue of snooping on MPs and others is being revisited should trigger us all to rethink the whole scheme. Our role of representing our constituents, interrogating legislation and holding the Government to account should not be interfered with lightly. We should take the chance to consider post-surveillance notification of MPs who have been spied upon, by judicial commissioners, once investigations are completed. As matters stand at the moment, redress is almost impossible to obtain. We should also require that the investigatory power commissioners be informed every time these powers are used, so that there is transparency about how often this is happening. All other options should be on the table as well.
I started by thanking intelligence and law enforcement authorities and I am happy to do so again in closing, but our respect for them does not mean we should ever consider writing blank cheques or handing them whatever powers they ask for. They are not perfect. From time to time they exceed their powers and certain individuals abuse their lawful capabilities. The powers that they seek through this Bill are extremely invasive and broad in scope. There is a real danger that key provisions of the Bill will go beyond what is necessary and get the balance with privacy and human rights wrong. These provisions will need serious scrutiny and revision in Committee, and that is what we in the SNP will seek to secure.
Hegel said, “What is reasonable is real, and what is real is reasonable.” In facing the very real threats that pervade, it is certainly reasonable that we equip those missioned to keep us safe with the powers they need to do so. That is partly about putting in place a legislative framework that allows them to counter those threats, for we know what will happen otherwise. We sit in this Chamber graced by the coats of arms of our former colleagues Jo Cox and David Amess. We in this place know what it means when those missioned to keep us safe are unable to do so.
On that basis, I was proud and pleased to take the original Investigatory Powers Bill through this House—some veterans of its passage are in the Chamber tonight—and, in doing so, we were conscious of the need to strike a balance between, on the one hand, providing the powers and equipping the police and the security services with the necessary mechanisms to do their job and, on the other hand, retaining both the privacy of individuals and putting in place the necessary safeguards mentioned by the shadow Home Secretary, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper).
That balance was at the heart of our considerations then. I am conscious that I said in that debate:
“It is important to understand that privacy is at the very core of the Bill… The protection of private interests and the protection of the public are at the heart of all we seek to do”.––[Official Report, Investigatory Powers Public Bill Committee, 12 April 2016; c. 90.]
That remains so, but it is also important to recognise that we always anticipated that the legislative arena was bound to require a dynamic approach, of the kind we are discussing this evening, and that we would need to update the legislation to deal with the changing character of the threats I described. It comes as no surprise that the Government have introduced legislation to do just that, to add to what is already on the statute book and to make it more appropriate.
The right hon. Gentleman and I often crossed swords during the passage of the 2016 Act, but we have since reached a point of rapprochement on discovering our mutual passion for the importance of freedom of expression. From what he is saying this evening, I think we can also agree on the importance of privacy. Of course, that comes from the right to a private and family life under article 8 of the European convention on human rights. Does he agree that it is unfortunate, given this Bill’s huge implications for our constituents’ privacy, that the Government have decided not to conduct a privacy impact assessment? Surely such an assessment is vital, and it is perhaps something upon which he and I can again, rather unusually, agree.
Our agreements are becoming rather less unusual. I do not know whether that gives the hon. and learned Lady any pleasure, or whether it causes her pain. None the less, she is right that, when we consider such legislation, it is important that it is scrutinised to an even greater degree than we would normally expect in this place.
The 2016 Act was considered by three Committees of this House. It was subject to pre-legislative scrutiny by a Joint Committee of both Houses of Parliament and, indeed, the bulk powers, which have been mentioned, were subject to an independent review by David Anderson, who has since been elevated to become Lord Anderson.
The hon. and learned Lady is right that the need for scrutiny is profound, particularly when we equip organisations with extensive authority to invade private space. Of course, we will not know much of what they do. Many of the individuals involved in the security services and the police, and the work they do, are rightly unknown to all but a few, so it is all the more important that, in giving them such authority, we behave in the way that the hon. and learned Lady describes—I am now adding to the small, two-person coalition formed between us.
It is right that the legislation is updated to make it fit for purpose. The ISC, of which I am also proud to be a member, has been told of the need for urgent, targeted and necessary changes. When we consider this Bill, we should test whether its provisions are indeed urgent, targeted and necessary. I am not absolutely convinced that all we see before us passes that test, and I will say a little more about that when I come to clause 14 and its associated schedule.
There is more expertise in the Chamber tonight than I could possibly imagine but, by way of background for the wider audience, I will say a word about what the 2016 Act does and why this Bill therefore matters. The Act provides the law-enforcement and security services with the vital powers they need to keep us safe, and it does so in a way that is clear and transparent.
When we passed the Act into law, we ensured that the safeguard mechanisms were radically overhauled. The innovative double lock that we put in place was, at the time, unprecedented. As the shadow Home Secretary said, it does two things: it provides the necessary protection that she describes, but it also gives the security services confidence that what they are doing is not only authorised but thoroughly checked. It is also good for Ministers to know that the process has judicial oversight as well as political oversight.
There have been a number of changes since the Act was passed, both in the job done by the security and intelligence services and the police and in the reason they have to do that job, for the people who seek to do us harm are dynamic, too; they change what they do, and technology has also changed. All of that explains why this Bill is, in broad terms, welcome and necessary.
But the powers I describe are not given solely to the people I mentioned. They are also given to a number of other public bodies. This was debated at great length when the 2016 Act was considered in this place. These public bodies—ranging from local authorities to the Environment Agency, the Health and Safety Executive and all kinds of others—have proper legal functions. I am not debating that, but they are not quite of a kind with the security services and the police. To grant these bodies such intrusive powers was always controversial and, to put it mildly, was bound to give rise to some scepticism.
When Parliament considered the Act, we deliberated on that provision in great detail and took a very considered and cautious decision to restrict the use of the power, which we considered to be intrusive. As a result, the public bodies that I have described, including the Environment Agency, the Health and Safety Executive and local authorities, are required to take further procedural steps in order to compel the disclosure of communications data from telecommunications operators. They must obtain either an authorisation under the current IPA, a court order or other judicial authorisation, or regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as secondary data as part of a valid interception or equipment interference warrant. So their ability to take advantage of the powers within the existing Act is both limited, particular and subject to those safeguards. The Bill before us seeks to remove that requirement for those further procedural steps in relation to a wide range of public regulatory authorities.
Worse still—I hope the Minister will correct this in his summation—we have yet to learn which those bodies are, as we have not seen a list of the authorities. I hope we will get that list, if not tonight—as it is a big ask for the Minister to read them all out in his 10-minute summation, I hope he will write to the House, and put a copy of the letter in the Library, explaining which bodies will enjoy those powers.
The Government’s argument for removing the restrictions I have set out is that a broader array of communications now fall into the category of communications data—the definition of communications data has broadened—and that a wider number of organisations now constitute telecommunications operators. As a result, it is said that the current restrictions prevent some regulatory authorities from acquiring the information necessary to carry out their statutory responsibilities. The problem with that argument is that unless we know what those regulatory functions are and unless we understand which bodies are involved in the supervisory functions, it is hard to know whether the changes before the House can be legitimised. I have no doubt that will be explored in Committee— I would be amazed if it is not—but it would be helpful if the Minister could be ahead of that further consideration and clarify which specific bodies will fall into this category.
As I said, the issue was highly scrutinised when we last debated these matters. At that time, the powers were tied to national security and serious crime circumstances only, to avoid impinging on the very privacy mentioned by the hon. and learned Member for Edinburgh South West (Joanna Cherry). For that reason too, Parliament granted the powers to a limited range of organisations. We should not brush that aside lightly. Colleagues will be aware of various reports of the intrusive use of investigatory powers by local authorities and other public bodies. The House would not be content to introduce sweeping powers for an unknown and potentially unlimited number of public bodies, when a previous Parliament decided that was too intrusive. I would like the Minister to satisfy the House about the necessity of the change, to specify to whom the change will apply, and to reassure us that there is no weakening of the core connection between the privacy of the individual and the necessary powers available to do what is legally right.
As I said earlier, in broad terms the Bill is welcome. It is important to understand that we need to update the legal framework in which those missioned to keep us safe operate, but the Bill can be improved during its scrutiny. I simply point out that when we debated the Act in its original form, we recognised that through scrutiny that Bill could be improved. As we continue consideration of this important measure, I hope that this Minister—one of my successors as Security Minister—will recognise the same.
In common with all the speakers who have made their contributions thus far on Second Reading of the Investigatory Powers (Amendment) Bill, I will not say that I oppose the Bill or that these powers should not exist or be updated in this rapidly developing area of technology. As others have observed, the rapidly evolving technology is creating threats about which we could not have dreamed when the original Act was introduced after an ISC report on privacy and security in 2015. Although the issues are evolving, some things stay the same, namely that in a democracy it is important that the security services and all the agencies, whether they relate to police or security, can be held to account by the democratic structures that are created to make our democracy real.
I emphasise a point that has not been stressed by others: we are living through an era during which authoritarian governments across the world are beginning to challenge the openness of democratic structures and test whether those who live in a democracy have the political will to maintain their democracy, keep it vibrant and protect it from threats. Against that background of being challenged—we do not have to look much further than Europe and the borders of Ukraine to see how some of those challenges are beginning to develop—we are being asked whether we rate the health and strength of our democracy enough to protect it. We are also being asked, which is the nature of this debate, to justify the powers we are giving to the security and police services to our constituents and those citizens of our country who wish to see their democracy protected, as well as having a proper balance between democratic oversight safety and the powers we give our security services to do their jobs.
As others have mentioned, there is a balance between the effectiveness and speed of those powers and the safeguards that this Parliament puts in place in order to ensure that there is proper oversight and use of them. We have heard how that balance and safeguarding has been developed in law. We are looking now at amendments to the existing law in order to update and modernise those powers to make them more effective, efficient and easier to use, and to ensure protecting our security, be it from criminality, terrorism, paedophilia or state actors who wish to our country harm, is balanced correctly with safeguards, openness and transparency oversight. Then we can protect our society and values, while respecting the privacy of every individual citizen who enjoys the freedom of living in our democracy.
The Bill seeks an expansion in investigatory powers and some of those powers available to agencies to deal with the evolution of this area. Our job, not only in the debate tonight, but in the scrutiny of this Bill in Committee, is to test and ask the appropriate questions about whether the right balance has been struck by Ministers and the relevant agencies in the extra powers that they want to introduce. As the newest member of the ISC, I believe that, as the investigatory powers evolve, it is also important that the powers of the Intelligence and Security Committee to do its job in these new areas are properly developed and resourced. I shall just leave that on the record. It is not a surprise to those who have read the Lords debates that this is an issue.
I draw attention to an area of the Bill where amendments were agreed in the Lords: what is known as the triple lock, rather than the double lock. That is the mechanism that protects the communications of Members of this Parliament and other relevant legislatures from being arbitrarily intercepted by agencies for no reason. In fact, it is part of the protection that one would expect in a robust democracy for those people who are elected to represent their constituents. They have a reasonable expectation, I think, to be allowed to go about their business without being subjected to that kind of intrusive power, unless there is an extremely good reason for it. Members will know that the underlying principle is that the communications of Members of this Parliament and other relevant legislators should be intercepted and read only where it is absolutely essential to do so—in the most serious of circumstances. In the Investigatory Powers Act 2016, which this Bill will change, Parliament recognised that that was an issue by adding a third layer of safeguards to the approval process for warrants for targeted interception and targeted examination of communications. Those warrants are issued only by a Secretary of State and reviewed by a judicial commissioner, which is the double lock, but they are also approved by the Prime Minister personally. As my right hon. Friend said from the Dispatch Box, there is an issue if the Prime Minister is unavailable to do that. It is important that there is not a gap in security protection, which would happen if the Prime Minister is unable to be the third part of that triple lock.
Nobody disagrees with the idea that that process should be made more robust, but there is also an issue about how wide the power to issue that final approval—currently, that final approval rests only with the Prime Minister—should go. There were debates about that when the Bill went through its stages in the other place. The question of balance is how the new Bill deals with ensuring that the triple lock is robust while not creating a lacuna should the Prime Minister be indisposed and unable to issue warrants without that power going too wide. The ISC supports the intention behind this, which is to provide resilience around the current arrangements. It is important that the Prime Minister is the person who approves these things, but this may affect the operations of the intelligence agencies when they are seeking a targeted interference or a time-sensitive warrant. None the less, there was agreement that, in truly exceptional circumstances, it may be appropriate for a Secretary of State to temporarily deputise for the Prime Minister. The Committee considered that it was important that decisions in this area should be delegated only in the most exceptional circumstances, and delegated only to a limited number of Secretaries of State who are already responsible for authorising relevant warrants. We want the Prime Minister to retain sight of all warrants relating to Members of a relevant legislature. Most of that was agreed in the other place, although there is an issue about whether the relevant Secretaries of State—there can be up to five of those—are ones that already issue warrants.
I was a little taken aback that the Home Secretary just assumed that, once these had been agreed by a substitute, they would automatically be reviewed by the Prime Minister. Clearly, that is a big assumption. Does my hon. Friend not think that it would be better if we put it in the Bill that the Prime Minister had full oversight of this warrant?
Clearly, putting such things in the Bill is often an important safeguard. Certainly, I do not understand why the delegation of these powers should not be limited to Secretaries of State who also issue warrants. I do not quite understand why there is an obsession with five Secretaries of State. We could have four and still have robust oversight.
Is the hon. Lady aware that the Wilson doctrine is still in operation? This came about in the ’60s and ’70s when Harold Wilson, the Prime Minister of the day, gave an undertaking to this House that the mail of Members of Parliament would not be routinely tapped; it would happen only in exceptional circumstances. All this triple lock is doing is putting that doctrine on to a statutory footing.
I thank the hon. Gentleman for his comments. Obviously, the Wilson doctrine is in the previous Investigatory Powers Act. However, given what happened with the incapacity of the Prime Minister during the covid pandemic, we are seeking to tweak it. It seems sensible to do so, but we need to tweak it in a way that is as narrow as possible to ensure that there is no lacuna in protection.
I wonder why this idea of five Secretaries of State is so important. I also wonder why we cannot restrict the Secretaries of State who could operate in place of the Prime Minister in this very particular circumstance to those Secretaries of State who also issue warrants, and why that cannot be on the face of the Bill. I hope that, in his response, the Minister might have some contribution to make about why the Government are sticking on this particular issue, given that everyone understands how important it is to have resilience. But the resilience that the ISC is seeking is slightly stricter than that which the Government seem to wish to grant. It would be helpful for Committee stage if the Minister explained why that is.
It is important that our discussions on particular bits of the Bill, which we will have in Committee, are seen in the context of a widespread acknowledgement that we need to ensure that the investigatory powers to which the Bill relates are updated, and continue to evolve, to make them relevant, and efficient and effective to use. At the same time, any expansion in investigatory powers must have particular safeguards and oversight in a democratic country, so that we can assure our constituents that it is being done in the interests of preserving our democracy and ensuring that we can protect the population from growing and ever-evolving threats, be they of terrorism, state actors or crime, and that their human rights and rights to privacy are still appropriately protected with proper oversight, which of course the ISC is an important part of.
It is a pleasure to follow the hon. Member for Wallasey (Dame Angela Eagle). As she mentioned, she is the newest member of the Intelligence and Security Committee, but that has not prevented her, as we have seen this evening, from already making a valuable contribution to our work. As Chairman of the ISC, I will set out the Committee’s view of the Bill as a whole, based on the engagement that we have had with the intelligence community, and with the Government more broadly, on the legislation. In doing so, I pay particular tribute to our member in the other place, the noble Lord West of Spithead, who has already clearly set out our Committee’s position there, and had success, in at least one respect, in obtaining an improvement to the Bill. In looking at the Bill as a whole, I will also touch on one other specific matter in addition to those that my colleagues have tackled individually.
As right hon. and hon. Members on both sides of the House will be aware, the original Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee’s 2015 report on privacy and security. The report recommended the creation of a new Act to set out clearly: the intrusive powers that are available to intelligence agencies; the purposes for which they may be used; and the authorisations and, crucially, the oversight that should be required. There have, however, been a number of developments since the Act was introduced. As the Home Secretary said in opening the debate, we now face a different threat picture, with greater danger from state actors, a significant rise in internet-enabled crime, and an ever-accelerating pace of technological change.
The ISC has therefore made time to consider and scrutinise the case for change put forward by the intelligence agencies and the Government, and to take classified evidence on the Bill. I can tell the House that, broadly, the Committee welcomes the Bill as a means of addressing those developments that have the potential to undermine the ability of the intelligence agencies to detect threats and protect our country. However, as we have heard, there are several areas in which the Committee considers that the Bill goes too far. In particular, it does not yet provide the safeguards and oversight that are so essential when it comes to secretive actions that have the potential to intrude on a great many people.
The Bill seeks an expansion of the investigatory powers available to various public bodies. The Committee is in agreement that, at least in the case of the intelligence services, that is justified, but we are still sceptical—this was eloquently presented in more detail by my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes), who took the original legislation through when he was Security Minister—of the broad way in which some powers have been restored to an unknown number of as yet unidentified public bodies through clause 14. Any increase in investigatory powers ought to—indeed, must—be accompanied by a concomitant increase in oversight. That is a very basic principle that Parliament has always expected to be followed. By oversight, I do not just mean parliamentary oversight as exercised by my Committee, but robust ministerial, judicial and regulatory oversight too. During the passage of the Bill, Members of the Intelligence and Security Committee will seek to ensure the inclusion of necessary safeguards and sufficient detail on those safeguards.
The Bill deals with a number of technical areas, where it is right that the necessary guidance is provided in codes of practice. However, matters that deal with procedural safeguards or external oversight must be on the face of the Bill to ensure that they are adhered to and cannot be changed or watered down without Parliament being consulted.
I am sorry to say that in recent years the Government have been reluctant to ensure that democratic oversight keeps pace with intelligence powers, particularly where it is related to the remit and resources of the ISC, which have been increasingly undermined in a way that I believe Parliament never intended. It is therefore imperative that Parliament ensures that the safeguards and scrutiny provided by the ISC and other external oversight bodies, such as the Investigatory Powers Commissioner, are clearly set out and cannot be discarded on a political whim. That means putting them in the legislation itself. Fine words in a code of practice are, I am afraid, not worth the paper they are written on; the statute must include everything that is needed to provide Parliament and the public with the necessary assurance that investigatory powers are tightly drawn and robustly scrutinised.
The Committee therefore expects the Government to take this opportunity to bolster the effective oversight that they keep saying they value. Actions speak louder than words, as is often said, so I look forward to hearing the Minister’s assurances in his response to our interventions. I hope that he will be able to find a solution both to the individual aspects of the Bill that continue to be raised, and to our overarching concern about the diminution of parliamentary powers in respect of national security.
I would like to highlight one particular issue, which concerns my colleagues on the ISC and myself, relating to the oversight requirements for the retention and examination of bulk personal datasets. The Bill will insert new section 226DA into the Investigatory Powers Act 2016 to require each intelligence service to provide the Secretary of State with an annual report detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question.
In the upper House, Lord West, on behalf of the Committee, tabled an amendment that was designed to ensure that there is independent parliamentary and judicial scrutiny, too—I emphasise that—of this information, rather than just political oversight. The amendment would have achieved that by providing that the annual report that the Government propose be sent to the Secretary of State should also be sent both to the ISC and the Investigatory Powers Commissioner. One would think that that was a pretty reasonable request. Such a measure would rectify the current gap in parliamentary oversight of these authorisations and complement the commissioner’s existing powers of inspection to provide oversight at all levels.
Unfortunately, the Government did not accept the amendment. However, they did at least acknowledge that the gap existed and that some level of parliamentary oversight of the new regime was needed. The Government therefore introduced their own amendment, which, rather than providing the ISC with the same report that they are providing to the Secretary of State, places an additional duty on the Secretary of State to provide a separate report to the ISC. Notably, even this secondary report would not be provided to IPCO. That Government amendment is now proposed new section 226DB.
Although we are reassured that the Committee’s strength of feeling, which was matched by the feeling of noble Lords in the upper House, has been recognised by the Government, what concerns the Committee is why the Government have chosen to craft a separate amendment requiring a separate report to be drawn up.
There are three key differences of which the House will wish to be aware between the proposals of the Committee and those of the Government. The first is that the Government’s proposal will actually create more work for the intelligence community because, instead of simply sending the existing annual report to the ISC, it will have to produce an additional report. That seems entirely at odds with the Government’s general approach to the Bill. The Minister in the upper House was keen to emphasise the need to minimise the burden on the agencies when it came to other elements in the Bill, so it is most peculiar that the Government are deliberately choosing to increase the burden unnecessarily.
The second difference is that the Government proposal excludes the Investigatory Powers Commissioner completely, and it is not clear why. Oversight by the commissioner should be regarded as essential, because that is what it is.
The third and most important difference is that the Government amendment is less specific on the information to be provided to the Intelligence and Security Committee, and does not include individual authorisations within its scope, only category authorisations. It therefore does not provide the same level of assurance to Parliament and the public that the ISC will be fully sighted on the operation of this new regime. It is that final point that is causing us most concern. I therefore seek assurance from the Minister that the Government proposal will not limit the information received by the ISC to category authorisations, and that all the information contained in the report to the Minister will be contained in the report to the ISC, unless it is material that falls strictly within the definition of current operations at the time at which the report is provided, which we accept is the one thing that we do not generally see. That definition should be strictly as set out in the Justice and Security Act 2013. Any excisions beyond that would undermine what we presume is the intent to provide assurance to Parliament and the public that the regime has robust democratic oversight.
Finally, I simply reiterate the key point: the Bill seeks an expansion in the investigatory powers available to the intelligence services. Although that expansion may be justified, any increase in investigatory powers must be accompanied by a concomitant increase in oversight, and the Government have not yet fulfilled that requirement.
Let me start by thanking our security services. I think I am now the longest-serving member of the ISC, and it is a privilege to work with them and scrutinise their work, as our Committee does. They do not get a great deal of publicity—for the right reasons—but when they do, it is sometimes not factual by any stretch of the imagination. They do an invaluable job, and in protecting our democracy, the threat that they face—that we all face—is changing, so the Investigatory Powers Act 2016 needs revising.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) said, the important point is that any new powers that we give the security services to act on our behalf should come with an equally balanced level of scrutiny and oversight. I see the scrutiny of our security as like a three-legged stool, with the Investigatory Powers Commissioner, the Investigatory Powers Tribunal, and the ISC. Well, actually, I would say that it is more like a two-and-a-half-legged stool, because the Home Secretary has done what most Ministers do; they say how wonderful the ISC is, how much they value our work, and that they want us fully involved—in passing this legislation, for example—but since 2017, when I first sat on the ISC, there has been a marked increase in lip service paid to it, as I think we see again in the Bill. As my right hon. Friend the Member for Normanton, Pontefract and Castleford (Yvette Cooper) said, we have not met the Prime Minister for 10 years—any of them; I think we had one who offered to come in the dying days of her Administration. We have taken evidence from the security services on the Bill, and I have to say that they are not the problem: it is the Government who are the problem all the time. That was the case with the National Security and Investment Act 2021. Frankly, it is an uphill struggle to get things changed in this Bill—changes that would not only improve the Bill, but make sense. One has just been highlighted by the Chairman of the ISC, the right hon. Member for New Forest East (Sir Julian Lewis).
On occasions, it is a bit like going round in circles. I will give an example. We have actually made one little advance in the other place, in terms of acceptance of the changes to do with the triple lock. Now, though, the sensible thing we are asking for—that it should be in the Bill that the Prime Minister should actually see those warrants—is being resisted as though it would somehow stop the world. I am sorry, but I do not think it would. I think the Government believe that they have to be seen to be resisting any changes. I like the Minister, but the passage of the National Security and Investment Act was a pretty dark day for the Government’s relationship with the ISC, because we had to fight tooth and nail to try to get anything changed in that Bill.
I think the Minister was, actually. I think he picked up the tail end of that Bill.
The ISC has looked at this issue in detail. We have taken evidence from the heads of the security services, and we want to be supportive of change, but we also want that important role of scrutiny and ensuring the public are protected from the occasions when things might go wrong. The other thing that struck me today is that, although the Home Secretary can read a good speech, I am not sure he had a great grasp of some of the detail of the Bill. All I ask of the Minister is to please take on board some of the things we are saying, so that we can make progress in Committee. They are not radical things that are going to upturn the Bill; they are things that will improve it. I suspect that in certain parts of the Government there is a hatred of the ISC, and the belief that we have to be resisted at all costs. That will lead to a poorer Bill, because the amendments we will be tabling would actually improve the Bill. Lord West also did a great job in the other place.
I now turn to clause 2 of the Bill, which introduces the bulk personal data regime. There is a worrying gap: oversight of what are deemed low or no privacy datasets added to category authorisations. At the moment, the system does not work, because things like the electoral register have to get special permission. That is silly, frankly, but we need to ensure that these provisions are scrutinised.
New part 7A of the Investigatory Powers Act 2016, introduced by clause 2, provides for a light-touch regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of that data is deemed to have low or no reasonable expectation of privacy. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) said, people are increasingly giving their personal data with little thought to how it is going to be used—not just by the intelligence services, but for commercial purposes. That needs looking at.
Approval of such a dataset will be sought either under a category authorisation, which encompasses a number of individual datasets that have a similar content and may be used for a similar purpose, or by individual authorisation, which covers a single dataset that does not fall neatly into a category authorisation or is subject to a complicating factor. For a category authorisation, a judicial commissioner will approve the overall description of the category authorisation before it can be used. A judicial commissioner will approve renewal of the authorisation after 12 months, and the relevant Secretary of State will receive retrospective annual reports on the use of category and individual authorisations.
However, as the Bill is currently drafted, this oversight is all retrospective. The problem is that what is missing is real-time or even near real-time oversight of changes. Under the present regime, once a category authorisation has been approved, the intelligence services have the ability to add individual datasets to that authorisation through internal processes alone. They examine the dataset without being subject to any political or judicial oversight, and they would be able to use those datasets for potentially a year without anybody being any the wiser.
We do not question why the security services need these powers, but there is potential for mission creep without any oversight of what is being authorised. We are not saying that these powers are not required; they are required. What we are really being asked to do is rely on the good faith of the intelligence services to use the powers in a certain way. I do not think that is strong enough, and no legislation should be solely dependent on good will. We also have to guard against—there are such occasions—situations when mistakes happen or people use powers for purposes that are not in the public interest.
It is important that we fill this 12-month gap, and the ISC thinks that the easiest and simplest way to change this process would be for the Investigatory Powers Commissioner to be notified when an individual bulk personal dataset is added by an agency to an existing authorisation. I understand that Lord Anderson of Ipswich, in his review of 2023, recommended a similar proposal. The argument from the Government—it is similar to what they have used throughout this Bill, as the Committee Chairman has remarked—is that that will be onerous in adding to the work of the intelligence services. Well, it would not, because it would simply mean sending a one-line email to the Investigatory Powers Commissioner containing the name and description of the bulk personal dataset as soon as reasonably practicable.
The decision would be approved internally and then sent to the Investigatory Powers Commissioner, so it is not actually asking for approval. It is just making sure that the Investigatory Powers Commissioner is aware of what is being added, and that the individuals taking such a decision realise that they must inform the Investigatory Powers Commissioner. That would obviously allow the Investigatory Powers Commissioner to look at trends in what is happening. Clearly, after the 12 months, they could look back, but they could also intervene if they thought something was not in touch.
An argument the Government use quite often about this Bill is that it is to have a light-touch approach, and I think this suggestion is for a light-touch approach. I do not know what is onerous about the security services sending an email to the Investigatory Powers Commissioner. I think it would ensure the oversight that is needed. Real-time oversight is what we are suggesting, and I do not think it would add to the administration of the security services, but it would lead to the Investigatory Powers Commissioner at least having some visibility on another layer at which decisions are taken.
The proposal would be a very simple thing to do, and I do not understand why the Government are resisting it. I suggest they are resisting it for the many reasons they have resisted some of the other sensible things we have put forward: just because they want to do that. I do not know how we go forward with the relationship between this present Government and the ISC. Dragging information out of them screaming and kicking is taking a long time, even though we have a legal duty to get information, and the critical point now is the starvation of resources from the Committee which is creating real problems in the way that it can operate.
I hope that things change and that when we table amendments we will not get the usual response that amendments to this type of legislation should only be done in the Lords. Are we here to cause trouble for the security services? No, we are not; we want to ensure we do our job, which is set out in statute, to supervise the security services and improve the powers, but to ensure that the public have the recognised safeguards we should expect in a democracy such as ours.
Unlike most Members present, I am not an expert on security. We in this House often have to be generalists. We are here to participate in debates, to understand legislation and to raise concerns where we see them. Like all Members who have spoken before me, I would like to put on the record my deep gratitude to our security services; I regard them with the highest respect. We all regard them with the highest respect and within that there is a slight danger: we respect them and admire their work so much that we are almost always going to grant them what they want. That is a danger, because our duty is to scrutinise what people want and, as the right hon. Member for North Durham (Mr Jones) has just said, not to create trouble but to raise questions of concern. I know these questions of concern will be well received by the Minister on the Front Bench, who thinks deeply about these matters and is also a good friend of mine.
I will be brief because we are coming to the end of the evening, but I want to look at clause 15 and internet connection records. The general rule of investigation is that suspicion precedes surveillance, so if there is good reason to believe that someone is up to mischief, we can start to look at them more closely; we can conduct surveillance to see if our concerns are factually based. The problem with the recommendation in clause 15 is that it allows for target discovery as opposed to target development. If I have got this wrong, I am happy to take an intervention, but what target discovery means to this layman of security matters is possibly going on fishing expeditions—just looking out there to see what is going on and processing enough data on enough people. As my right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) said, people who are perfectly innocently going about their business will get caught up in this data-processing machine just to make sure they are not up to anything nefarious, dangerous or unpleasant. That causes me some concern.
I do want bad people to be caught—I benefit from the capture of bad people; my constituents benefit from the capture of bad people—but surveillance always needs to be proportionate and risk-based, as the hon. Member for Wallasey (Dame Angela Eagle) said in her speech. Freedom is important. One of the most ridiculous constructs in the English language is “Nothing to hide, nothing to fear”, because if people saying that genuinely believed it, they would not have any curtains in their home.
The truth is that we like to think that we have private space in which to operate and go about our legitimate business without the state taking a view that we are up to mischief or might be up to mischief. I know that point was touched on in previous speeches. I think the Chairman of the Committee, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), who is also a good friend, touched on it. Sometimes it is difficult to keep up with experts, but he made it clear that the Committee has concerns about these new powers.
I said I would speak briefly, so I will just close on this point. There are people in this country who like to protest and, frankly, often get in the way of other people, but what they are doing is not illegal. I would hate to think that people within those organisations might end up having their internet records checked out, just to make sure that they were being good citizens. I remember that during the debates on covid-19 perfectly respectable, hugely respected scientists and respected Members of this House were raising concerns about Government policy on lockdowns. I am not saying that the security services were keeping tabs on their interventions, but we know from subject access requests that people in Government were keeping tabs on these people, as if what they were doing was against the interests of the state. That is why I raise my concerns about the clause. I hope the Government will bring forward amendments, but if they do not, I hope they will not be too offended if I perhaps bring forward some amendments on Report.
First, I thank all right hon. and hon Members for their contributions. This is a complex issue, and that is clear from the level of scrutiny and debate we have seen thus far. The Bill seeks to find a balance—the shadow Home Secretary referred to that very word, “balance”—between necessary investigatory powers and not having a Big Brother, nanny state.
I thank, as others have done, the security forces and those involved in the intelligence sector for all that they do, their work and their commitment and dedication to the job, which have made all our lives safer. Many in this House—I know a few, anyway—could say that they owe their lives to them, and I would be one of them. I thank them very much for all they have done.
I am keen to see work on international terrorism. I was talking to my friend, the right hon. Member for North Durham (Mr Jones), about how international terrorism works. The Real IRA has contacts in the middle east and eastern Europe. It has contacts where all evil organisations come together, because their ultimate intention is to create havoc and murder innocent people. This Bill is important, because it can address terrorism in Northern Ireland and its contacts with international terrorism. I hope and pray that the work will be successful. As someone who has lived through years of terrorism, I am well used to curtailed freedoms, with checkpoints and stop and search. I have understood the necessity for that and have been thankful for those protections. Let me be clear: I have no issue whatever with this Bill in principle, but I have some questions for the Minister.
Various constituents have contacted me to express concerns, and I want to put those on record, ever mindful of supporting the Government on this issue as measures come forward. I will take a few moments to seek some clarification. First, a concern has been outlined to me about having a notification requirement to require operators to inform the Secretary of State if they propose to make changes to their products or services, and I am sure that other Members have received that briefing. Open Rights Group states:
“While this objective may appear to be reasonable, it would allow the Home Office to prevent secure services from launching in the UK, even where they are rolled out elsewhere. This provision would allow the Home Office to place itself in a position of power over the provider as soon as it hears about the possibility of data being less accessible than it is currently. This situation would take place without reference to an independent authority to assess the rationale or proportionality. Such a move might not be proportionate, for instance, if the security technology had already been introduced safely and with demonstrable benefits to users in other parts of the world.
Open Rights Group is concerned that these powers could deny people the access to technological developments upon which people’s free expression and right to privacy rely. For example, major tech providers such as Apple have stated that they would pull certain services from the UK rather than compromise their security if this power was used to prevent them from rolling out security updates.”
I gently ask the Minister to be clear about why the presumption should not be made in the manner I outlined and what discussions have taken place to ensure that providers such as Apple can work securely in the UK. The right hon. and learned Member for Fareham (Suella Braverman) referred to the dark web and all the things that can happen in it. It is really important that the dark web is taken care of in this legislation.
Also highlighted to me were end-to-end encryption issues and the inability of service providers to see service users’ content in their apps and systems. I am not a technical whizz kid; I am the very opposite. I am of that old generation who can just about do text messages on their phone and turn on Zoom meetings, but if something goes wrong, I am lost. When it comes to technology, I am not au fait with it, but I do know this. I understand the need for people with no question mark above them whatsoever to know that their messages are private and that the Government are not storing information—that could be accessed by others—on them for no reason. It is important that that never happens.
Data breaches affected staff in my office when my accounts in the House were hacked in the last fortnight. We let the security people know, and I understand that it is not unusual for it to happen, but when it does and people’s content is accessed, it is important that such breaches are taken care of. We have also had the breach of data on police officers in Northern Ireland. Those are both testament to the fact that breaches occur. Therefore, only what is essential should ever be gathered and stored. Reference was made to the need to have robust monitoring and regulation. If that had been in place, the Police Service of Northern Ireland data breaches, which I think disadvantaged more than 3,500 people, would never have happened.
While I cannot browse and shop online—I have no interest in doing so—watch TV programmes online or do any of those other things, I do believe that there is a need for privacy. My concern is that the Bill is encroaching too far on those whom the Government have no reason to hold data on. I ask the Minister again to make it clear why any online search history should be stored. These are gentle questions—they are not meant to be intrusive or aggressive—but it is important that I put these matters on the record on behalf of the constituents who have contacted me.
I highlight the concerns of my constituent that the Bill’s proposed measures are poised to
“profoundly impact political dissidents and opposition figures residing in the UK. Refugees, political exiles and human rights advocates who have sought refuge in the UK deserve the assurance of digital safety and security.”
I seek that assurance for those who have fled offensive and oppressive regimes and sought refuge in this great United Kingdom of Great Britain and Northern Ireland.
I would further appreciate an insight into how we can ensure that there is freedom to express opposition, yet not see harmful rhetoric. That balance is clearly difficult to reach. I seek the necessary clarification that we have struck that balance. I very much look forward to hearing from the Minister, because I believe that his response will encapsulate the questions we have asked and give us the answers that we desire.
The Investigatory Powers (Amendment) Bill is a technical but important piece of legislation that, as my right hon. Friend the shadow Home Secretary said in her opening remarks, we support. We support the Bill, which updates aspects of the Investigatory Powers Act 2016, because it is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with changes to communications technology in an increasingly challenging and complex landscape of threats to our safety and our national security.
At the outset, let me pay tribute to the exceptional men and women who serve in our law enforcement and security services, often in the shadows and without recognition, to keep our country safe. We owe them all a deep debt of gratitude. I also thank officials at the Home Office, who have provided very helpful briefings on the Bill to the shadow Home Office team. I hope that the Minister will join me in paying tribute to our noble colleagues in the other place, especially Lord Anderson, Lord Sharpe, Lord Coaker, Lord Ponsonby and Lord West, among many others. They have already done a lot of the intellectual heavy lifting, digging into the technical details of the Bill to improve it ahead of its Second Reading today. Those contributions are most welcome, but the Bill still needs to be scrutinised in more depth to probe any remaining ambiguity and ensure that safeguards are strengthened. I will say a little more about that later.
As the shadow Home Secretary said, the Opposition will work in the national interest with the Government on national security because, as legislators, we all have a duty to ensure that the law is one step ahead of those who seek to harm us. As lawmakers, we have a duty to ensure that when technical Bills are before us on matters relating to national security, we scrutinise them carefully and get into the detail. Members on both sides of the House have fulfilled that important duty with a number of thoughtful and considered contributions in this debate, including the right hon. and learned Member for Kenilworth and Southam (Sir Jeremy Wright), who spoke, as always, with great authority and made important points about oversight and the interests of economic wellbeing. I am certain that we will return to those in Committee.
The right hon. Member for South Holland and The Deepings (Sir John Hayes), a former Security Minister, helpfully reflected on his experience of taking the original legislation through the House back in 2016, and made some important points about the role of public bodies. My hon. Friend the Member for Wallasey (Dame Angela Eagle), the newest member of the ISC, made an important point about the context in which we are having this debate, with authoritarian regimes around the world constantly seeking to test the will of democracies. She also made an important point about the balance between safeguarding our security and oversight and transparency.
The chair of the ISC, the right hon. Member for New Forest East (Sir Julian Lewis), spoke with his long-standing experience of these matters, and expressed clearly the view of the Committee. He made a number of important points, including about the safeguards that he will seek to include in the Bill. I am sure that we will return to that. He also made the important point about any increase in powers coming with an increase in oversight—a point reiterated by my right hon. Friend the Member for North Durham (Mr Jones), who I think is the longest serving member of the ISC. He spoke about the two-and-a-half legged stool, made a number of important points and provided a constructive challenge to Government. I hope that he will work with us, the other Committee members and the Minister in Committee to make some improvements to the Bill.
The hon. Member for Broxbourne (Sir Charles Walker) made a typically carefully considered speech. For someone who claimed not to be an expert, he made a number of important points, not least about surveillance needing to be proportionate. The hon. Member for Strangford (Jim Shannon) reflected, as he often does, on his own experiences of dealing with terrorism in Northern Ireland, and rightly paid tribute to all those who served to keep our country safe.
I will now turn to aspects of the Bill that could be improved. The measures outlined in the Bill continue to provide our law enforcement and security services with some of the most powerful measures that our state has at its disposal to keep us safe, intercepting private communications and retaining information where necessary. With those strong powers there must also be strong, robust safeguards, to guarantee their appropriate and proportionate use.
When the Minister responds, I would be grateful if he provided further assurances that the notices regime will be kept under constant review. Such assurances are important as the power to access telecommunications data through bulk personal datasets unlocks an individual’s digital footprints of their online activity. For those of a certain age—I do not have anybody in particular in mind—investigatory powers can conjure images of wiretapping telephone lines, and, for those of a very certain age, even steaming open letters. However, the modern reality is that the huge amounts of data produced every second could be sifted through and used by law enforcement and crime agencies when there is a lawful basis to do so. The Bill must therefore clearly establish a precedent of proportionality, such as further defining what is meant by low or no reasonable expectation of privacy, in clause 2, in relation to certain bulk personal datasets. I would be grateful if the Minister outlined how the Government intend to do that.
The UK’s use of investigatory powers should be clearly understood by our international partners. Vast amounts of telecommunications data, such as WhatsApps, are now stored in servers across many jurisdictions by multinational companies with sometimes complex corporate structures. I understand that Meta, for example, has stringent measures to protect those servers from cyber-attacks, preventing WhatsApp messages from being interfered with or accidentally deleted. If only the same stringent measures existed for some Members on the Government Benches—and the SNP Benches, for that matter.
Moving swiftly on, a warrant to intercept messages between two UK nationals in the UK could be stored on a server in another jurisdiction, leading to potential conflicts of law arising from clause 17, which would strengthen extraterritorial enforcement of retention notices. I would therefore be grateful if the Minister said something about the feedback the Home Office has had from international partners about potential conflicts of law that could arise from clause 17, and what actions have been taken to avoid potential conflicts. Can the Minister also say what recent feedback the Home Office has received from companies providing messaging services in the UK that use servers storing communications data in other countries?
Ensuring the utmost clarity in the measures outlined in the Bill must also include where they are applied in the most exceptional circumstances, such as when the Prime Minister cannot make a decision to sign off an interception warrant. The shadow Home Secretary rightly mentioned the importance of Prime Ministers treating these matters with the utmost seriousness. This was also discussed and debated in detail when the Bill was progressing through the other place, with the term “unable” being used if a Prime Minister cannot make a decision, compared with other terms such as “unavailable”. I expect the Minister will be relieved that I do not plan to spend too much time on this, but that is not to underplay its importance. The debate between noble colleagues on whether “unable” or “unavailable” was the most appropriate term may in part have been generated by the activities of two former senior figures in Government, neither of whom is still a serving Member of Parliament. For the benefit of the House, I will just say that one of them might have been a Foreign Secretary who became Prime Minister, and the other might have been a Prime Minister who became Foreign Secretary.
The Prime Minister plays a crucial role in making decisions on national security. May I remind the Minister, as other hon. Members have sought to do during this debate, that since 2014, successive Prime Ministers have failed to meet with the Intelligence and Security Committee? As we all know, the ISC is a senior Committee of Parliament that provides absolutely vital oversight on these crucial matters. We heard from the Chair, the right hon. Member for New Forest East (Sir Julian Lewis), who made some important points. Can I again ask the Minister why he thinks no Prime Ministers have made themselves available to the Committee for a decade now?
Furthermore, recent updates to the IPA 2016 after the ruling of the European Court of Human Rights in the case of Big Brother Watch and Others v. the United Kingdom provide further safeguards to protect sensitive information relating to freedom of expression, such as journalistic material, from the usual interception and retention regimes. Other elements of freedom of expression should have similar safeguards. Does the Minister think there should be similar exemptions in the Bill for communications relating to the vital work of trade unions? That was a point also made by the hon. and learned Member for Edinburgh South West (Joanna Cherry).
To conclude, this is an important Bill that demands strong and careful scrutiny. Our personal liberties and our national security depend on it. It is in the national interest to get the legislation right: to make sure it is both appropriate and proportionate in its scope. It must also be effective in maintaining the current powers our law enforcement and security services already have to disrupt and defeat criminals and malign actors who seek to harm us and undermine our way of life. On the Labour Benches, we will work with the Government as much as we possibly can in the national interest to get it right. I look forward to working with the Minister and other colleagues on that important endeavour as the Bill progresses through the House.
I thank hon. and right hon. Members from across the House for their contributions not just today, but throughout the many different stages of the Bill. I pay huge tribute to the Members of the other place who have contributed enormously, in particular Lord Anderson, who has been an exceptional asset to the passage of the Bill and the condition it is in, and Lord West who, as a member of the Intelligence and Security Committee, not only shepherded some extremely important amendments into the Bill, but was kind enough to say that it was the first time in 14 years that he had ever had an amendment accepted by the Government. I am delighted to say that it was to this Bill. It was because we are so committed to working with all parts of both Houses and with the ISC that we got so much through in the other place. [Interruption.] That said, many comments will no doubt be raised in this House. I can assure hon. Members, especially the right hon. Member for North Durham (Mr Jones), that I will approach all suggestions in the way that I have done to date. Where we may not agree—it may not be that he is right, or that I am right—it will be for good reason and I will set out my reasons in the appropriate way.
The Bill is about one fundamental thing: the security of the British people. We rightly heard from my hon. Friend the Member for Broxbourne (Sir Charles Walker) about the nature of freedom, but the truth is that freedom without security is impossible. It is a chimera. The Bill is about ensuring that the British people have the security to enable that freedom. That is an absolutely vital responsibility not just of this Government, but of this House and the other place. I am grateful for the work that the hon. Member for Barnsley Central (Dan Jarvis) and the shadow Home Secretary, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper) have put in to ensure the co-operative, bipartisan and open approach to the Bill, as is merited by the work of our fantastic intelligence services to provide security for our whole country.
As the British public would expect, we keep our approach to national security under constant review. Where we identify the need for change or improvement, we will not hesitate to act. That is why we have brought forward the Bill, which acts on the findings of the Home Secretary’s report and Lord Anderson’s independent review into the Investigatory Powers Act 2016. Hon. and right hon. Members will not need me to rehearse the arguments, but we have seen an extraordinary, rapid evolution in the nature of the threats since the 2016 Act: Russia’s threat to the whole of Europe and not just to Ukraine; the violence that Iran is trying to bring not just in the middle east but even on to our own shores; and the way technology has enabled hostile states not only to steal our technology but to introduce intelligence-gathering platforms into our country through the guise of car sales.
We have seen a change in the way technology works and a change in the nature of the threats, and we must keep up to date with those changes. That is why this work is so important. It is essential that the United Kingdom’s investigatory powers framework remains fit for purpose to help our intelligence agencies detect and stop some of the most serious threats posed to the UK and its citizens, including threats from terrorism, state threats, and child sexual abuse and exploitation.
Because these are exceptional powers, Members have rightly pointed out that they require appropriate, robust and, in this case, world-leading safeguards, and that is what we have sought to set out. The changes in the Bill are relatively narrow in scope, but unless we make them now, the ability of our agencies to tackle evolving threats will be increasingly constrained in the face of global instability, technological advances and state hostility, so now is the time to act.
Let me now deal with some of the points that have been raised. The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) raised a rather interesting point about the changes to “lawful authority” in clause 12 in respect of published data. The purpose of new subsection (3A) is for material that has already been published not to require additional authority for its disclosure by a telecommunications operator to a relevant public authority. The definition of “publish” and reference to “a section of the public” would not include private messages unless they had been made public in some other way—just as our sitting room could not be considered a public place unless we opened it up to the public. It would be our choice, and nothing to do with the nature of the building.
The hon. and learned Member for Edinburgh South West (Joanna Cherry), who has made important contributions through her chairmanship of the Joint Committee on Human Rights, raised questions about the transparency safeguards in the 2016 Act. Those extremely robust safeguards are centred on considerations relating to intrusion into privacy, and that will remain the case in the Bill. They include a requirement for investigatory powers to be used in a “necessary and proportionate” way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal.
My right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes) contributed in his usual robust fashion to the debate—and, I should add, to the session that I was fortunate enough to have with the Intelligence and Security Committee, in which he was enormously helpful in assisting me with some changes to the Bill. He spoke about the five individuals who could be designated by the Prime Minister, and asked why we had not referred specifically to “those with warranting powers”. It is possible that a Minister with warranting powers who had that experience would then be moved to another Department, or indeed that the machinery of government change would alter the nature of the oversight. While we felt that it was right to limit the number to as few as possible, we also felt that it was right to have a relevant selection, which is why we left the number at five—after some very good consultation with the ISC, for which I am extremely grateful to my right hon. Friend the Member for New Forest East (Sir Julian Lewis) .
My right hon. Friend has been immensely generous both in giving way and in his earlier comments about my role. Will he briefly deal with the issue of the other bodies with the regulatory function who can compel the release of communications data? As he will remember, the point I made was that the existing law obliges them to take further procedural steps before they do so. Why is that no longer deemed appropriate?
As my right hon. Friend will know, several powers in the earlier Bill—the one that he took through the House—were indeed overseen in various different ways. The Bill does not seek to undermine any of that oversight; what it seeks to do is clarify, in certain areas, where it is necessary. My right hon. Friend has highlighted individual agencies or bodies, and I should be happy to write to him to ensure he is aware of exactly where that is being covered.
The right hon. Member for North Durham spoke about prior judicial authorisation for ICRs. The purpose of the Bill is to try to streamline operations for the intelligence services in areas where the risk is of, as we are calling it, low or no expectation of privacy. He will have seen in the Bill what the expectation means, including areas where information has already been readily made public. I accept his commentary and I would be happy to enter into further conversations with him, but the reason we are not currently going down that route is simply that the existing law, the IPA 2016, allows the collection of bulk data with prior authorisation. This is intended to speed the process up. If we put in the measures he is referring to, we would effectively remain in the same place that we are now. That would make it harder for the volume of data that is now coming to be considered by the intelligence agencies. That is why we have made the provision for a subsequent approval rather than a prior approval. He is right to say that it involves a maximum of a year, although I think it unlikely that it would go to that maximum. That will be in cases where this is low or no expectation of privacy—after it has already been agreed by a judge to be in the correct category. I think the right hon. Gentleman might be looking at this through the other end of the telescope.
What the Minister has to realise is that the big concern from the public—although let’s be honest, the public are not looking at the detail of this—is that somehow the security services will be getting access to huge amounts of bulk data and just having a free run at it. All that I and the Committee are suggesting is that an email should be sent when there are changes to the Investigatory Powers Commissioner. That would be a simple thing. It would not be onerous, and it would reinforce the point that there was at least some potential oversight of the process.
I think we may be conflating different aspects of the Bill. I do believe that this already has oversight.
Let me answer the point raised by my hon. Friend the Member for Broxbourne, which touches on a similar area. Where people have the right to and expectation of privacy and freedom, this provision does not remove that right. What it does is allow the intelligence agencies to use bulk data to target an individual at a particular point, and the excess collected information will not be able to be used for targeting an individual without the warrant process that would be expected for any initial search. In that sense, this is not undermining anybody’s privacy; it is allowing for the fact that information is now largely in bulk format. The hon. Member for Barnsley Central was talking about steaming open envelopes. It is impossible to steam open a single envelope today; one has to steam open thousands because that is how data comes. Without an amendment such as that set out in the Bill, we would simply be interrupting the work of the intelligence services to the degree that it would hold them back and make the process harder, but I would be happy to take this up with my hon. Friend the Member for Broxbourne later if he wishes.
I thank the hon. Member for Halifax (Holly Lynch), who was here earlier and made an interesting point about the various ways in which the memorandum of understanding should be looked at through the National Security Act 2023. Friends of mine will know my thoughts on that and know that I gave the Conservative party the chance to allow me to change that 10-year absence, but the Conservative party chose somebody else to make that decision so I have sadly lost the ability to have that influence.
My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) made a typically insightful speech and typically sensible comments on the ways in which we must consider how the authorisation must not be used to mount general surveillance. Condition D will be used only when an applicant makes a clear and compelling case, based on tangible, reliable intelligence leads, information and analysis, that the resulting data will identify parties involved in a relevant serious crime or national security-related specified operation or investigation. The applicant must explain any anticipated collateral intrusion, and how this will be managed to ensure that the application is necessary and proportionate to the outcomes of the investigation.
I accept what my right hon. Friend says but, in the context I described, the case is being made to someone else within the intelligence agency. There are, of course, two types of authorisation—D1 and D2—and we are worried about D2, under which the application is made from inside the intelligence agency to inside the intelligence agency. That does not present the sort of external scrutiny that we suggest is necessary.
My right hon. and learned Friend is right, but he also knows that IPCO has retrospective oversight of these areas. Where it comes under a category allocation through “low or no”, there is an automatic review period within a year. Although he is correct that the application is made within the service, it is within the service subject to a pre-agreed condition and with follow-up oversight, so as to enable that speedy response.
On a different but not unrelated point, the Minister will recall that I referred to the annual report given to the Secretary of State detailing the individual bulk personal datasets that had been retained and examined. There is no extra work involved in letting the ISC and IPCO see that report. The only possible justifiable exclusion would be something that, at the time of the report, was still current. Is there any reason at all why IPCO and the ISC should not be sent that report, rather than a severely watered-down version?
My right hon. Friend answers his own question. The reason for the difference is the currency element.
In that case, we can reach agreement if the Minister would like to give us an assurance that the only difference between the two reports will be the exclusion of matters that are current at the time of drawing up the report, but I suspect that there will be many other differences between the two reports.
I will be very happy to talk to my right hon. Friend about that to make sure that he is satisfied. It is important that we make sure that the reports that go to the House—through the ISC, because of the nature of the reports—are relevant and allow appropriate scrutiny. I think we can all agree with that.
I have covered the points raised by my hon. Friend the Member for Broxbourne, so I will turn to the hon. Member for Strangford (Jim Shannon), who made an extremely important point: that his constituents, like any other citizens of the United Kingdom, should expect the right to privacy. He also made a compelling point about the need for security, and I think the Bill strikes that balance extremely carefully. He is right to say that people will be concerned, and he is not alone. I am also concerned that we maintain the right to privacy within our legislative framework, which is why we checked very carefully that the Bill is fully compliant with the ECHR right to a private life. It is also why we looked at the various exceptions.
The hon. Member for Barnsley Central mentioned the notices regime, and he is right that we will keep it under review. We maintain a regular conversation with companies that have an interest in this area, and he is right to say that there is an overseas element. I merely point out that it is the role of this House to legislate for the security of the British people and, in particular, for the safety of our children and families. Such security is not something we can outsource to tech firms on the west coast. We sometimes have a responsibility to pass extraterritorial laws—as he knows very well, we have done that in the past—so although this measure adds to that ability, it is not detrimental because it asks people to maintain their current position before making any changes and to talk to us during that period. There is no requirement to break any policies, change products or introduce new products; it is merely to maintain the status quo, so that we have the same ability to keep the British people safe until we have had a conversation about how that status quo should change.
Finally, the hon. Member for Barnsley Central raised a question about trades unions. He is right that there are many different professions where protected characteristics could come into play, including lawyers, doctors and psychiatrists, and where any such intrusive power should be used with exceptional caution. I would just say that, due to the nature of this place and Parliaments around the United Kingdom, the position of parliamentarian is particular, which is why it is set out specifically and separately in the Bill. That does not mean that any attitude against any other individual should be used cavalierly. It is not a question of the role or the post the person holds, but their rights as a British citizen. Those rights should be absolutely guarded from intrusion or aggression by the state without exceptionally good reason. This amendment, which the hon. Gentleman is kindly supporting, sets out that balance between British citizens’ right to privacy and their right to security. With that, I commend the Bill to the House.
Question put and agreed to.
Bill accordingly read a Second time.
Investigatory Powers (Amendment) Bill [Lords] (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),That the following provisions shall apply to the Investigatory Powers (Amendment) Bill [Lords]:
Committal
(1) The Bill shall be committed to a Public Bill Committee. Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 12 March 2024.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.
Other proceedings
(7)Any other proceedings on the Bill may be programmed.—(Mark Fletcher.)
Question agreed to.
Investigatory Powers (Amendment) Bill [Lords] (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Investigatory Powers (Amendment) Bill [Lords], it is expedient to authorise the payment out of money provided by Parliament of:
(a) any expenditure incurred under or by virtue of the Act by the Secretary of State or a government department, and
(b) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Mark Fletcher.)
Question agreed to.
(9 months, 2 weeks ago)
Public Bill CommitteesBefore we begin line-by-line consideration, I have a couple of announcements. Hansard colleagues will be immensely grateful if Members email their speaking notes to hansardnotes@parliament.uk. Please switch off electronic devices or turn them to silent. Tea and coffee are not allowed during sittings. Today, we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication. I hope we can take these matters formally without debate. I call the Minister to move the programme motion standing in his name, which was discussed yesterday by the Programming Sub-Committee for this Bill.
Ordered,
That—
1. the Committee shall (in addition to its first meeting at 11.30 am on Thursday 7 March) meet—
(a) at 2.00 pm on Thursday 7 March;
(b) at 9.25 am and 2.00 pm on Tuesday 12 March;
2. the proceedings shall be taken in the following order: Clauses 1 to 14; the Schedule; Clauses 15 to 33; new Clauses; new Schedules; remaining proceedings on the Bill;
3. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Tuesday 12 March.—(Tom Tugendhat.)
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Tom Tugendhat.)
Copies of written evidence received by the Committee will be made available in the Committee Room, and will be circulated to Members by email.
We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room; this shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when they come to the clause to which the amendment relates. Decisions on new clauses will be taken once we have completed consideration of the existing clauses of that Bill. Members wishing to press a grouped amendment or new clause to a Division should indicate when speaking to it that they wish to do so.
Clause 1
Requirement for authorisation
Question proposed, That the clause stand part of the Bill.
It is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.
Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
It is good to see you in the Chair, Mrs Cummins.
I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.
I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.
The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.
When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.
It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.
My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.
Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.
Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.
Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.
Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.
Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.
We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.
I will not detain the Committee unduly, my Whip will be pleased to know. However, I feel it is important at this juncture—in part because, as the right hon. Member for North Durham says, I was responsible for taking the 2016 legislation through the House, and in part because of my current role on the ISC—to make some comment on the first part of this Bill, which deals with bulk powers. There are misassumptions about bulk powers. The Minister will be aware of how vital they are to the security and intelligence services and to the police. These powers are used in almost all investigations —95% of them—and they are critical if we are to deal with the changing character of the threat we face.
Contextually it is important to note that when the 2016 Act was passed, the nature of the threat was metamorphosising, and that is even more the case now. The scale and character of the threats are altering all the time, so the legal powers available to those we mission to keep us safe need to be fit for purpose and up to date. We knew that when we passed the 2016 Act; we knew that the legislation was dynamic and that it would be supplemented over time to take account of that metamorphosis, which takes two forms. First, the threat now is probably greater from state actors, and secondly, it is greater from those inspired to do harm via the internet in particular. That situation makes an implicit case for the kind of measures the Minister has brought before us today.
Furthermore, there is a paradoxical change in the methodology used by those who seek to do us harm. Because of the nature of technology, those people are now able to do things that they were not able to do when we debated the original Act that this Bill amends. I describe the change as paradoxical because those people have simultaneously learned that they can do immense harm with a vehicle and crude weapon; we know that from some tragic cases in recent years. Those inspired people do not need a sophisticated organisation with all kinds of capabilities; they simply need the perverse, indeed perverted, will to do damage. All of those factors legitimise the case for the measures in the Bill, which we will consider over the coming hours and days—but not weeks I am pleased to say, unless something goes badly wrong.
What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.
The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.
It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Low or no reasonable expectation of privacy
I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”
This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
With this it will be convenient to discuss amendment 21, in clause 2, page 3, line 34, at end insert—
“(4) By way of example, bulk datasets of images obtained by CCTV and bulk datasets of Facebook posts are not to be considered datasets where the individuals to whom the data relates could have no, or only a low, reasonable expectation of privacy.”
Probing amendment regarding the scope of “low or no reasonable expectation of privacy”.
May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.
We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.
I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?
The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.
Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.
Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.
Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), which has been shared with us all:
“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”
That is the question that we are getting at here.
The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it difficult to grasp the concept or even understand how the test to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.
Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.
Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.
My hon. Friend the Member for Barnsley Central has been trying to put a definition around this. That needs to happen. If it is not to be in the Bill, the Minister needs to put on the record exactly what his expectations are, because I can see this being challenged in court. Courts are very good at looking back at what is said and what is actually meant in Parliament, so it is quite important.
There are certain categories that no one has any problems with: open Companies House registers are available to anybody, for example, and so is the open electoral register. But how will the closed electoral register be dealt with? I would argue that people who want to be on the closed register would think that there was a reasonable expectation that that data would not be shared. We know that it is, but somebody might challenge that.
Likewise, there are telephone directories. I am not sure whether they are produced any more. Perhaps I am old-fashioned—I am showing my age now. [Interruption.] Well, I am sure they still exist in a digital format. Those who are old enough to remember will know that there was an ex-directory option for people who did not want their name published; someone could make a conscious decision that they did not want their private phone number to be in the public record. Now it must be all online, but how will that be dealt with? With a directory on which everyone’s number is publicly available, I would think that there was a reasonable expectation that that was public data; I think everyone would assume that. Where they are ex-directory, however, I think most people would reasonably expect their data not to be shared with anybody.
“No expectation of privacy” is very clear—it means things that are publicly available—but “no reasonable expectation” is a dance on the head of a pin. People’s interpretations of what is reasonable will be different. I am reassured that the agencies have protocols for dealing with that, and I am not suggesting for one minute that they will be on fishing expeditions, but we need some clarity on what it all means.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East made a point about Facebook and other types of social media. For those who are interested, my “North Durham morning” posts are on Instagram, Facebook and Twitter, or X. I have been doing them for many years.
I have no reasonable expectation that those posts are private. I am not suggesting that the security services will want to look at North Durham mornings, but those posts are something that I have put in the public domain. That is fine, but it is different from what the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East was talking about. We might share a photograph or information on a small Facebook group, but do we expect everyone to have access to it? I am not sure that we do. Where does that fit into the definition of “reasonable expectation”? Would the individual think that it was available? That is the point.
The right hon. Gentleman is making a persuasive argument about public expectations of what is reasonable versus what the Bill says and what the agencies do. He is right that there are good operational validations through the agencies’ protocols, but perhaps the best way of explaining the marriage between expectation and what is real would be by example. It would be helpful to hear some examples from the Minister of how the powers that are currently used, and those that will be used under the Bill, are necessary and proportionate; for all these things are about necessity and proportionality. By example, we can probably put this matter to bed.
Yes. A point was also raised about leaked data. If something is leaked on the internet or any other portal and everyone has access to it, do we then assume that the security services think that it comes under “reasonable expectation”, even though the individual whose data it was perhaps did not want it out there?
I accept that under proposed new section 226B(4)(b),
“the authorisation is necessary for the purpose of the exercise of any function of the intelligence service”,
which is fine. I do not think that people will go on fishing expeditions—we will come on to that issue later— but I note that the phrase “economic well-being” appears later in the Bill, but not in this part. When I have raised the point before, the Government have argued that the phrase is used in other legislation and that they want to be consistent.
If nothing is to be changed in the Bill today or on Report, the Minister needs to put something on the record so that it when somebody challenges this provision in future, which they will, the Government’s intention is clear now and can be interpreted later.
I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.
That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.
The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?
That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly ways at each moment of influence and each moment of power, but everything is covered.
I am interested in the Minister’s example of the Panama papers. As he rightly says, when those papers were originally held by a bank or a financial institution, there would be an expectation of privacy. However, he is alluding to where they are sourced from. Those papers have been freely circulating on the open internet and anyone can download them, and it is at that point that the low or no expectation would come in. Rather than the nature of the document itself, it is the fact that it is easily available online that matters.
My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.
It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.
This amendment is consequential on Amendment 23.
With this it will be convenient to discuss the following:
Amendment 23, in clause 2, page 5, leave out lines 1 to 14.
This amendment would remove proposed new section 226BA, thereby removing the ability to grant “category authorisations”.
Amendment 24, in clause 2, page 5, line 17, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 25, in clause 2, page 5, leave out lines 23 to 25.
This amendment is consequential on Amendment 23.
Amendment 26, in clause 2, page 5, line 34, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 27, in clause 2, page 5, line 39, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 28, in clause 2, page 7, line 3, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 29, in clause 2, page 7, line 27, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 30, in clause 2, page 8, leave out lines 6 to 15.
This amendment is consequential on Amendment 23.
Amendment 31, in clause 2, page 8, leave out lines 19 to 23.
This amendment is consequential on Amendment 23.
Amendment 32, in clause 2, page 8, line 37, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 33, in clause 2, page 8, line 41, leave out from “authorisation” to “they” on page 9, line 1.
This amendment is consequential on Amendment 23.
Amendment 34, in clause 2, page 9, leave out lines 14 to 16.
This amendment is consequential on Amendment 23.
Amendment 35, in clause 2, page 9, leave out from the beginning of line 38 to the end of line 13 on page 10.
This amendment is consequential on Amendment 23.
Amendment 36, in clause 2, page 11, leave out lines 17 to 29.
This amendment is consequential on Amendment 23.
Amendment 37, in clause 2, page 11, leave out lines 32 and 33.
This amendment is consequential on Amendment 23.
First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
I am grateful for that. Could the Minister perhaps follow up on that in writing? That is useful to have on the record.
This discussion is mainly about amendment 23; the other amendments are all consequential. Basically, the amendments would remove the concept of category authorisations from the Bill. Again, I take the same approach as the shadow Minister; I will not be pushing any of these amendments to a vote, but they are designed to probe and allow for debate on some of the important concepts in the Bill.
It is this clause, and the notion of category authorisations, that leads to the restricted judicial oversight of the “low or no” categories that are being retained. It would be useful for the Minister to give us an example here of what a category authorisation might look like. I am not on the ISC, so it is hard for me to understand exactly how broadly they might be drafted. I absolutely appreciate that there are operational reasons why the Government might have to be careful about the examples they give. However, to provide some reassurance, I am sure it would be possible to put on record what one of these authorisations might look like, just so we know how broadly they will be drafted, or indeed how focused they will be.
The Minister spoke a little about oversight at the end of his previous contribution, but it is the oversight of category authorisations that causes me some concern. The tests for a category authorisation set out in proposed new section 226BA of the Investigatory Powers Act 2016 are simply that it must be classed as “low or no” and that the decision has been approved by a judicial commissioner. There are none of the other tests that are set out for the individual authorisation, such as it being necessary for the
“exercise of any function of the intelligence service,”
that it
“is proportionate to what is sought to be achieved,”
or that there are various arrangements in place.
It seems to me that the degree of oversight at the stage of granting a category authorisation is far more restricted. That has a knock-on consequence: when the judicial commissioner comes to review the granting of a category authorisation, they are only then considering whether it applies to a “low or no” group of datasets. The judicial commissioner, even on the low-level judicial review criteria, does not look at whether the category authorisation will be necessary or proportionate, or any of the other tests for the other authorisation.
I do not want to do the Minister’s job for him, because I am sure he will say this anyway, but when an application is made by an agency for the acquisition and retention of bulk personal datasets, a specific case needs to be made in the warrant application, and a particular case has to be made where that application applies to exceptional material. That case is considered through the double-lock mechanism by both the judicial commissioner and the Minister. That case needs to specify the reason that it is necessary for operational purposes.
It is useful to have that explanation. I understand that is the existing process, as the 2016 Act applies just now. However, my simple question concerns the fact that that does not seem to be what is set out here.
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—
“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”
This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.
With this it will be convenient to discuss amendment 38, in clause 2, page 11, line 21, at end insert—
“(1A) The report provided under subsection (1) must include an annex listing the bulk datasets retained or retained and examined under each category authorisation granted during the relevant period.”
This amendment would require information about the scale and nature of use of category authorisations to be provided to the Intelligence and Security Committee.
The issue of closing the gap between adding a bulk personal dataset to an existing category authorisation was raised on Second Reading by my right hon. Friend the Member for North Durham, who has a long-standing interest in these matters. I agree with the argument he made on Second Reading and the simple solution he proposed to close the gap: a one-line email to the Investigatory Powers Commissioner as soon as reasonably practical.
Any such email would not be seeking real-time approval and would not necessarily be reviewed by the Investigatory Powers Commissioner in isolation, but rather as part of a wider trend of what is being added to existing category authorisations. Labour does not seek to create additional work for the men and women who serve in our police and security services. On the contrary, a simple arrangement —to send a single-line email—would enhance wider oversight arrangements, while keeping extra requirements for the police and security services to an absolute minimum. In response to my right hon. Friend on the matter on Second Reading, the Minister said the IPA 2016
“allows the collection… with prior authorisation”
and that
“This is intended to speed the process up.”—[Official Report, 19 February 2024; Vol. 745, c. 556.]
We do not intend to slow the process down through the amendment, as any such notification would be made after it had happened. I therefore ask the Minister whether the problem is the act of notifying the Investigatory Powers Commissioner as soon as reasonably practical, or the potential volume of notifications, that mean he deems it an unworkable arrangement. I would appreciate if he could be as open as possible in answering those questions. If the Government do not accept the amendment, perhaps a conversation could take place between my right hon. Friend the Member for North Durham, the Minister and myself to agree a practicable solution.
As my hon. Friend the Member for Barnsley Central said, I raised the matter on Second Reading. In no way do I or other members of the ISC want to slow down the process or give more work to the hard-working men and women of our security services. However, as I understand it, the only reason put forward by the Government was that it would impair operational agility.
The amendment proposes, and what I proposed, is not for the security services to go through an authorisation, as my hon. Friend just said; it is literally an email saying, “This is what we are doing.” Members might ask why that is important. It is important because we are giving the security services new powers in the Bill and for IPCO to be informed in real time. I accept the retrospective look at them, but at least if there was a trend, we could see it.
The Government have also tried to argue that there is no need for more oversight because it is a low or no dataset, much lower than those governed by the existing section 7 of the IPA. We have just had the argument about the definition of “low” and “no”, but it means that we are giving the security services additional powers here. I am not for one minute suggesting that the internal protocols within those security services will lead to things that are just a free-for-all, as some might suggest, but it gives that assurance that there is oversight of what is happening in real time.
If we were asking for authorisation of each one, I would accept that it would be too burdensome and would slow down the process, but this is literally a one-line email so the IPCO knows what is needed. I do not understand why the Government are resisting that, except that—let us be honest, Minister—we have form on this. With the National Security Bill, there was an idea that it would be a weakness on the Government’s part to accept any amendments from the ISC. However, there was one slight change made with Lord West’s amendment, so there is possibly a change of attitude. I accept that the Minister respects the ISC—I am not sure it is the same for many people higher up in Government. But that should not be a reason not to accept this very simple amendment, which I think would give people reassurance that there is some real-time oversight of this. If an election was called in the next few weeks, this Bill—
I endorse what the right hon. Gentleman said. It is a straightforward matter. The Government could give way on this—because they already have the power to ask for it under existing arrangements—by making it a routine, light-touch process. I take the point that we do not want to impair the alacrity that is necessary for the agency. However, I think a simple change would satisfy the right hon. Gentleman, me, and many others.
I agree entirely with the right hon. Gentleman. If the amendment goes into the wash-up of the Bill, things like that will have to be included anyway. I do not understand why the Government are dying in a ditch on quite a small amendment that would make no practical difference at all to the operation of this Bill. There are certain people—not including the Minister, who is quite a reasonable individual—who want to make sure that the ISC cannot claim credit for doing anything, which I think is quite sad. If the Minister cannot agree to the amendment as drafted, I echo the suggestion of my hon. Friend the Member for Barnsley Central that we draft an amendment that the Government are happy with on Report that fulfils our ambitions on oversight, but that is also practically and technically correct. [Interruption.]
I remind members of the public to please turn their electronic devices to silent as well.
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.
In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.
This is as good a time as any to raise this point. If we are going to give the powers to the security services, which nobody objects to with the appropriate oversight, and ask them to do more assessments, more dataset investigations and so on, does my hon. Friend agree that the Minister should give us assurances on resources? Given that we are asking the services to take on additional tasks in one fashion or another, does he agree that we have to set aside the resources? Perhaps, during his meeting with the Minister, he could tease that out a little bit more, because I do not want these powers and responsibilities to be given to the services without them having the appropriate resources— financial and staffing—to do their job.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.
The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation —a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.
I have nothing further to add, other than to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 2 ordered to stand part of the Bill.
Clause 3
Duration of bulk personal dataset warrants
Question proposed, That the clause stand part of the Bill.
We are making sufficient progress, which perhaps permits me to say a word about why, as we have now dealt with those publicly contentious matters around bulk powers, we can move to the next part of the Bill with greater confidence. The Minister has been crystal clear that he—like me, the right hon. Member for North Durham and other members of this Committee—understands fully the important role of oversight and checks and balances. Those checks and balances are multidimensional because of the role of both those elected to this House and the judiciary. I know he will want to expand on that a little as we come to the next part of the Bill.
I thank my right hon. Friend. Clause 3 amends the duration of bulk personal dataset warrants under section 213 of the IPA from six to 12 months. BPDs tend to be used to support long-term strategic intelligence activities, and a longer warrant duration will enable the value of the BPD to be better demonstrated, which will provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality when an application for renewal is made. The existing part 7 safeguards will remain in place, including the double lock by the judicial commissioner.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Third party bulk personal datasets
I beg to move amendment 16, in clause 5, page 14, line 34, at end insert—
“(4) A third party BPD warrant may not authorise the examination of a dataset consisting of the contents of the marked electoral register.”
This amendment would prevent a third-party bulk personal dataset consisting of the electoral register, which sets out whether people have voted, from being examined by the intelligence services.
Amendment 16 relates to third-party BPDs, specifically the use of the marked electoral register, which is a copy of the electoral register usually arranged by a polling station area or ward with names crossed off to indicate who has voted. Copies are available for political parties to buy from local authorities and add to their records, which aid with canvassing and voter engagement on the basis that a person who has previously voted has a higher propensity to vote again, and for that purpose alone.
Compared with the electoral register, the marked electoral register contains a record of individuals who have exercised their democratic right at the ballot box. The Opposition understand entirely that it would be appropriate for copies of the marked electoral register to be examined in an investigation into electoral fraud. Any attempts to undermine our democratic process must be dealt with with the utmost seriousness. However, we do not believe that it is appropriate or proportionate for information relating to voting records, contained in such documents, to be authorised as a third-party BPD. That could establish links between individuals or better understand a subject of interest’s behaviour.
More widely, we have concerns about records of democratic activity, such as any relating to trade union membership, being examined as a third-party BPD. Does the Minister agree that copies of the marked electoral register should be used to defend and strengthen our democratic processes, and for those purposes alone, and that safeguards should be in place to protect other data relating to democratic activity from being examined as a third-party BPD?
I fully understand the questions that have been proposed by the shadow Minister, and it will be interesting to hear the answers that he gets.
On clause 5, it makes sense to ensure that access to third-party bulk personal datasets is subject to the general Investigative Powers Act scheme and oversight regime, including the double lock. Of course, we had extensive debates back in 2016 on whether that double lock was strong enough. My party argued that the judicial review standard was not tough enough and that we should be asking judicial commissioners to look at the positions again on their merits. But we lost that battle, and we are where we are.
Some of these datasets will include hugely personal information on internet searches and shopping history. These profiles can build up a pretty intrusive picture of how we go about our lives, and sometimes not very accurately. We are also talking expressly about personal datasets, which could include health data. That is on the face of the Bill. Does the Minister envisage that such access will be used only to make inquiries on subjects of particular interest, or will it be used for broader trawls of information?
As set out in the letter from the Chair of the Joint Committee on Human Rights, there is also concern about how this provision will apply to datasets that have been obtained unlawfully. Should there be additional safeguards on the use of illegally obtained data? What is the Government’s thinking on that?
I thank hon. Members for their points. The examination of third-party bulk personal datasets by the intelligence services is vital to their role of protecting the national security and economic wellbeing of the United Kingdom and preventing and detecting serious crime.
Clause 5 places an explicit statutory regime around the intelligence services’ examination, in situ, of bulk datasets held by third parties. The regime would apply only to the intelligence services, in line with the wider part 7 BPD powers in the IPA. The clause puts in place robust oversight and safeguards. For example, third-part dataset warrants are to be subject to a double lock, and the decision to authorise the warrant will need to be approved by both the Secretary of State and an independent judicial commissioner. The Investigatory Powers Commissioner and his office will oversee the regime to ensure the intelligence services’ examination of third-party datasets is both necessary and proportionate. That relates to the point made by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East about proportionality and need.
To answer the point made by the hon. Member for Barnsley Central, we do not consider it appropriate to exclude specific types of dataset from those for which a third-party dataset warrant can be sought. The reason is, as he knows, that we can begin to go down very tricky routes on this area, as the intelligence services have a requirement to keep safe not just our democracy but our wider nation. Therefore, limiting those different arguments can be problematic. What we are aiming to do is ensure the proportionality requirement is the test applied by both judicial commissioners and the Investigatory Powers Commissioner.
The Secretary of State may issue a warrant authorising the examination of a third-party dataset only where it is necessary and proportionate—that is going to be quite a high bar in some of the areas asked about—for the intelligence service to examine the dataset to which the warrant relates. That decision will be double-locked by an independent judicial commissioner who, among other things, is required expressly to review the Secretary of State’s conclusions in respect of necessity and proportionality when deciding whether to approve the decision to issue a warrant. That is already in the Bill. Each decision will be made on a case-by-case basis and will be subject to prior judicial approval.
I am grateful for the Minister’s response. I have to say, I am struggling to think of a scenario in which it might be necessary and proportionate to examine the marked electoral register. This is something we will reflect on.
I broadly support the Minister’s view of this, but the easiest way to establish the case for this is to be clear about its operational purposes. Clearly, one would not expect the Minister or the agencies to speak about the specifics of operations, but dealing with the operational purposes would help the shadow Minister and the Committee. I am sure the Minister would be happy to do that in broad terms, either now or in writing. It would be really helpful to go through the kinds of operational purposes associated with this inquiry. I do not know what the Minister and the shadow Minister think, but that is how I see it.
That is a helpful and useful suggestion. I am happy to proceed on that basis, if the Minister is.
On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Minor and consequential amendments
Question proposed, That the clause stand part of the Bill.
Clause 6 makes minor amendments to the 2016 Act to reflect the introduction of parts 7A and 7B, including making it clear that the Investigatory Powers Commissioner is responsible for oversight of the part 7B regime.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Scott Mann.)
(9 months, 2 weeks ago)
Public Bill CommitteesThe Investigatory Powers Act 2016 contains world-leading oversight arrangements, which have strengthened the safeguards that apply to the use of investigatory powers. The clauses will enhance this oversight regime, including the role of the Investigatory Powers Commissioner, to ensure it is resilient and that the IPC can continue to effectively carry out their functions. This includes creating a statutory basis for appointing deputy IPCs to whom certain functions can be delegated and, in exceptional circumstances, the appointment of temporary judicial commissioners. The clauses also place certain existing oversight functions on a statutory footing and provide clarity to public authorities in their error reporting obligations. These are important and targeted amendments to ensure the oversight regime remains robust and the IPC can continue to carry out their role effectively.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Personal data breaches
I beg to move amendment 1, in clause 11, page 31, line 36, leave out “a court or tribunal” and insert “the Investigatory Powers Tribunal”.
This amendment is consequential on amendment 2.
With this it will be convenient to discuss the following:
Government amendment 2.
Clause stand part.
Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.
Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.
Amendment 1 agreed to.
Amendment made: 2, in clause 11, page 32, line 19, at end insert—
‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
(a) in subsection (2), after paragraph (b) insert—
“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”
(b) after subsection (4) insert—
“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”
(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
(b) in subsection (5)—
(i) the words from “section” to the end become paragraph (a), and
(ii) after that paragraph insert “, or
(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”
(c) in subsection (6), for “reference” substitute “complaint or reference has been”.
(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
“(8) In this section “relevant Commissioner” means—
(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
(b) the Investigatory Powers Commissioner for Northern Ireland, or
(c) the Information Commissioner.”’—(Tom Tugendhat.)
This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).
Clause 11, as amended, ordered to stand part of the Bill.
Clause 12
Offence of unlawfully obtaining communications data
I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.
This amendment would remove one of the examples cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
With this it will be convenient to discuss the following:
Clause stand part.
Clauses 13 and 14 stand part.
The schedule.
The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.
It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:
“where the communications data had been published before the relevant person obtained it”.
We are concerned that that is not a correct expression of the law as it stands.
The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.
We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.
I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.
While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.
I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.
The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.
Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.
Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.
Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.
I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.
I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.
Before you move to the vote, Mrs Cummins—forgive me for not rising with greater speed—I just wanted to test the Minister on clause 14 in particular. Clause 14 deals with the other public authorities that will enjoy the powers that the Bill affords. That was debated at length when the 2016 Act, which this Bill amends, was considered, and the Minister will recall that I also raised it on Second Reading.
It is of course true that a number of public bodies have lawful powers to intervene in a regulatory function where a malicious activity could have dire consequences. The Minister will have many examples to hand, but I will take just one for the purpose of illustrating my argument. The Environment Agency could intervene in the case of a watercourse that had been poisoned intentionally; that would be a criminal act resulting in an investigation and prosecution. One can imagine a circumstance where it would be necessary for that body to obtain communications data to discover how that occurred.
To be clear—the Minister will no doubt tell us—this is not the “what” being communicated, but the who, the when and the where. That is what we mean when we speak of the powers in the 2016 Act and this new Bill. We are not talking about the “what”; we know the telecommunications operator will be obliged to make available the content of communications data. The endeavour that the agency concerned will be involved in is finding out why something has happened. The “why” will of course be closely associated with the investigation and the possible subsequent prosecution.
As always, my right hon. Friend asks a pertinent question. I hope he will forgive me for saying that I very much hope that the letter I asked to be sent arrived in his inbox this morning. He may not have seen it, which I completely understand, as there are many pressing issues on his time. I have also attached it into the packet for the Bill and indeed copied it to the ISC secretariat, which has done such an important job in ensuring that we are all as one on this. I hope very much that that will answer my right hon. Friend’s questions. If it does not, he knows where I am—I would be delighted to clarify it further. As my right hon. Friend has very kindly asked, I shall give that list now, for the record: HM Revenue and Customs, the Financial Conduct Authority, the Department for Work and Pensions, the Treasury, the National Crime Agency, the Department for Business and Trade, and the Competition and Markets Authority.
My right hon. Friend reminds me of that famous scene in “Yes, Prime Minister”—thank God defence is held at central authority, or we would not have to worry about the Russians; we would have a civil war in two weeks. His point about local authorities having intelligence powers is valid. They do not have the same intelligence powers as MI5—let us be absolutely clear about that. That is not what we are offering.
It does the Minister great credit that he has made that list available during the course of our consideration. That is very important. What I had feared might happen was that we might not get it while we were in Committee. In fact, I have not actually seen it, but I am grateful to him for making it available, at least, during our consideration.
This is an area that concerns me. I am quite certain the security services have protocols on how to deal with such things, but it worries me that the DWP is on that list. Having been involved in work on the Horizon Post Office scandal for many years, I know the DWP did not cover itself in glory on some of those cases. Can the Minister reassure the Committee that there are protocols governing when and how it will use those powers? That, I think, would give the public some assurance that there is a standard for how they will be used.
The right hon. Gentleman tempts me towards an area that the Bill does not cover, so I hope he will forgive me for focusing on what it does cover, such as the safeguards. Clause 14 will limit communications data acquisition to the purpose of a body required to meet its civil functions and duties, such as a regulatory body providing oversight of financial markets, or indeed the DWP overseeing different elements of its responsibilities. Where disclosure is in support of a criminal prosecution and IPA part 3 authorisations for communications data must continue to be sought, using the existing safeguards and oversight provided for by the Investigatory Powers Commissioner’s office, the courts will oversee the use of those powers by public authorities in the same way as the acquisition of non-communications data under the existing powers. He has asked me specifically about a connected area, so—I hope he will forgive me—I will have a look at it and write to him very specifically about that.
May I suggest that the Minister does write to the Committee? I accept the safeguards in place, but for organisations other than the security services, I want to know what internal mechanisms they have to ensure that use of those powers is proportionate in terms of investigations and so on, and what training and protocols they are using. If the Minister could write to us on that, that would be helpful.
Forgive me, but the right hon. Gentleman is asking for a very large piece of work there. I am setting out the legal authority under which those organisations can act. Their internal processes may be different in different circumstances and be answerable to different Ministers.
I am sorry, but I do not agree with the Minister. He is giving those other public bodies additional powers, and I think it is quite reasonable for this Committee and the public to be assured of how those powers are actually going to be used. As I say, I have no problem with the security services, because I am well aware that they have very clear, strong protocols and safeguards governing the use of their powers internally, with authorisations and so on. I think he just needs to ask those other Departments how they are going to do this, and what the internal mechanisms are.
I am very happy to ask them; I am just stating clearly that they are not under the responsibility that I have as a Minister. The legal powers that they are given are not additional powers; they are repetitions of the IPA 2016, so they are not additional powers—[Interruption.] Forgive me, but they are not additional powers. Their existing codes of practice under the different organisations have their own responsibilities within them.
I beg to differ. In the next clause, we will come on to the breadth and depth of the new powers, but that is a different argument—I will save that until then. However, he is the Minister and, in my experience, the Minister leads the Bill. I would have thought it would be quite simple to ask those other Departments what those protocols are. If he does not ask, he does not get.
I will happily ask. The right hon. Gentleman is asking for internal management structures, though.
I am grateful to the Minister for offering me a second bite of the cherry. Perhaps I can offer a Hegelian synthesis between him and the right hon. Member for North Durham. We talked earlier about operational purposes, but we have to be careful about that: in the case of the agents of the police, one cannot publish purposes in fine detail, because that would be unhelpful. However, in broad terms, perhaps the way forward on this is to illustrate the kind of purposes that the bodies the Minister described might employ, within the legal constraints that he just set out. Perhaps that is the way forward; it would certainly satisfy me, and I cannot think that would not help to satisfy the right hon. Member for North Durham, who is a reasonable man—not my right hon. Friend, but a right hon. Gentleman and a personal friend, which is better than being a right hon. Friend.
As always, I welcome my right hon. Friend’s contribution. That is covered in many areas in the letter I wrote to him.
In an earlier response to comments by the right hon. Member for South Holland and The Deepings, the Minister helpfully mentioned the letter that I think has been sent to the right hon. Member and possibly other members of the Committee. Can the Minister confirm that that letter will also be sent to the Opposition?
To be absolutely clear, the letter was in response to my right hon. Friend the Member for South Holland and The Deepings, so it was sent to him, it was copied to the secretariat of the ISC and it is in the Bill pack. The hon. Member for Barnsley Central therefore has access to it.
May I ask the Minister to look at his internal process again? We also had this problem with the National Security Bill. I do not know whether he should change the pigeon post he is using to ensure people have it. May I also point out that the ISC is not constantly in session? Therefore, if he has to send it to the ISC, we do not automatically get it until our next meeting or when we do the next reading.
I am delighted to clarify that the letter was emailed to my right hon. Friend the Member for South Holland and The Deepings. He is a traditionalist in many ways, but I believe he has entered the electronic age.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 12 ordered to stand part of the Bill.
Clauses 13 and 14 ordered to stand part of the Bill.
Schedule agreed to.
Clause 15
Internet connection records
Question proposed, That the clause stand part of the Bill.
The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.
The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.
We are now looking at internet connection records. Whether we are for or against the provisions, the requirement in 2016 for companies to generate and provide internet connection records was a radical departure and makes the UK something of an outlier: as I understand it, there is no other European or Five Eyes country that allows the same sort of requirements to be made, certainly in relation to its own citizens.
As the Minister explained, there are various conditions on who can access the records. At present, the investigating bodies need to know which personal device they are looking for ICRs in relation to or know a specific time when a website was accessed to identify who was responsible for the events of interest to them. There is some judicial oversight, but not always. We are being asked to move a little further from that already fairly radical starting point and remove the need for a particular time to be identified, so as to have a general look at who uses certain internet sites and services over broader grades of time. That risks moving us step by step away from suspicion-based surveillance towards broader mass surveillance. People become targets of surveillance because of websites they have visited that are not only of questionable ethics, but potentially in breach of article 18 of the European convention on human rights. Various examples of how that might work are given in the explanatory notes, particularly in paragraph 120.
The Minister also gave some examples in relation to access to sites that are clearly illegal. I was quite surprised to learn that there are not already other powers that can be used to investigate who is engaging with such sites. If that is not the case, why not confine the power to sites that are clearly illegal in and of themselves, rather than enabling a trawling of data in relation to other sites that are not? I am not a tech geek, as will become more and more apparent the more that we debate the Bill, but the explanatory notes themselves confirm that there is a danger of and huge susceptibility to error here. Paragraph 123 says:
“Whilst clearly having the potential to provide significant operational utility it is recognised that such queries are highly susceptible to imprecise construction. As a result, additional safeguards are proposed in this Bill with the intention of managing access to this new Condition and mitigating public concerns.”
I am not absolutely convinced by the additional safeguards that follow in paragraph 124, which seem to revolve around training and various other requirements.
At the very least, I would prefer to see us go for independent judicial oversight in all cases, including authorisations under condition D2. As I understand it, under condition D1 a judicial commissioner would need to authorise what has been sought, but under condition D2 it could be internal. If the Minister wants us to expand the powers without the need for judicial authorisation in all cases, he needs to explain how often he expects the powers to be used and why judicial commissioner involvement in all such cases would not be realistic. Are there not other ways in which we can make this work while still retaining judicial oversight in all cases under the new provisions? I understand what the goals are here, but this is an example where it could be framed more narrowly and oversight could be strengthened.
I agree with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East, and the ISC feels strongly on this issue. We are clearly speaking English and the Minister is speaking Japanese, because this is about understanding what is actually being given to the agencies without any judicial oversight, which is being dismissed as if these powers are no greater or more intrusive.
As the Committee will know, under the IPA an internet connection record is a form of communications data. It contains data on who has accessed something: it does not actually provide the content of what they have seen or been in contact with. However, under the IPA information can be sought to develop knowledge of who is speaking to who. I think the ISC see the value of this for not only security services but issues around child protection and organised crime, as has already been argued. We are giving the security services and agencies a degree of authorisation here, which I would argue they have not had up until now.
We then come to the argument made by the Minister and the Government that these regulations are not any more intrusive than what we have at the moment. I would argue differently because the power is broad. Previously, targeted discovery condition A, under section 62 of the IPA, required that the agency and officer know the service and precise time of use to discover the identity of an individual, so that they actually know what they are targeting. The Minister used the words “fishing expedition”—this regulation will be a fishing expedition. By default, it will bring in a broader range of individuals who have nothing to do with the target the agencies are looking at the time and connection records for, and are of no interest to the agencies or anybody else.
The Government are arguing that this regulation is no more intrusive—but it is, if we are dragging in a large number of people in that way. Actually, by not having any judicial oversight, they are allowing the agencies to agree that internally. Although the intrusion is not deeper, it is certainly a lot broader than what we have at the moment. The Bill says that the new powers can only be used for “national security” and the catch-all phrase
“economic well-being of the United Kingdom”.
I am still yet to be convinced of that terminology, but I understand that the Minister and the civil service like consistency across Bills, and that is why it is in this Bill.
Under sections 60A and 61 of the IPA, requests to obtain an ICR are like requests to obtain other communication data: they have to be “necessary and proportionate”, which runs through all of this. Again, the Government are allowing the agencies to decide what is necessary and proportionate. I am not suggesting for one minute that they are going to go on a fishing expedition, but again there is a problem with the Government’s approach to the Bill, and certainly with the agencies’ approach. They want these powers, and I do not personally have an objection, but we have to look at how other people, who are not drowned in the detail of this Bill, will perceive them. Some opponents would say, “Why should I be dragged into this?” It is really about giving public confidence; as the right hon. Member for South Holland and The Deepings said this morning, when the IPA was passed, it was about trying to reassure people.
It would be very simple to ensure that this regulation has independent judicial oversight, as the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East has just said. I know the catch-all phrase that the Minister will come back with, because I am a quick learner: he will say, “The IPC has the ability to look back at anything.” Again, that is the haystack—where is the needle? It would be better and more reassuring if they were to have some judicial approval in advance. I will give the Committee one example. Let us suppose that we are looking at train records and patterns of behaviour on WhatsApp or a train-ticketing website. There is possibly a valid reason to do that—to see someone’s patterns of travel, and so on—but it will scoop up a lot of innocent internet users. The assurance here is that they will not be of interest and therefore they will not be part of it, but their information is being dragged into the system. Then a decision has to be made as to which ones people are interested in and which ones they are not.
That is a big change. I accept that it would not be the exact content that somebody accessed, but the connections would be there. It does not sit comfortably with me to leave such a big change to the security services. Knowing them as well as I do, I do not suspect that they will use the provision illegally or for alternative motives, but we have to reassure the public, and I do not think this does that. Would that be onerous? I am not sure that it would be. This comes back to the point that we have made about the ISC all the way through. If we are giving the security services extra powers, we need the counterbalance of a safeguard.
As the right hon. Member for South Holland and The Deepings said this morning, that was exactly how the IPA was approached. Clearly, he was a very good Minister, because he accepted amendments and suggestions, whereas only one has been accepted for this Bill so far. The Minister spoke this morning about working with the ISC. The Minister speaks to us, but he does not necessarily listen to what we say or take a great deal of interest in what we propose. This is an important point. It comes back to the fundamental point that if extra powers are going to be given, it is only right that they come with responsibilities and safeguards.
New condition D removes the existing requirement for the exact service and the precise time of use to be known. Basically, it will now be possible to do a sweep, which will mean dragging people in. Therefore, I cannot see the problem in having some oversight of these powers. I would like to know why the Minister thinks that condition D is not more intrusive. It is more intrusive, because a lot more people will be affected by it. I think the Government are hiding behind the idea that because it is not possible to identify what the individuals have actually seen, it is not really interesting. If that is the case, why have it in the first place? I know the reason for that, but it would be interesting to know what thought has gone into this and how many people will be dragged in. It obviously depends on how the provision would be used in practice. If we went down the street and said to people that we are giving these powers without any judicial oversight—the Minister will say that IPCO can always look at it, and I understand all that—I think that most people would be quite worried. We would give reassurance by providing that important oversight.
This provision certainly needs to be looked at. Is it of benefit and am I convinced that this is a new power that the agencies need? I am, and I think it is right, but coming back to the previous point, we have to ensure that we do not do anything that undermines what is done or that gives ammunition to those people who want to cast aspersions on what is actually done.
I think I know the arguments that the Minister will put forward. We will no doubt come back to this matter on Report, when there will, I think, be amendments from members of the Committee; and if we have an election wash-up, this is one proposal that I think will be pressed by the Opposition.
To supplement what the right hon. Gentleman has said, this was part of the original legislation and it is and always has been a controversial aspect of it. There are two things that I would emphasise here. First, it is really important to understand that the kinds of inquiries that would necessitate the use of this power are exceptional. When we considered the original Bill in Committee, one of the arguments was around a criminal threshold: in what circumstances would the public bodies that we are talking about need to avail themselves of the powers? I am on the record as saying at that time that I entirely agreed with the then shadow Minister’s argument that it should not be permitted for minor crimes. In other words, the bodies that the Minister listed earlier would not be using the powers on a routine, daily basis for all kinds of things that they are lawfully entitled to do; they would take advantage of the powers in exceptional cases in which very serious matters were at hand. That would be a helpful way of assuaging some of the doubts raised by the right hon. Member for North Durham.
Or we could have what was suggested earlier: when the power is used, that is reported to the Investigatory Powers Commissioner, so that it is aware of what is going on and can do something if it has concerns. At the moment, it is presented with a haystack and has to look for the needle.
Exactly. That point was made when we debated the original Act, and I think that I committed at the time to those kinds of things being detailed in the annual report. To clarify a point that was made earlier, David Anderson was clear at the time, and has been since, that we cannot detail the operational purposes of the agencies if doing so would compromise them. The techniques and approaches that they necessarily use in the performance of their duties could be compromised if we were to talk in detailed terms about the character of their operational activities. However, we can speak in broader terms about the kinds of circumstances in which powers might be used—and all the more so for the other public bodies, in a sense, because even if a serious criminal investigation is taking place, those investigations are not typically as secret as they might necessarily be in respect of the security and intelligence community.
Perhaps those two grounds—greater sight of the processes in those bodies and clarity about the circumstances in which the powers can be used; in other words, exceptionally and for very serious matters—would be helpful ways of dealing with some of the points raised by my colleague on the ISC, the right hon. Member for North Durham.
As usual, right hon. and hon. Members have raised some excellent points. Let me be clear: it is not true to say that there is no judicial oversight. To say that there is no judicial oversight would be correct if the IPC were not in place. I know what the right hon. Member for North Durham is going to say, but that is a form of judicial oversight.
As to the way in which the authorisations work, I hope that I have been clear—I will repeat it to ensure that I am—that an investigating officer would have to make an application to use the powers. That would have to go to a senior officer in their service who is not in their chain of command: someone who is not overseeing the operation or in their management chain—a separate element. Any abuse of that system could mean that that individual, or those individuals, are in violation of section 11. I know that the right hon. Member for North Durham takes his responsibilities on the ISC exceptionally seriously and is fully aware that sometimes there can be a pressing need for operational action at pace. That is what this is also designed to help. It is important that officers have the ability to act under a regulatory framework that means that abuses are, at worst, extremely limited due to various constraints.
I accept that and I have confidence in the internal protocols—do not get me wrong on that—but the Minister does not have to convince me or members of this Committee; it is about the public perception. What is the problem? If we are not going to have judicial oversight in terms of judicial authorisation, what is to stop us having another system whereby, when it is used, the IPC is informed? We could send a simple email so that it would at least have ongoing oversight when these powers are being used.
The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.
The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.
I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?
“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.
That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.
It is not about a fishing expedition, but they will get into a fishing expedition anyway. He says that train lines would not be affected, but they would. If someone wants to see an individual’s travel pattern, that is what they may do. Therefore, a lot of people’s data will be dragged in, not because it has been looked for but because it will come in anyway.
The problem is that if the argument is about speed—which I do not necessarily think is the case in some cases—the Minister has to do two things to reassure people that the powers are going to be used in the right way. First, he must provide pre-authorisation judicial oversight, and secondly, the IPC should be told, perhaps via a simple email, when the powers are used. That would at least allow it to look at the trends and uncover any concerns. I accept the protocols in place and am 100% sure that they are being followed, but it is possible that some people will not follow them and that is what we have to guard against.
This is a somewhat odd argument, because the right hon. Gentleman and I are slightly together but also arguing at cross purposes. Both of us have a very high regard for the intelligence services and are confident in their integrity, but we are slightly at cross purposes because he believes that we are not satisfying the oversight element, but I believe we are.
Let me be clear. I am not being a stick in the mud about this for any political reason. I actually happen to believe that this is the right way to approach this. There is a constant balance in all forms of oversight between the ability to act quickly and the ability to be controlled from outside. I believe that this sets in place a very significant, burdensome requirement on those who are taking these responsibilities to act according to certain principles. To repeat, the principles are necessity and proportionality. I do not think anybody in here would argue against those. What this requires them to do is make sure that the principles are met by effectively targeting in advance.
The right hon. Gentleman’s comment about train line use would, I am afraid, not satisfy that proportional need. The individual would have to be specifically identified in advance. The pattern of use of the website from the single point and to the point of contact—from a phone to an internet server or whatever it might happen to be—would have to be clarified. These ICRs are Venn diagram circles that are getting narrower and narrower. The idea that this would end up with some sort of week-long or month-long trawl of a train line website is, I am afraid, not permissible under the 2016 Act. Were any intelligence officers to do it—though I do not believe that they would—they would fall foul of section 11 and would not be acting necessarily and proportionately. Therefore, it would not be permissible.
It is pretty clear that existing conditions B and C already enable public authorities to make an application for a known individual’s internet connections. New condition D only enables a request for details to identify individuals who have used one or more specified internet services in a specified time.
I think that is the point. I do not think anyone is arguing against the fact that there will sometimes be exceptional circumstances that require haste. Everybody accepts that, but the issue with condition D is that it is explicit in removing the targeted nature of the other conditions. It is where they do not know the time or person and do not have the data available that they are using condition D. There is nothing in the Bill to make clear that it can only be used in exceptional circumstances. How can we square that circle? I do not think that anyone would disagree with the fact that there needs to be an ability to move at pace at times, but there is nothing here that says that power could only be used in those sorts of circumstances. Condition D creates a situation where we are going to hoover up data on a huge number of people, but there is nothing to say how long we are going to hold on to that data for, or what would be done with it.
To answer the last part of the question first, the holding on to data and what is to be done with it is the same as under the IPA generally. Information can be held or not held according to those provisions. This Bill does not change any of that, which is why that is not covered here, and I know the hon. Gentleman would not expect it to be.
It is worth pointing out that condition D is not only no more intrusive than conditions A, B or C, in terms of data—
Let me just finish the point; I know the hon. Member will come back to me.
Condition D is no more intrusive, and it does require the serious crime threshold, which does add an extra layer before it can be used. I hear the hon. Member’s point; the condition still requires proportionality and necessity, so it could not be simply anybody who is using Facebook, because clearly that is not proportionate. It still requires that targeting; it still requires those Venn diagrams, if he likes, to close over a target; and, even then, it requires the serious crime threshold.
The key thing to understand here is that the agencies have always had the ability to intercept communications data. Communications data is one’s letters. Communications data is one’s phone calls. We speak about communications data now, mindful of the way that people communicate now, and we think of the internet and telephones, but the process of intercepting communications has been a core part of the work of the agencies since the agencies began, so we need to put this in context.
The difference here is the nature of how people communicate. It is right to say that—I rise to be helpful to the Minister—the character of encryption, in particular, is making it harder, even in the kind of serious cases that have been described, for those who are missioned to keep us safe to do so by accessing the information they need. So it is right that the law needs to be updated. The critical thing for me, therefore, is this matter of the threshold, which was debated when we debated the original Act.
As far as I understand, this Bill does not change the threshold; it reinforces the threshold. If that is the case and, as has been said, exceptionality is a measure of significance and not complexity—some cases will be complicated, but it is about significance—then the only outstanding difference, as the Minister has said, is oversight. I think the reporting in the annual report matters—the right hon. Member for North Durham made that point—and that would be a small concession to make, if I can describe it as such. I take the point about alacrity, too. What we cannot do is slow down the process by making it bureaucratic.
I think there is an easy way out of this. Being very clear about thresholds, as the Minister very helpfully has been today, is perhaps the way out of it. To clarify that in writing might be helpful.
I do not think anyone could describe the right hon. Member for South Holland and The Deepings or myself as woolly liberals, but I do have a concern with this. Where we are giving an extra power—which is what this is, although the Minister disagrees about the breadth—I want to ensure somehow that, in a democracy, we have oversight of it. I do not want to make it difficult for the agencies to implement their powers, but there are simple ways of doing so. That could mean telling the IPC when it occurs.
I have faith in the internal mechanisms that the Minister refers to, but I was also on the Intelligence and Security Committee in 2017, when we did our rendition and detention inquiry. All the safeguards were in there then, and they were ignored. That led to some fundamental changes, including the Fulford principles. There are occasions when the best things in legislation are not followed through, and that can lead to some very serious consequences.
I take the right hon. Gentleman’s point and the spirit in which it was made. I reiterate that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office, as he knows, unless they are urgent or for the purposes of national security. That is where this is being focused. Condition D, which we have spoken about, will be restricted to only the intelligence services and the National Crime Agency when it is pursuing a national security element within its remit—that is a separate area, as he knows. Those organisations have the necessary expertise to raise compliant and proportionate restrictions.
Again and again, the principle in the Bill is that the least intrusive power must be used. The oversight starts internally, but very rapidly goes externally, whether it is to IPCO or a judicial commissioner. The ability to review is always there, and the penalties under section 11 of the 2016 Act, which we all hope will never be needed or used, are pretty onerous on anybody who abuses their power or in any way exploits their ability in order to conduct themselves in a way that we would all agree is unsatisfactory in a democracy. It is really important to say that.
Going back to the question raised by the hon. Member for Midlothian, the reality is that condition D applications will limit collateral intrusion as much as is reasonably practical. The returned data may only provide an indication of involvement in an investigation, and further analysis will likely be necessary to allow fuller determination. That is the nature of handling intelligence data and then conducting an analysis on the back of it. In all cases, that activity will have to be justified, and will be no more than is necessary to achieve the desired outcome.
To be absolutely clear, that has to be targeted. This is a series of circles in a Venn diagram to target as narrowly as possible. Were others to be captured in that narrowest possible target, that data could not be held, or a separate application would have to be made in order to hold it. For example, one can imagine a circumstance in which an intelligence agency is targeting a paedophile on a particular street. Using different forms of communication technique, it narrows it down from a handset to an operator, a particular website, a particular time, and so on, so the Venn diagram narrows—it is very focused. If it turns out that there is another paedophile operating in exactly the same area at that time, that would require a separate application, because it is a separate target. The data could not just be held. Nor would it be ignored—I am sure the hon. Gentleman would not suggest it should be. But the judicial oversight needs to be gone through and the application needs to be made. It is a separate warrant, and so on.
In the example the Minister gives, at the same time the agency targets that individual, it will have a lot of other people who communicated with that individual. How long will that information be kept? That is the concern people have. It is not the depth, but this is broad. Most of those people would be completely innocent of anything. There is then the issue of how long that information is kept and who makes the decision about how long to keep it.
Forgive me, but I disagree with the right hon. Member on this. It is unlikely that there would be a large number of people at a specific geographic location, using a specific cell site, from a specific handset, viewing a specific website at a specific time. Once it is narrowed down like that, the numbers are very small. That does not mean that any intrusion that is not legally authorised is acceptable—that is absolutely not what I am saying. But we are getting down to very small numbers of people, and quite deliberately so, in order to achieve an intelligence outcome.
As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.
In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.
Let me go back to the Trainline example. Suppose it is not child exploitation—the Minister is possibly right that it is specific, and hopefully there are not many people in one street—and someone is trying to look for a person’s travel plans, so they want to know how many people in an area have contacted Trainline. It will be more than one person, so there will be a lot of other people they are not looking for in there. That is the problem, and that is all that the ISC, the hon. Members for Midlothian and for Glasgow South and the Labour Front Benchers are saying.
Earlier the Minister used the words “control from outside”. I am sorry if he sees oversight as control, but I certainly do not. It is about giving confidence to the public that there is independent oversight over these powers, whether that is informing the IPCO when they are used or having pre-authorisation, as was suggested earlier. I do not see the problem with keeping people informed. The Minister is hiding behind IPCO, but it was introduced in the first place to give the public confidence.
I suspect we are not going to come to an agreement on this, so I will probably leave it after this point. The IPCO oversight means that IPCO can look at a request at any point. The maximum period it can go without looking at it is 12 months, but it can look at any point. We have said that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office
“except where they are urgent or are for the purpose of national security”.
That interaction, which the right hon. Gentleman rightly supports, is already there, so I do not accept it is lacking.
On the question of proportionality, the amount of information that one may need to investigate a paedophile network, for example, may mean being slightly vaguer about the specific time, whereas following a known individual may require different forms of flexibility and proportionality. I am afraid I am going to be very cautious about setting out what each one means, because these principles will have to adapt and be applied as appropriate.
We are going to have to close this down and move on because we have other things to do. Perhaps the way through is, as was suggested a few moments ago, that this be reviewed over time. If in the annual report we have a really thorough examination of how the measure has been applied and in what circumstances—in broad terms, of course, because we do not need the details of the crimes—that would give us the assurance we need. Our Committee has made that point emphatically. That would be a terribly good way out of this and it would not be a huge step. If the Minister agrees to that, I would certainly be satisfied.
It is not for me to tell the ISC what it should look into, but I would be surprised if it did not want to look into this in great depth.
I think the Minister might have misunderstood. Forgive me; I did not mean that. I meant that this could be reviewed in the IPCO annual report. That would obviously be considered by the ISC in the way he describes. I think we need a summary of how this will work in practice and a commitment that we do that now. He sort of talked about a retrospective review. Rather than debate this further now, that would be a very good way forward.
I am entirely supportive of the idea that IPCO should update the ISC and the Secretary of State about how it is working and provide information so that a proper view can be taken. I think that is entirely appropriate.
Well, that would be fine if the Government did not redact things in IPCO reports and try to stop us getting access to—[Interruption.] I am sorry, but the Government are doing that. They have done it over the past few years. That is the problem. The Government are paying lip service to the ISC. We are not trying to thwart the work of our security services; we are an important part of the democratic oversight of them. That is why we were set up under the Justice and Security Act 2013. I am sorry to say that the Government are trying to drive a coach and horses through it, including by preventing information from IPCO from being given to us.
I think we have covered the area, and I have said all I am going to about the matter.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16
Powers to require retention of certain data
Question proposed, That the clause stand part of the Bill.
Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.
Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.
Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.
Clause 17 amends section 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.
I have some comments to make about extraterritoriality, but I will do so in the next debate.
Question put and agreed to.
Clause 16 accordingly ordered to stand part of the Bill.
Clause 17 ordered to stand part of the Bill.
Clause 18
Review of notices by the Secretary of State
Question proposed, That the clause stand part of the Bill.
The notice review mechanism is an important safeguard. If operators are dissatisfied with a notice that they are given, or with any part of it, they have a statutory right to refer it to the Secretary of State for a review. Clause 18 is essential to ensure that operators do not make any technical changes during the review period that would have a negative impact on existing lawful access capabilities.
Operators will not be required to make changes to specifically comply with the notice. However, they will be required to maintain the status quo. If there was lawful access at the point at which a notice was given, access to data must be maintained by the operator while the notice is being comprehensively reviewed. This will ensure that law enforcement and intelligence agencies continue to have access to vital data during that period in order to keep people safe.
To be clear, companies can continue to make technical changes or roll out new services during the review period, so long as lawful access remains unaffected. The status quo will apply only to services or systems specified within the notice; anything outside the scope of the notice will be unaffected. If, at the conclusion of a review, the Secretary of State confirms the effect or varies the notice, maintaining the status quo will be vital to ensure that law enforcement and intelligence communities do not lose access to data during the review period that they would otherwise have been able lawfully to obtain. In the Lords, the Government amended the Bill to introduce a timeline for the review of a notice.
I will be very brief. I am grateful for the Minister’s remarks, but I want to raise the concerns of some telecommunications operators and of organisations representing the sector about clauses 18 and 19. These include a view that the role of the proposed new notices regime would hinder and even veto product development.
I know that the Minister and his Department have engaged with stakeholders about those concerns, as have Labour Members. I would be grateful if the Minister briefly set out whether recent engagement has taken place with stakeholders with regard to these matters, and whether he has any further plans to address the concerns that they have expressed about clauses 18 and 19.
I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.
The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:
“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”
Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State
“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”
Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.
As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.
According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.
In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.
I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.
Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.
The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.
The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.
It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.
It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.
The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.
I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?
Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.
On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.
Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19 ordered to stand part of the Bill.
Clause 20
Renewal of notices
Question proposed, That the clause stand part of the Bill.
Currently, a notice must be kept under regular review by the Secretary of State, but it does not cease to have effect unless the Secretary of State revokes it. The clause will introduce a notices renewal process such that if two years have passed since a notice was given, varied or renewed, it must go through the double lock process to obtain the approval of a judicial commissioner, in addition to a full necessity and proportionality assessment by the Secretary of State. This change will provide reassurance to operators that their notice remains necessary and proportionate.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Notification of proposed changes to telecommunications services etc
I beg to move amendment 6, in clause 21, page 45, line 7, leave out first “person” and insert “relevant operator”.
This amendment and amendments 7, 8, 10, 11, 12 and 13 provide that the expression “relevant operator” is used consistently in inserted sections 258A and 258B of the Investigatory Powers Act 2016.
With this it will be convenient to discuss the following:
Government amendments 7 to 13.
Clause stand part.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendment 6 agreed to.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.
Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)
See amendment 6.
Clause 21, as amended, ordered to stand part of the Bill.
Clause 22
Interception and examination of communications: Members of Parliament etc
I beg to move amendment 3, in clause 22, page 47, line 17, leave out from “and” to end of line 19 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (2).”
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 26 of that Act.
Government amendments 3 and 4 require that any Secretary of State to be designated by the Prime Minister as an alternative approver must have the necessary operational awareness of the warrantry process to undertake the role. This change will replace the current drafting inserted in the House of Lords relating to “routine duties”, which is over-restrictive and will undermine the resilience of the triple-lock process that the clauses seek to safeguard.
Requiring relevant operational awareness will ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation. It will allow scope to include those who may be new to their role and do not yet carry out such duties routinely, or who no longer carry them out routinely due to machinery-of-government changes but have valuable pre-existing knowledge that makes them a suitable alternative approver.
I am grateful to the Minister for the fact that his amendment goes some way to dealing with the issues that I and others raised in relation to the change from existing practice. At the moment, the Prime Minister provides the element of what has been described as the triple lock. The Government proposal is that other Secretaries of State should perform the role when the Prime Minister is unable to for a number of reasons. My anxiety, reflected by the Intelligence and Security Committee, is that those Secretaries of State who act for the Prime Minister in such circumstances should be people with operational experience. Typically, that would mean people with warranting powers—people accustomed to the business of issuing warrants, with all that that suggests.
The Government amendment speaks of operational awareness. I think “operational experience” is a better turn of phrase, although I accept the Government’s point that if there was a new Secretary of State—a new Home Secretary would be a good example—they would not necessarily have experience. By definition, they would be new in the job, whether that was the Home Secretary or Foreign Secretary and so on. It might be possible to speak of experience and responsibilities, so it could be either responsibilities or experience. Of course, the Government rightly say that a former Home Secretary, Foreign Secretary or Northern Ireland Secretary who was then doing a different job in Government could be one of the people designated, so I take that point.
The issue here is ensuring that the people who perform the role are competent to do so, and I know that is something on which we agree. It is really a matter of the semantics, but semantics are not always insignificant. I am aware of bolshevism and liberalism, but I would not want anything to do with either of them. I am aware of the separatist case on the United Kingdom, but awareness is as far as I want to go with that—I say that without contention or, indeed, acrimony of any kind. I am not sure that “awareness” is quite the right word, and I simply offer that semantic but not insignificant point to the Minister for his consideration.
I rise to speak briefly to Government amendments 3 and 4, which Labour welcomes. The principle of the appropriate Secretary of State giving approvals under section 26 of the Act was raised in the amendments proposed by Lord Coaker and Lord West in Committee in the other place. The amendments are an important further clarification regarding which Secretaries of States are eligible to be delegated the prime ministerial authority on investigatory powers relating to members. Necessary operational awareness demonstrated by the right people is, of course, crucial to ensure that the right decisions are made on what are, after all, very sensitive matters. I am mindful of the remarks made by the right hon. Member for South Holland and The Deepings, so it would perhaps be helpful if the Minister could say something about how recent—mindful of the debate about whether “recent” is the right word—this operational awareness should be.
I think so, because the original wording talked about being able to nominate basically anybody. It was then defined, but the amendment widens it again. It says, “necessary operational awareness”; is that, for example, that any Secretary of State is aware that it is a voluntary process? For example, the Foreign Secretary and the Home Secretary sign warrants, and another Secretary of State could say, “Yes, I’m aware of that.” As the right hon. Member for South Holland and The Deepings said, “operational experience” would be better wording, because “necessary operational awareness” is too broad. What does it actually mean in practice? For example, must they have any experience of having signed a warrant before? Or do they just need to know that the warrantry system exists?
First, I place on the record my gratitude to the ISC, to which I have listened extremely carefully on this matter; indeed, the Bill has been changed because of it. Let me be clear that although many people are aware of things, to be operationally aware is not the same as to be just aware. Many people were aware of the conflict in Helmand, but I argue that only the hon. Member for Barnsley Central and I were operationally aware of the conflict in Helmand. It is rather a different requirement. It does not mean that one knows about the operation; it means one is aware in an operational sense of it. It is not just an observation of the challenge.
I have to say that from my experience as a former Minister in the Ministry of Defence—I said I was never a Secretary of State—I was not only aware of what was going on but operationally aware. Could an Under-Secretary of State at the Ministry of Defence therefore be designated as one of these people? On Tuesday mornings every week, I was very operationally aware of what was going on in Helmand, for example.
First, this goes alongside the code of practice, which challenges the right hon. Gentleman’s point. It would need to be people who were briefed into the warrantry process. It needs to be somebody who understands what a warrant is, so it is not somebody who is merely observing it, such as a Secretary of State for Culture, Media and Sport.
On the point that my right hon. Friend the Member for South Holland and The Deepings made about experience, I understand the debate. There is a possibility—I know that he and I will do everything we can to prevent it—that there will be a change of Government soon. In that case, there will be an awful lot of people who have absolutely no experience at all of these matters. It would therefore be wise not to set up a provision that would immediately require amendment. Disappointed though we would be at that outcome, my right hon. Friend would agree that he would not want a law to be amended in its first year, if we could possibly avoid it.
To be clear, the Government view the four alternative approvers as being likely to be the Home Secretary, the Foreign Secretary, the Defence Secretary and the Northern Ireland Secretary. Only three would be able to act as the triple-locking Secretaries of State, because of course we would have already used up two of them to do the first two functions. That is why the numbers are required, and why I am incredibly grateful to the ISC for pointing it out and being very cautious on it.
If what the Minister has just said is the case, why do the Government push back on a suggestion that I think they actually made earlier on? The Minister is now pushing back on it. Although I understand the need for the code of practice, if there was a change in it—because there might be sometime—would that come back to Parliament to be approved? We are dancing on the head of a pin here. I do not know why, but that is quite common with the Home Office. The Minister says that it will be mainly four people, but I would love to know what he means by “necessary operational awareness”, which is clunky language.
Codes of practice will be brought forward through regulations in the usual way, as the right hon. Gentleman is aware, and the House will scrutinise them in the usual way. This is a very legalistic process, as I recognise from the inside as much as he does from the outside. It is true that if, for example, the Northern Ireland Secretary became the Education Secretary, they could then be included. The idea is to ensure that it is somebody who is appropriate to the task, which is why the measure is worded as it is. I always listen to right hon. and hon. Members across the House. I believe that the amendment is the best version that we have come to so far. I will continue to listen to the right hon. Gentleman, as always.
Given what the Minister said about a change in Government—I do not expect one, but I suppose it is a remote possibility—perhaps the words “operational responsibility or experience” would cover the point made and be slightly tighter than “awareness”. Also, there is the matter of notifying the PM. The Committee made the good suggestion that the PM should be notified as soon as practicable, which may be something with which the Minister agrees. If the Prime Minister were indisposed because of illness or whatever, they would be notified as soon as is practicable that a warrant had been issued.
On the second point, I am sure that, like me, my right hon. Friend finds it absolutely inconceivable that that PM would not be notified. I am not convinced that that must be in primary legislation. I find it genuinely inconceivable that the Prime Minister would not be notified at the earliest opportunity. Obviously, if they could be notified immediately, the provision would not be required.
But, Minister, let us be honest: a lot of things that we would have taken for granted were ignored in Downing Street over the last few years. Until Boris Johnson became Prime Minister, it had been a great part of our constitution that convention was followed. Surely it would therefore be better to have the point about notification in the Bill; otherwise, we are leaving it to the free will of convention. I would have trusted convention, but we have had Boris Johnson as Prime Minister.
I want to help the Minister, because I do not necessarily agree with the right hon. Member for North Durham; occasionally, he and I do disagree, despite the impression that we have created in this Committee. Notification could be covered in a piece of statutory guidance that supports the Bill. It could state that the Prime Minister should be notified as soon as reasonable practicable, exactly in the terms just described. How’s that?
As is so often the case, I absolutely agree with my right hon. Friend.
I will look at putting it in the guidance, as suggested by the right hon. Member.
I have said what I am going to say on the matter.
Amendment 3 agreed to.
I beg to move amendment 17, in clause 22, page 47, line 26, at end insert—
“(2G) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise the interception of certain elected representatives’ communications as soon as is reasonably practicable.
With this it will be convenient to discuss amendment 18, in clause 23, page 48, line 21, at end insert—
“(7F) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise a targeted equipment interference warrant relating to one of certain elected representatives as soon as is reasonably practicable.
I am conscious of the debate that has just taken place, so I anticipate what the Minister may say in response. Let us give him another go anyway.
Amendments 17 and 18 relate to the decision of a designated Secretary of State to authorise the interception of elected representatives’ communications and interference with equipment relating to elected representatives. As the Minister will know, two similar amendments were proposed by Lord West in Committee in the other place. The reason for tabling the amendments in Committee in the Commons is that the Opposition believe that the Prime Minister’s overall involvement in the warrants must be retained, even if, in designated cases, it could be retrospective. As I said, I am mindful of the debate that has just taken place.
In the other place, Lord Sharpe rejected Lord West’s amendment on the basis that the oversight arrangements for warrant decisions taken by a designated Secretary of State, which include review by the judicial commissioner, are sufficient scrutiny. I understand that argument, but I wonder why it should not be the case that a Prime Minister is at least notified about decisions to issue warrants that they have had to delegate due to their being unable to do so. Furthermore, would a Prime Minister not being notified of a decision unnecessarily diminish their operational awareness in making future decisions to issue warrants?
My amendment would require the Prime Minister to be informed of a decision taken by a designated Secretary of State on their behalf as soon as the circumstances that have prevented the Prime Minister from approving a warrant in the first place have passed. I hope the Minister and the Committee will understand the emphasis on the important nuance in the difference between review and notification. Mindful of the earlier debate, I hope that the Minister will consider accepting the amendments.
For want of repeating myself, I will probably leave that to stand.
We are speaking about elected representatives who are then appointed into Government and make decisions, and we have rightly had an important debate, to which the Minister has responded. If possible, it would be helpful if he could confirm who from the agencies would also be involved in the decision making. That would add some faith as to the robustness of the decision making that takes place when such actions are taken.
I am cautious about answering that question, for the simple reason that it depends on where and how the information was gathered, whether it was gathered deliberately or accidentally as part of an existing operation, and whether it was tangential. It is absolutely inconceivable that the chief of whichever agency it was would not be aware and therefore not part of that conversation.
I suspect that we may return to this matter on Report. On the basis of the remarks made by the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clause stand part.
Clause 23 stand part.
New clause 1—Requirement for the Prime Minister to appear before the Intelligence and Security Committee—
“After section 26 of the Investigatory Powers Act 2016, insert—
‘26A Requirement for the Prime Minister to appear before the Intelligence and Security Committee
(1) The Prime Minister must appear before the Intelligence and Security Committee of Parliament to provide oral evidence on the matter set out in subsection (2).
(2) The matter is decisions made by the Prime Minister or an individual designated under section 26 to—
(a) give approval to issue warrants to intercept and examine communications of Members of Parliament;
(b) interfere with equipment belonging to Members of Parliament;
(c) other relevant decisions relating to Members of Parliament in the interests of national security
(3) The duty in subsection (1) applies once every session of Parliament.
(4) Subsection (1) does not apply if the Intelligence and Security Committee does not require the Prime Minister to attend.’”
This new clause would require the Prime Minister to appear before the Intelligence and Security Committee to provide oral evidence on decisions made to approve warrants to intercept and examine communications of MPs or to interfere with equipment belonging to MPs, and other relevant decisions relating to MPs.
New clause 4—Interception notification for Members of Parliament etc.—
“After section 26 of the Investigatory Powers Act 2016 (Members of Parliament etc.) insert—
‘26A Interception notification for Members of Parliament etc.
(1) Upon completion of conduct authorised by a warrant under section 26, or the cancellation of a warrant issued under that section, a Judicial Commissioner must notify the subject of the warrant, in writing, of—
(a) the conduct that has taken place, and
(b) the provisions under which the conduct has taken place.
(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.
(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the subject of the warrant.
(4) A Judicial Commissioner must consult the person who applied for the warrant in order to fulfil an assessment under subsection (3).’”
This new clause would require members of a relevant legislation who are targets of interception to be notified after the fact, as long as it does not compromise any ongoing investigation.
Clauses 22 and 23 will increase the resilience and flexibility of the warrant system. They will ensure the effective processing of warrants that authorise the interception of, or the use of equipment interference to obtain, the communications of a Member of a relevant legislature when the Prime Minister cannot fulfil their duties due to medical incapacitation or a lack of access to secure communications. The changes will enable the authorisation process to function in an agile manner, thereby enabling the important work of the intelligence agencies to continue while maintaining a high bar for the authorisation of some of the most sensitive warrants.
I rise to speak to new clause 1, which relates to oversight by the Intelligence and Security Committee of warrants to intersect and examine the communications of Members or the interference with equipment relating to Members. The context of the new clause will be clear to those who followed the debates in the other place about the role of the ISC. To be absolutely clear, I am not seeking to debate the Wilson doctrine—I know that Members will be relieved to hear that.
The purpose of the new clause is to probe and seek further safeguards for the ISC to provide essential oversight of this extremely sensitive matter, codified by the 2016 Act as part of a wider context of decisions made by the Prime Minister in the interests of national security. Members of this Bill Committee who also serve on the ISC will know that successive Prime Ministers have, unfortunately, not appeared in front of that Committee since, I believe, 2014. As a result, there has been no opportunity for direct accountability over prime ministerial decision making on warrants to intercept and examine Members’ communications, or on interference with equipment relating to Members.
I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.
New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.
Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.
In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would needed to allow such a measure to be implemented.
The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians thorough the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.
This proposal is not without some difficultly, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.
On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.
For now!
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Clause 23
Equipment interference: Members of Parliament etc
Amendment made: 4, in clause 23, page 48, line 15, leave out from “and” to end of line 17 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (3) or (6).”—(Tom Tugendhat.)
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 111 of that Act.
Clause 23, as amended, ordered to stand part of the Bill.
Clause 24
Issue of equipment interference warrants
Question proposed, That the clause stand part of the Bill.
The Bill makes minor changes to the equipment interference regime, specifically in relation to the warrantry processes associated with its authorisation. The purposes behind those changes are to correct minor drafting errors in the IPA to provide greater clarity, and to improve the efficiency of the warrantry process for equipment interference.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clauses 25 and 26 ordered to stand part of the Bill.
Clause 27
Bulk equipment interference: safeguards for confidential journalistic material etc
I beg to move amendment 19, in clause 27, page 50, line 9, at end insert—
“(2A) Where a senior official acts on behalf of the Secretary of State under subsection (2), they must inform the Investigatory Powers Commissioner of the selection for examination of BEI material as soon as reasonably practicable.”
This amendment would require a senior official acting on behalf of the Secretary of State who has selected BEI material for examination when there has been an urgent need to do so to inform the Investigatory Powers Commissioner as soon as reasonably practicable.
Amendment 19 would require a senior official acting on behalf of the Secretary of State who has selected bulk equipment interference material for examination, when there has been an urgent need to do so, to inform the Investigatory Powers Commissioner as soon as is reasonably practical. It would ensure that every reasonable oversight arrangement was in place concerning the Bill’s investigatory powers provisions.
The amendment does not suggest that the Investigatory Powers Commissioner retrospectively reviews the approval, but instead proposes that they be informed to ensure that there are the most comprehensive and effective oversight arrangements on investigatory powers. We intend not to burden the police and the security services with additional duties, but to ensure that there is the maximum possible oversight with the minimum possible additional work. I hope that the Minister will at least agree with the intentions of the amendment and consider its merits in further strengthening the Bill’s oversight arrangements.
I welcome the amendment, and not only do I agree with it, but I feel that we have already done it. My understanding is that the provision duplicates what already occurs in practice under the current regime, as well as the changes made by clause 27. Currently, the Investigatory Powers Commissioner is already effectively notified when a senior official acting on behalf of the Secretary of State, in urgent circumstances, approves the selection for examination of journalistic material derived from bulk equipment interference. Clause 27 already inserts into the IPA new section 195A(2), which will ensure that the Investigatory Powers Commissioner is notified as soon as is reasonably practical by the Secretary of State when a senior official approves the use of criteria to select for examination journalistic material in reliance on an urgent approval. Effectively, the senior official is informing on behalf of the Secretary of State, or indeed the Secretary of State is informing on behalf of the senior official. We all very much hope it is the former of the two.
Clause 27 enhances the safeguards already afforded to journalistic material within the IPA, and the Government recognise the importance of journalistic freedom within free and democratic societies, which is why we are introducing this measure. Under the current regime, the Investigatory Powers Commissioner must be informed when a communication that contains confidential journalistic material or sources of journalistic material is retained following its examination for purposes other than its destruction. The clause introduces a requirement for prior independent approval by the IPC before any search criteria are used to select such material. Prior independent approval is also required before it is removed.
I am grateful to the Minister for that clarification. On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 27 ordered to stand part of the Bill.
Clause 28
Exclusion of matters from legal proceedings etc: exceptions
Question proposed, That the clause stand part of the Bill.
Clause 28 will amend schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland or Scotland into a person’s death. The clause will create parity with existing provisions for coroners in England and Wales. It also adds an exception to enable panel members of the Parole Board in England and Wales to access intercepted materials when considering parole applications and any subsequent appeals. It will also enable relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland to access intercepted material in connection with their inquiry or inquest.
Question put and agreed to.
Clause 28 accordingly ordered to stand part of the Bill.
Clause 29
Freedom of information: bodies dealing with security matters
Question proposed, That the clause stand part of the Bill.
Under the Freedom of Information Act 2000, the Investigatory Powers Commissioner’s Office is not, and never has been, a public authority within the scope of the Act. The lack of control over the onward disclosure of information related to the functions of the judicial commissioners raises security concerns and has the potential to compromise the IPC’s inspections, which are often, by their very nature, intrinsically sensitive. The clause would prevent sensitive intelligence being further disclosed under the FOIA once such information is supplied by IPCO to a public body.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clause 30
Power to make consequential provision
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clauses 31 and 32 stand part.
Government amendment 5.
Clause 33 stand part.
Clauses 30 to 33 are typical clauses that are included in the vast majority of legislation. Clause 30 allows the Secretary of State, by regulations made by statutory instrument, to make provision that is consequential on this Act. Clause 31 details the extent of the Bill. The Bill extends and applies to the whole of the United Kingdom, with the exception of measures contained in clause 28, in which subsection (2) applies to England and Wales only and subsection (3) applies to Northern Ireland and Scotland only.
As national security is a reserved matter, a legislative consent motion is required from Scotland only in relation to a small number of clauses in part 2—the oversight aspect—of the Bill. I am pleased that the Scottish Government have recommended that legislative consent be given.
Clause 32 details when the Bill commences. Part 6 comes into force on the day on which the Bill is passed; the other provisions come into force on such day as is appointed by regulations made by the Secretary of State.
Question put and agreed to.
Clause 30 accordingly ordered to stand part of the Bill.
Clauses 31 and 32 ordered to stand part of the Bill.
Clause 33
Short title
Amendment made: 5, in clause 33, page 56, line 1, leave out subsection (2).—(Tom Tugendhat.)
This amendment removes the privilege amendment inserted by the Lords.
Clause 33, as amended, ordered to stand part of the Bill.
New Clause 2
Report on the Prime Minister’s engagement with the Intelligence and Security Committee
“After section 240 of the Investigatory Powers Act 2016 insert—
“240A Report on the Prime Minister’s engagement with the Intelligence and Security Committee
(1) The Secretary of State must publish a report about the Prime Minister’s engagement with the Intelligence and Security Committee in relation to the investigatory powers regime and lay the report before Parliament.
(2) The report must be published within six months of the passage of the Investigatory Powers (Amendment) Act 2024, and annually thereafter.””—(Dan Jarvis.)
This new clause would ensure the Secretary of State publishes a report on the engagement, including any meeting held, between the Prime Minister and the Intelligence and Security Committee in relation to the investigatory powers regime.
Brought up.
I recognise that we have already had an extensive debate on this matter. I do not intend to detain the Committee any longer, and there is therefore nothing further I wish to say about new clause 2, so I do not wish to move it.
New Clause 3
Impact of Act on EU data adequacy decisions
“Within six months of the passage of this Act, the Secretary of State must publish a report assessing the potential impact of this Act on EU data adequacy decisions relating to the United Kingdom.”—(Dan Jarvis.)
This new clause would require the Secretary of State to publish a report on potential impact of the provisions within this Bill on the requirements necessary to maintain a data adequacy decision by the EU.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 3 relates to the impact of the Act on EU data adequacy decisions. When a similar measure to this new clause was proposed by my noble Friend Lord Coaker during the Bill’s passage through the other place, the response from the Minister, Lord Sharpe, confirmed the UK Government’s regular contact with the European Commission about the Bill to ensure that any changes are understood. We welcome that but, as I hope the Minister will understand, such engagement is a continuous process, not a single event or even a series of events. As part of this continuous process, we believe that the Secretary of State should publish a report assessing the potential impact of the Act on EU adequacy decisions.
As Lord Coaker said in the other place:
“The adequacy agreement is dependent on the overall landscape of UK data protections”.—[Official Report, House of Lords, 23 January 2024; Vol. 835, c. 688.]
That is even though the UK protections require some further work. However, given the time pressures, Mrs Cummins, that is all I will say about new clause 3.
First, I welcome the interactions we have had on this point, as well as the work of Lord Coaker and Lord Sharpe to ensure that this is widely understood. The work that has been done is important. We face the challenge that although we obviously commit to fulfilling our side of the TCA and the various agreements we have struck, this is really a matter for the European Commission to determine, so it is not one that we can pass into UK law. It is really a matter for them.
I have nothing further to add. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
On a point of order, Mrs Cummins. I would like to express my extreme personal thanks to Tom Ball and the Bill team, Phoebe, the Lucys, and the many others who have contributed brilliantly to ensure that this Bill has proceeded with speed and professionalism. I thank not only the members of the Committee, but all Members of many parties, and particularly the ISC, which has contributed so much to this Bill, despite what the right hon. Member for North Durham claims. May I say a particular thanks to my very good friend and shadow, the hon. Member for Barnsley Central? It is an enormous pleasure to think that we have gone from fighting the Queen’s enemies to passing the King’s laws together.
Further to that point of order, Mrs Cummins. I join the Minister in warmly extending my thanks on behalf of Labour to all members of the Public Bill Committee and all the officials, both in the Department and in the House, who have done a sterling job in getting us to this point. I am grateful to the Minister for his collegiate approach, which I very much hope we will be able to maintain during the further passage of the Bill. Thank you, Mrs Cummins.
Further to that point of order, Mrs Cummins. May I say a particular thanks to you for chairing this Committee today in such a fantastic and eloquent way?
Further to that point of order, Mrs Cummins. Since we are having further points of order, I want to say to the Minister, and the shadow Minister, how grateful I think most of the Committee are for the way this Bill has been conducted. This is a really good example of how a measure can be considered in Committee in a way that is not nakedly partisan or, worse, spiteful. I simply say to the Minister that I do regard the original Act as my child, and I see him as its foster parent, so he had better do a good job.
Bill, as amended, to be reported to the House.
(8 months, 3 weeks ago)
Commons ChamberI beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
New clause 2—Requirement for the Secretary of State to publish an annual report on technology-enabled serious and organised crime and technology-enabled threats to national security—
“After section 234 of the Investigatory Powers Act 2016, insert—
“234A Requirement for the Secretary of State to publish an annual report on technology-enabled serious and organised crime and technology-enabled threats to national security
(1) The Secretary of State must publish a report on technology-assisted crime insofar as it relates to measures set out in this Act and the Investigatory Powers Act 2016.
(2) The report must be published within one year of the passing of the Investigatory Powers (Amendment) Act 2024, and annually thereafter.””
This new clause would ensure the Secretary of State publishes an annual report on technology-enabled serious and organised crime and technology-enabled threats to national security insofar as it relates to measures set out in this Act and the Investigatory Powers Act 2016.
New clause 3—Prevention of torture or cruel, inhuman or degrading treatment or punishment—
“(1) The Investigatory Powers Act 2016 is amended as follows.
(2) Before section 260 (and the cross-heading before that section), insert—
“Prevention of torture or cruel, inhuman or degrading treatment or punishment 259A Prevention of torture or cruel, inhuman or degrading treatment or punishment
No public authority may take any action, whether retention, examination, disclosure, handing over to any overseas authority or any other action authorised by this or any other enactment, in relation to material obtained in accordance with the provisions of this Act if the public authority knows or believes that action—
(a) would result in torture or cruel, inhuman or degrading treatment or punishment, or
(b) presents a real risk of resulting in torture or cruel, inhuman, or degrading treatment or punishment.””
New clause 4—Members of Parliament: interception and examination of communications and equipment interference—
“(1) The Investigatory Powers Act 2016 is amended as follows.
(2) In section 26 (targeted interception warrants and targeted examination warrants: Members of Parliament etc.), after subsection (2), insert—
“(2A) The Secretary of State may not issue the warrant if it relates to communications sent by, or intended for, a member of the House of Commons.”
(3) In section 111 (targeted equipment interference warrants: Members of Parliament etc.), after subsection (7), insert—
“(7A) A warrant may not be issued under this section if it relates to—
(a) communications sent by, or intended for, a member of the House of Commons, or
(b) a member of the House of Commons’s private information.””
This new clause would remove the ability of the Secretary of State to authorise the interception of the communications of, or the obtaining of communications intended for, or private information belonging to, Members of Parliament.
New clause 5—Interception notification for Members of Parliament etc.—
“After section 26 of the Investigatory Powers Act 2016 (Members of Parliament etc.) insert—
“26A Interception notification for Members of Parliament etc.
(1) Upon completion of conduct authorised by a warrant under section 26, or the cancellation of a warrant issued under that section, a Judicial Commissioner must notify the subject of the warrant, in writing, of—
(a) the conduct that has taken place, and
(b) the provisions under which the conduct has taken place.
(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.
(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the subject of the warrant.
(4) A Judicial Commissioner must consult the person who applied for the warrant in order to fulfil an assessment under subsection (3).””
This new clause would require members of a relevant legislature who are targets of interception to be notified after the fact, as long as it does not compromise any ongoing investigation.
Amendment 7, page 3, line 9, leave out clause 2.
Amendment 8, in clause 2, page 3, line 17, leave out “, or only a low,”.
Amendment 24, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”.
This probing amendment would mean that individual and category authorisations for bulk personal datasets would not apply to bulk personal datasets unless they had been published in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
Amendment 9, page 3, line 34, at end insert—
“(4) By way of example, bulk datasets of images obtained by CCTV and bulk datasets of Facebook posts are not to be considered datasets where the individuals to whom the data relates could have no, or only a low, reasonable expectation of privacy.”.
This is a probing amendment regarding the scope of “low or no reasonable expectation of privacy”.
Amendment 10, page 5, line 7, leave out “any dataset that falls” and insert “all datasets that fall”.
This amendment would clarify that all the datasets covered by a category authorisation must be “low or no privacy” and not just some of them.
Amendment 11, page 11, line 2, at end insert—
“226DZA Notification and review of bulk personal datasets retained under category authorisations
(1) This section applies where a category authorisation has been approved by a Judicial Commissioner under section 226BB.
(2) The head of an intelligence service, or a person acting on their behalf, must notify the Judicial Commissioner within 28 days of a bulk personal dataset being retained or retained and examined under the category authorisation.
(3) The notification under subsection (2) must include a description of the dataset and the data it includes, the purpose for which it is being used and the number of individuals whose data is contained in the dataset.
(4) The Judicial Commissioner, on reviewing any notifications received under subsection (2), must cancel the category authorisation if the Commissioner considers that section 226A no longer applies to any dataset that falls within the category of datasets described in the authorisation.
(5) The Judicial Commissioner, on reviewing any notifications received under subsection (2), must cancel the relevant individual authorisation if the Commissioner considers that the condition in section 226B(4) is not met in relation to that bulk personal dataset.”
This amendment would provide for ex-post facto judicial oversight of the use of category authorisations, including the conditions for individual authorisations made under them.
Amendment 13, in clause 12, page 34, leave out lines 5 and 6 and insert—
“(e) where the communications data has been made publicly or commercially available by the telecommunications operator or postal operator”.
This amendment would align the new provisions with existing Communication Data Codes of Practice.
Amendment 12, page 34, leave out lines 5 and 6.
This amendment would remove one of the example cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
Government amendments 3 to 6.
Amendment 14, page 36, line 2, leave out clause 15.
Amendment 15, to clause 15, page 36, line 35, at end insert—
“(c) the Investigatory Powers Commissioner agrees with the judgment of the officer made in accordance with paragraph (b)”.
This amendment would ensure that all use of new powers in relation to Internet Connection Records was subject to oversight by the Investigatory Powers Commissioner.
Amendment 16, page 38, line 11, leave out clause 18.
Amendment 17, page 44, line 39, leave out clause 21.
Amendment 18, in clause 21, page 45, line 3, at the beginning insert “Subject to subsection (1A),”.
This amendment is consequential on amendment 19.
Amendment 19, page 45, line 6, at end insert—
“(1A) The Secretary of State may not give a relevant operator a notice under this section unless the notice has been approved by a Judicial Commissioner.
(1B) In deciding whether to approve a notice under this section, a Judicial Commissioner must review the conclusions of the Secretary of State as to the matters referred to in subsections (5) and (6)”.
This amendment would introduce judicial oversight of new powers to issue communications providers with notices requiring them to notify the Secretary of State of relevant changes to the service.
Amendment 25, page 47, line 28, leave out clause 22.
This amendment is consequential on NC4.
Amendment 20, in clause 22, page 48, line 13, leave out
“has the necessary operational awareness to decide whether”
and insert
“is either required in their routine duties to issue warrants under section 19 or section 102 or has the necessary operational experience”.
This amendment would permit the Prime Minister to nominate a Secretary of State to act for the Prime Minister under this section if they are required in their routine duties to issue warrants under section 19 or section 102 of the Investigatory Powers Act 2016 or if they have the necessary operational experience.
Amendment 21, page 48, line 14, at end insert—
“(2DA) The Prime Minister must be notified of the individual’s decision as soon as it is reasonably practicable to do so.”.
This amendment would require the Prime Minister to be notified of the decision of the designated Secretary of State as soon as is reasonably practicable.
Amendment 27, page 48, line 21, at end insert—
“(2G) The Prime Minister may not give approval under this section unless it has been authorised by a judge of the Supreme Court.”.
This amendment would require the authorisation of a judge of the Supreme Court before the Prime Minister could approve the interception of the communications of a Member of Parliament.
Amendment 26, page 48, line 22, leave out clause 23.
This amendment is consequential on NC4.
Amendment 22, in clause 23, page 49, line 13, leave out
“has the necessary operational awareness to decide whether”
and insert
“is required in their routine duties to issue warrants under section 19 or section 102 or has the necessary operational experience”.
This amendment would permit the Prime Minister to nominate a Secretary of State to act for the Prime Minister under this section if they are required in their routine duties to issue warrants under section 19 or section 102 of the Investigatory Powers Act 2016 or if they have the necessary operational experience.
Amendment 23, page 49, line 14, at end insert—
“(7DA) The Prime Minister must be notified of the individual’s decision as soon as it is reasonably practicable to do so.”.
This amendment would require the Prime Minister to be notified of the decision of the designated Secretary of State as soon as is reasonably practicable.
Amendment 28, page 49, line 18, at end insert—
“(7F) The Prime Minister may not give approval under this section unless it has been authorised by a judge of the Supreme Court.”.
This amendment would require the authorisation of a judge of the Supreme Court before the Prime Minister could approve the obtaining of communications intended for, or private information belonging to, a Member of Parliament.
It is a privilege to open debate on Report of this important Bill. At the outset, it is worth reiterating that Labour supports the Bill, which updates aspects of the Investigatory Powers Act 2016. That is because it is imperative that legal frameworks are updated to ensure that our police and security services keep up with changes to communications technology. Doing so ensures that they are always one step ahead of criminals and malign forces who seek to harm us and undermine our national security.
I hope the Minister, and all Members who were present in Committee, agree with me that we had a constructive debate, testing the Bill’s proportionality and robustness. Some matters relating to third-party bulk personal datasets and the oversight process for the addition of new BPDs to existing category authorisations have been largely resolved to the satisfaction of Labour Members, but other important matters still need to be addressed. I will speak first about the new clauses and amendments that stand in my name, before dealing with some of those tabled by other Members.
New clause 1 seeks to ensure that the Secretary of State publishes an annual report on the engagement between the Prime Minister and the Intelligence and Security Committee regarding the investigatory powers regime. A very similar amendment was tabled in Committee, but was withdrawn after a lengthy debate on the ISC oversight arrangements did not make any meaningful progress despite helpful contributions from my right hon. Friend the Member for North Durham (Mr Jones) and the right hon. Member for South Holland and The Deepings (Sir John Hayes). We tabled this new clause because the Government must recognise that the ISC has a vital role to play in the democratic oversight of some of the most powerful measures that the state has at its disposal to keep us safe, to intercept communications and to interfere with equipment.
The ISC is and should be the only Committee of Parliament that can appropriately hold a Prime Minister to account on investigatory powers. There must be accountability at the highest level, and the Prime Minister is no exception. However, many Members, not least members of the ISC, know that this important mechanism is not just broken but has stopped working altogether. Not since 2014 has a Prime Minister appeared before the Committee, but, when asked about successive Prime Ministers’ lack of appearance, the Minister said that such decisions were above his pay grade. That might well be true, at least for now, so if the Minister cannot commit himself to reinstating the convention of Prime Ministers’ appearing before the Committee, the new clause would, at the very minimum, ensure that this new convention of non-attendance is reviewed annually, and scrutinised by this House and the other place. I therefore give notice of our intention to push the new clause to a vote.
Does my hon. Friend agree that it is not above the Minister’s pay grade to be able to confirm that the conventions and arrangements that give the ISC a particular constitutional place in the way our system works ought to operate, even if they have not done so for the last 10 years? Does he, like me, look forward to being able to hear the Minister—rather than dismissing this important concern about the dereliction of a constitutional duty—give us an assurance that this will be the case in the future?
My hon. Friend has made an important point, and one with which I suspect the overwhelming majority of Members would agree.
I was the Minister who took through the House the Bill that created the ISC. At the time, the intention was that it would evolve to become a very powerful Committee, but it did not absolve the entire House from some responsibility. Two elements are involved here. One has just been mentioned by the hon. Gentleman—the Prime Minister’s appearance before the Committee—and the other is minimal redaction of the reports that the Committee creates. One of the problems we have encountered in recent years is excessive redaction of those reports. Has the hon. Gentleman any views on that?
The right hon. Gentleman has made two important points, both of which I agree with, about redaction and about the attendance of the Prime Minister. I do not think it unreasonable to expect that once a year the Prime Minister should seek to meet what is a very important cross-party Committee of this House. I should be happy to give way to the Minister should he wish to add his own views on this matter, but given the basis of my sense of where the House is and given previous debates, I think most Members will agree that it is not unreasonable to ask the Prime Minister to turn up once a year.
The hon. Gentleman’s point is made more potent by the fact that the matters the ISC considers are not typically—in fact, not at all—partisan. It operates on a non-partisan basis, although of course its members are drawn from both sides of the House, and the material that it studies is not seen through a party-political prism in any way; this Minister has engaged in sensible and meaningful discussion with members of the ISC in exactly that spirit during the passage of this legislation. Similarly, a meeting with the Prime Minister would be conducted in a way to which I think no Prime Minister could reasonably object .
The right hon. Gentleman speaks about these matters with a great deal of authority, not just as a member of the Committee but as a former Security Minister, and I think he has described the situation very well. I hope the Prime Minister is listening; I hope the Prime Minister accepts what I consider to be the reasonable and constructive invitation that has just been extended to him by the right hon. Gentleman; and I hope the Prime Minister does take the opportunity in the near future to sit down with the ISC and discuss what are, after all, very important matters.
New clause 2 would ensure that an annual report was published on measures in the Bill, and in the Investigatory Powers Act 2016, to defeat and disrupt technology-enabled serious organised crime and technology-enabled threats to our national security. We tabled the new clause because we must ensure that the law is always one step ahead of those who seek to harm us. The police and the security services are not best able to protect us today with the laws to counter the threats of yesterday, which is why we support this Bill to update the 2016 Act, which is now eight years old, but there is an opportunity to go further. The annual report proposed in the new clause would help to ensure that any changes required to primary legislation relating to investigatory powers were identified and implemented as quickly as possible. That would strengthen our legislative framework on national security, and weaken the capability and resolve of criminals and our adversaries.
I think that this is a genuine opportunity for the Government to work better with, and to constructively challenge, telecommunications operators and the wider communications technology industry on the requirements to use investigatory powers—a process that would be separate from the new notices regime included in part 4. A statutory requirement to produce an annual report on investigatory powers to counter threats to our security and safety would strengthen national security, as well as strengthening the oversight and safeguarding of measures to keep us safe. Those are two principles that guide this Bill and the 2016 Act, and that is why we will seek to push the new clause to a vote later this evening.
I hope that this evening will end with a measure of agreement. On the subject of the tech companies, I understand from information I have received that Apple, techUK, the Information Technology Industry Council and the Computer & Communications Industry Association have expressed concerns. Is the shadow Minister aware of their concerns and what this means for their ability to administrate and do their work, and does he agree that what we have tonight is a consensus that protects not just them but ordinary members of society?
I know that the hon. Member takes these matters incredibly seriously, and he has raised an important point. To be absolutely fair to the Minister and to his Department, I know that this is a matter that the Government have considered very carefully, and that there has been an extensive process of consultation with a range of tech companies—I have met a number of them myself—but I think it only fair to conclude that while of course there are important contributions to be made by tech companies to this debate, these are ultimately matters for the Government and the House to determine. Having said that, new clause 2 would provide a helpful and constructive mechanism for the Government, and we have tabled it in a genuine attempt to be helpful and to monitor very closely the significant challenges that our national security faces from serious and organised crime as a consequence of rapid developments in technology.
I thank the hon. Gentleman for the spirit in which he has addressed this issue, and he deserves a proper response. There is a valid concern that this is a process of engagement with tech companies, and there needs to be a partnership. I will be frank with him: I do not support new clause 2, for the very simple reason that the way in which this interaction takes place has evolved a lot, even in the two years that I have been in post. I suspect that during the four or five years that this House will supervise the Bill, under the next Government and in the five years beyond that, the interaction will evolve again.
What concerns me is that we could write into law a system of oversight and regulation that does not properly address the way in which tech companies are involved in this area. Therefore, the best answer is to have a more iterative process, which I have no doubt the fantastic civil servants with whom I have the privilege to work will adapt. Whoever takes over from me in 20 or 30 years’ time will no doubt want to iterate that as well.
I am grateful to the Minister for clarification on the response to new clause 2. He understands that we have tabled it because we genuinely think that it is a mechanism that—let us be honest about it—would not be particularly onerous for the Government, and would be helpful in focusing minds across Government. I completely agree with the point he made about his civil servants, who have been excellent throughout the passage of the Bill. We just happen to differ on this issue, because the Opposition think that the new clause would provide a useful forum for the Government to consider the challenges. He is absolutely right about the rapid evolution of technology, and we think it would be no bad thing to condense Government thinking into a report that would be issued on an annual basis.
I thank the hon. Gentleman for giving way again. May I address the iterative issue that the Minister and he both raised? It is not just the development of technology that is important here; it is also about the development of other countries’ security systems. For example, the Germans are putting in place laws that require end-to-end encryption—the very thing that we were worried about—so we will have to manoeuvre over the course of the coming years to make sure that what we do fits not just with the technology companies, but with what our allies are doing.
That is a very important point, and I completely agree. These are complex and difficult matters of public policy, and I completely understand that none of this is easy from the Minister’s perspective. However, if the right hon. Gentleman does not mind my saying so, his point strengthens the case for new clause 2, because we think it would provide a useful mechanism for the Government to track the development of these important matters, but also provide a mechanism for Members of this House to hold the Government to account on them. I am very grateful for the points he has made.
Before turning to amendment 24 on BPDs, which stands in my name, I would be very grateful if the Minister could say whether any progress has been made on arrangements to notify the Investigatory Powers Commissioner when adding new BPDs to existing category authorisations. It might not be in the Bill, but we think that even a reference to it in the IPC’s annual inspection would be helpful progress on this matter. The Minister, my right hon. Friend the Member for North Durham and I have discussed that, and I would be grateful if the Minister could said something about it.
I acknowledge the amendments on BPDs that were tabled by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald). Both of our parties have concerns about the definition of “low or no expectation of privacy” for BPDs, which we debated in a pretty constructive fashion on Second Reading and in Committee. However, Labour does not oppose the concept of “low or no expectation of privacy” for BPDs, which is why we will not support amendment 7, which was tabled by the SNP spokesman. Instead, amendment 24, which stands in my name, seeks further clarification on how “low or no expectation of privacy” will be applied to BPDs, with the aim that the parameters must be as clear as possible for the House to understand.
In Committee, the Minister used the Panama papers as an example of leaked and widely republished material being defined as a BPD with a low or no expectation of privacy. I understand why the Minister chose to use that example, but most other leaked documents containing personal information do not attract anywhere near the same level of media attention. Again, I would be grateful if the Minister took this opportunity to provide another example of information from a leak without widescale press coverage that would be suitable for the designation of a bulk personal data set with a low or no expectation of privacy.
As always, the hon. Gentleman is quite right to highlight the areas I touched on. The important thing about the Panama papers was that they changed. They would have enjoyed a high level of privacy, but with republication they became “low/no”. It would not be right to say that any leaked document enjoys “low/no”, but the law should reflect the reality of the data that is currently being held. When data goes from being secret to being effectively public, it would be absurd to hold the intelligence services to a different standard from that which would apply to any of us, who would be able to access it on a website.
That is a very useful clarification, and I thank the Minister for it.
I accept what the Minister has just said, but where is the threshold for publicity? As he said, the Panama papers were widely distributed in the public domain, but somebody’s Facebook feed might be put into the public domain. If it gets into the national newspapers and on the internet, or it is shared by a certain number of people, do we then determine that it is in the public domain? We need to be very careful about this.
My right hon. Friend is undoubtedly right: we do need to be very careful. In the end, the Government have to take a view about where they draw the line. These are very difficult decisions that have to be made. We had really useful and constructive debates in Committee about where the line should be drawn, but the issue will no doubt continue to be debated in the future.
Before I draw my remarks to a close, I will briefly speak to other amendments on the Order Paper, including those tabled by my right hon. Friend the Member for North Durham, other members of the ISC, and the right hon. Member for Haltemprice and Howden (Sir David Davis). We support amendment 23, which stands in the name of my right hon. Friend the Member for North Durham. It is very similar to the amendments we proposed in Committee regarding the Prime Minister’s delegation to a Secretary of State to issue a warrant to interfere with equipment relating to a Member. The amendment sets out that the Prime Minister must be informed of a decision taken by a designated Secretary of State on their behalf as soon as the circumstances that prevented the Prime Minister from approving a warrant in the first place have passed.
We believe that the Prime Minister’s overall involvement in those warrants must be retained, even if it is retrospective in designated cases, so it was a positive step that the Minister said he would look into including such a provision in the statutory guidance, in response to the very sensible points made by the right hon. Member for South Holland and The Deepings. However, we believe this does not go far enough, when this important notification arrangement should be on the face of the Bill.
This House should consider as many scenarios as possible when it comes to arrangements for prime ministerial power delegation on investigatory powers, even if scenarios of Cabinet members desperately trying to undermine the Prime Minister by any means possible perhaps belong more appropriately in “House of Cards” or “The Thick of It”. [Interruption.] I am sure that Conservative Members would have no idea about those kinds of activities; I am happy to take their word for that. But these are important matters, and we must seek to legislate carefully. The amendments tabled by the ISC are thoughtful and constructive, and I hope that, even at this late stage, the Government will consider accepting them.
I start from the perspective that we are highly likely to regret some elements of this Bill within the next 10 years, and I will come back to that in a moment. I will also start by commending the Minister for Security, my right hon. Friend the Member for Tonbridge and Malling (Tom Tugendhat), for his approach. It has not always been like this. The real precursor of this Bill was the Data Retention and Investigatory Powers Act 2014, all stages of which was taken in one day because the Government of the day claimed it as an emergency, even though they had spent three months thinking about it and even though they took nine months to implement it afterwards, such was the emergency. As a result, I challenged it in the High Court, and it was struck down. The Investigatory Powers Act 2016, which this Bill amends, was in effect the replacement for that. It was not a terrific improvement, but it was an improvement. As I say, the Minister’s approach to this Bill has been much more democratic, much more open and much more valuable.
I said that we are not going to be partisan in this debate, and the shadow Minister started in that vein, but my right hon. Friend has been highly contentious about the Bill that I took through the House. Bear in mind that it had pre-legislative scrutiny with a Committee of both Houses, it had at least three reports in advance of being considered by this House, and it was debated in this House at length, in the same spirit that I mentioned earlier, and many amendments were tabled, many of which were accepted by the Government. I have described the pretty full consideration and scrutiny that it received, which is why it is such an essential piece of legislation, as the Minister will confirm, and is used by the security services and the police every day.
I will not go over it again, but the High Court and the Court of Appeal came to a different view from that of my right hon. Friend, I am afraid, and that is why the legislation was struck down.
Some of the elements of this Bill are not very wise. The Opposition have agreed that the pre-notification of tech companies will act to drive business away from our shores. That is, as I said earlier, the opposite of what the German Government are doing, and we are going to have to modify our approach to deal with some of our allies along the way.
I also have serious concerns about the bulk collection of data, which the Scottish National party has tabled an amendment on. I think it was Stalin who once said that, at a certain point, quantity has a quality all of its own. That is certainly true of information technology and bulk data. It was interesting to listen to the earlier brief debate on so-called “no expectation” and “low expectation of privacy”, by the way. Those are completely different things. They sound similar but they are completely different, as will become clear, I suspect, when the SNP spokesperson speaks to that amendment. Even today, “low expectation of privacy” data can tell a Government with quite primitive software vast amounts about our lives and about what we are doing every minute of every day, but with artificial intelligence that is going to be multiplied many times and become much more powerful than before.
To give colleagues a feel for how this might work, let us look back to the covid period, which in some senses was almost Orwellian. The Government had three different disinformation units of various sorts that looked at everybody’s comments. If someone commented on flaws in the modelling of the virus, questioned where the virus came from or quite properly stated that the vaccine did not stop transmission—it stopped deaths, but it did not stop transmission—this would lead to all their low or zero expectation of privacy documentation and all their online stuff being monitored by the Government. A number of Members of this House were monitored on that basis—in my view, entirely wrongly. That was all within the law as it stood then, so it was not massively important, but it nevertheless demonstrates the mindset of Whitehall when dealing with these things.
Today, however, nine out of 10 of us—if not more—carry a smartphone. That makes it easy to access our shopping habits, our purchase history, our bank records, our automatic number plate recognition records, and on and on and on. Do we really want the agencies of Government to be able to peer into all that data? It belongs to people who are, remember, entirely innocent of any crime. Our entire approach to law and order in this country has been to focus on people against whom there is a reasonable expectation or a reasonable suspicion, not to monitor everybody. It seems to me that this intrusive surveillance is a dangerous route to take and, as I say, I think we might regret it within 10 years, because the power of artificial intelligence will make this bulk data much more informative than we are conscious of today. I worry about it. I did not put an amendment down on it because others have done so, but it is something that we must concern ourselves with in the longer run.
One of my two principal concerns today is how the Bill relates to the expansion of powers around the surveillance of Members of this House. Until 2015, it was widely understood that the Wilson doctrine protected MPs’ communications from interception. This protection was repeated in unequivocal terms by successive Prime Ministers—even Tony Blair, who is not someone with a great reputation for worrying about Members’ civil liberties. Despite clear and unambiguous statements that MPs and peers would not be placed under surveillance, the Investigatory Powers Tribunal held in 2015 that the doctrine had been unilaterally rescinded by the Government.
In an attempt to ease concerns, the Investigatory Powers Act 2016 created a regime—the one we have now—whereby a Secretary of State must first secure the approval of the Prime Minister and a judicial commissioner before authorising the interception of an MP’s communications. Frankly, I have served under nine Prime Ministers as a Member of Parliament, and I cannot say I am happy that all of them would have taken a very responsible approach to exercising this power. This is an almost judicial power that is given to a person whom it is our job to challenge and hold to account every day.
The Bill seeks to expand the list of people who can sign off on the surveillance of MPs way beyond that, from the Prime Minister to effectively five Secretaries of State. There was a long argument in the Lords and in Committee about introducing words such as “unable” or “unavailable.” I think they had in mind that Boris Johnson was sick and laid up for a month or so and perhaps could not act in that capacity. Even by that logic, we do not need five Secretaries of State to be able to deputise, unless we are imagining a mass-casualty event in the Cabinet. Frankly, this seems far more like a precursor to a general loosening of the policy than a serious and sensible protection of the ability to sign this off. I worry about that, and I do not like it at all.
I do not like the idea of the surveillance of MPs except under incredibly strict circumstances. I am not casually asking for MPs to be somehow above the law, not at all. This protection is vital to safeguarding what we do. We are here to hold the Government to account, not the other way round. The relationship between constituents and their elected representatives is sacrosanct. It is the bedrock upon which our representative democracy stands, and constituents expect that, as they should. But it is not just constituents who rely on the sanctity of their communications with Members.
It is truer and more obvious today than at almost any time in my 30-odd years in this House that, in doing our job, we deal with campaigners—think of the sub-postmasters—journalists, whistleblowers, victims of injustice who may be terrified of being identified and, of course, other Members of Parliament, and that is just a few. They all trust us to keep what they tell us absolutely rock solid, private and confidential.
This Bill will do nothing but further undermine people’s trust in bringing serious matters to our attention. The Horizon scandal, Mid Staffs, sweetheart tax deals with large companies, the mistreatment of prisoners by the British Army, involvement in rendition and torture, and dishonest briefings for immoral wars—every single one of them was brought to our attention by a whistleblower who, in many cases, faced criminal prosecution if they were discovered. Are people likely to continue blowing the whistle with a loosening of the Wilson doctrine? I do not think so.
If I had my way, I would amend the Investigatory Powers Act to prevent communications to and from Members of Parliament from being intercepted at all. At the very least, I would change this proposal to require that the Prime Minister secures the approval of a Supreme Court judge before signing off on any warrant permitting the interception of a Member’s communications. That would take the process completely outside the normal approach under which the Investigatory Powers Tribunal and all the machinery around it routinely says yes to requests, day in and day out. Calling for, allowing or permitting the interception of the communications of a Member of this House or the other place ought to be something clearly extraordinary in the life of a Prime Minister. A Supreme Court judge is far more likely also to have the authority required to face down poorly justified demands, which has not always happened in the past. The Executive should not wield the power to order the surveillance of Members of this House at their sole discretion. The very senior judiciary should provide a vital check on that power.
First, let me put on record the apologies of the right hon. Member for New Forest East (Sir Julian Lewis), who chairs the Intelligence and Security Committee. Unfortunately, he is attending Lord Cormack’s funeral, and I thought it was important to put the reason why he is not here on the record.
First, let me refer to new clause 1, which stands in the name of my hon. Friend the Member for Barnsley Central (Dan Jarvis), and say that it is disappointing that we have to have this debate. I am the longest serving member of the ISC, having been on it for nearly eight years. It is a serious Committee; its members take its work seriously and work collegiately. We work on the basis that we support the work of our security services, recognising the difficult job they sometimes have and the dangerous work they do, but that we are also there to provide scrutiny and oversight. If anyone cares to look at our reports over the years, they will see that they are not only thorough, but forensic in their approach. So it is disappointing that the current Government and the previous few have downplayed the Committee’s role.
On Second Reading, I referred to the scrutiny of our intelligence services being a bit like a three-legged stool, as we have the Investigatory Powers Commissioner, the tribunal and the ISC. Together, we should be an effective mechanism to reassure the public that there is oversight of our security services. This is important because the work they do cannot be discussed in open session, and that mechanism gives the confidence that in a parliamentary democracy, where we take freedom of speech and democracy seriously, we have that oversight. The problem with the Government is that, for whatever reason, they have set out their course to undermine our work—I put that on the record.
The new clause will say that the Prime Minister should attend our meetings. It should not be necessary to include such a provision—I believe you served on the ISC at one stage, Madam Deputy Speaker, and so you understand the work we do—but we have a situation where it seems this is seen as not important. The only one in recent times who offered a meeting was the right hon. Member for South West Norfolk (Elizabeth Truss), but that was because she was looking for friends in the last dying days of her Administration, so I do not think it counts. Again, I do not understand the reason behind this. The walls on the way into our office have various photographs of the Committee—you are on one of them, Madam Deputy Speaker—with various Prime Ministers of the day. But this is not about that; it is about the Prime Minister of the day knowing exactly what we are doing and our being able to raise things directly in our secure setting, which we do. That is important, but there is also a wider point to be made about how we scrutinise our security services and give the public that opportunity.
The amendments I have tabled also stand in the names of five other members of the Committee, and we support this Bill. Will we be back in a few years’ time with another Bill? Yes, we will, because, as was said by my hon. Friend the Member for Barnsley Central, technology is changing very fast and we will have to react to it. When the original Bill was taken through by the right hon. Member for South Holland and The Deepings (Sir John Hayes), he recognised that it would not be set in tablets of stone and that this new Bill would be required. The right hon. Member for Haltemprice and Howden (Sir David Davis) is right to say that AI will set some other tests that we have not perhaps thought about yet and those might have to be covered by future legislation. Are we reactive as a Parliament? We always are reactive, but this Bill is important because it will give our security services the abilities to react to the ever-changing world that we face.
I wish to refer to two pairs of amendments that relate to clauses 22 and 23, which go to the issue associated with the triple lock and the authorisations—
Before the right hon. Gentleman moves on, I wish to pick up on his point about the need for continually keeping up with the changing technology. One thing that was expected when the ISC was created was that it would become, if not quite a grandees Committee, a Committee of people who knew exactly what they were doing and took very seriously the issues before them, including the confidentiality of what they do. At least one of the Chairmen of the ISC has complained in the past about the level of redaction of ISC reports. That matters in the context of keeping up with the times because the only way the House of Commons has of understanding the ISC’s opinions is by reading its reports, and if Members are reading a lot of blank or black lines, they will not learn very much.
I understand the right hon. Gentleman’s frustration, but, as Madam Deputy Speaker knows, there are good reasons for those redactions. The Committee does not just agree to everything being redacted; a thorough process takes place and we have some long arguments with the agencies. I would not want anyone to go away thinking that the members of the ISC are a pushover on redacting information. A lot of attention was given to why certain things were redacted from the Russia report. I am comfortable in the knowledge that the things redacted in that report could not have been put in the public domain. The main reason for this is not to save embarrassment for government or any of the individuals; it is about the ability to protect the tradecraft of our services. If we did put certain things in the public domain, our adversaries who want to do us harm would be able to work certain things out. I assure the House that we push back hard and some redactions that have been put forward over the years have been silly, as other ISC members in the Chamber tonight will recognise.
Let me get back to the issue about the triple lock, which is important. The issue is sensitive because it relates to intrusion into the communications of Members of this House and of devolved Administrations. We are talking about what is commonly known as the Wilson doctrine, but, it is like a lot of things in this age; it was announced in 1966, when it was about telecommunications and picking phones up, but we are in a different world now, as the right hon. Member for Haltemprice and Howden said. We now have smartphones, and God knows what is going to be invented in the next few years in terms of how we communicate. As with a lot of things, the convention was thought to be the way forward, but clearly in 2015 it was found that the devolved Administrations were not covered by it and neither were MEPs. The Investigatory Powers Tribunal found that it had no legal enforcement at all, so it was credit to the right hon. Member for South Holland and The Deepings and the Investigatory Powers Act 2016 that a formal process was put in place for it—that is important.
Currently, the 2016 Act has three layers of safeguards: the Secretary of State who asks for the warrant; a judicial commissioner who examines the communication that is the target of interception and the type of equipment involved, if it relates to a member of a relevant legislature; and, thirdly, the Prime Minister, who, as the final stop, has to agree this.
The Bill will allow the Prime Minister to designate “up to five” Secretaries of State who can approve the warrants in the event that he or she is unable to be available. As has been raised, the obvious example was when Boris Johnson was incapacitated through covid. When we think about the issue, this measure makes sense. The ISC recognised other unique situations when a Prime Minister may not be available, for example if they were abroad and secure communications were not possible. The ISC was keen that the circumstances needed to be exceptional, but we accept that there is a need for the requirement.
I very much hope the right hon. Gentleman has brought Lord West’s smelling salts with him, because I would like to clarify the concession that Lord West got in the Lords here in the Commons. I can happily commit to strengthening the language on notification requirements in the code of practice, when it is formally brought forward in due course, to require that the Prime Minister “will” be notified of any decisions under the alternative process, rather than “should” be.
I welcome that, but can I hear it again and pin the Minister down a little more? I am sure it is a massive victory, but is he giving a solemn pledge to the House that the code of practice will remove the word “should” and insert the word “will”? Is that what he is agreeing to?
Victory at last—there is such power in changing one word. The Minister has given a solemn undertaking on the Floor of the House that the code of practice will change the word “should” to “will”. A small victory for the ISC, but I am sure my colleagues will take it in the spirit in which it is offered. I say to the Minister gently that we could have agreed that the other day when we met, but no doubt the issue that we will be voting on tonight was concentrating his mind.
With that great victory under my belt and those of the members of the ISC, I turn to other amendments. New clause 3, in the name of the right hon. Member for Haltemprice and Howden, deals with
“cruel, inhuman or degrading treatment”.
I understand why he has proposed the new clause. It is always worthwhile debating the issues, which run through the entire Bill. Am I assured that there are processes in place that protect our civil liberties? Yes, I am. However, there are occasions when things can go wrong or people ignore them. I think they have been strengthened greatly, but the right hon. Gentleman refers to an important point. I was on the Committee in 2017 when we did the inquiry into detention and rendition. That took a long time, but it was a good report given where it got to. It unearthed things that were not pleasant but had been done in our names as a democracy.
One conclusion the Committee came to was that in its view the UK tolerated actions and took others that were regarded as inexcusable. Well, they were inexcusable, because as the report outlined, we passed on information to allies who then used it. I think things have changed, and to give Members an example of how the ISC can improve things, we called for a review of the consolidated guidance surrounding the way that security operatives should operate regarding issues of rendition or torture. That led to the Fulford principles, which I think have moved on and tightened up the rules and guidance for members of our security services. That was a big movement forward.
I do not think the right hon. Member for Haltemprice and Howden will push the new clause to a vote, but it reinforces the point that if we have a situation whereby, again, we get information that is passed to one of our allies, we must ensure that those principles are upheld. Am I confident that they are upheld now? I think I am, but how did we get to that pretty damning report in 2017? We got there because those principles and the guidance in place were not followed. We must be vigilant about that, and over the years the right hon. Gentleman has done not only this House but the country a service through his tenacity on these subjects.
I will not press new clause 3 to a vote, but I tabled it because in 2010-11 David Cameron, the then Prime Minister, made a promise that there would be a review and that the issue would be investigated properly, but that never happened. The implicit undertaking was that we would not do it again, and we did it again—over and over again. That is why at some point we needed to put our foot down. The problem is that whenever we put our foot down and make an absolute requirement, somebody says, for example “What about the Russians, with the terrorist attack in the last few days?” I am afraid there comes a point where we say, “We are not going to provide information if you torture people.” If we are clear about that, it helps the country and probably also helps the international battle with terrorism.
I agree totally with the right hon. Gentleman, and I think that is where we are as a Government. Certainly those are the Fulford principles—that we do not share information. Again, some of the people who perhaps do not understand what our security services do, and those who want to malign their great work on our behalf sometimes say, “They are doing x, y and z.” Well as I know from seeing some examples, there are occasions where we deliberately do not pass on information to our allies because of the fear that the right hon. Gentleman set out. The detention and rendition report raised that issue, and the Fulford principles now give us strong guidance. Those principles have been put into being and sewn into the DNA of all new officers. As a result of a huge training programme, not just for existing officers but for new entrants into the service, officers now see that as an important part of their work. That is how it must be done, but it is always important to have this debate.
Again I do not intend to press the matter, but if the ISC discusses this issue in the future, I point the right hon. Gentleman to the German model. They look at something and do not always release information if it is operationally sensitive.
I agree, but that then places an unnecessary burden on the system. The current process with the Secretary of State, the judicial commissioner and the Prime Minister is robust enough to ensure that people are not doing this to find out what someone ordered on Amazon Prime this weekend or to look at their Tesco account, so I think those assurances are fine.
New clause 4 would
“remove the ability of the Secretary of State to authorise the interception of the communications of, or the obtaining of communications intended for, or private information belonging to, Members of Parliament.”
Again, it is good to have this debate, but I would support such a measure for the reasons I have outlined.
The other change in the Bill concerns bulk data. The right hon. Member for South Holland and The Deepings covered the original investigatory powers in detail, but there are now big data sets held not only by public authorities but by others, and that has made it more important that our security services are able to access them. Whenever we do this, however, it means more intrusion, so let me deal with the issue of oversight in the Bill, and with the broader, more intrusive powers to obtain internet connection records for the discovery of targets.
Again, that is something that I and other ISC members totally support, but the authorisation process is internal. One stance that the ISC has taken throughout all this is that if we are to give more powers to our security services, there must be a balance. There will not be a situation whereby what people have seen can be identified, but this power will drag in a lot of people who, as the right hon. Gentleman said earlier, are completely innocent. As I said, there is a need for such a power, but we thought there should be more oversight from the Investigatory Powers Commissioner. Therefore, the points I made about amendment 15 are important.
The Investigatory Powers Commissioner’s Office does a great job of ensuring public support for what we do, but, again, there is an issue around bulk datasets. Some of the examples that were given to ISC members—thanks must go to the Minister, who arranged a meeting for the Committee to be briefed on this—make sense when it comes to the issue of low or no reasonable expectation of privacy. It is burdensome, for example, to access the electoral register, but today the Government have said that somehow that is a secret document. Well, that is not the case under this Bill, in which case it is important that the security services should be able to use it, rather than having to go through the warrantry process. That goes to the point, which my hon. Friend the Member for Barnsley Central raised earlier on, about the definition of “low expectation”.
Another perfectly legitimate reason that the security services need these measures is related to testing new AI models of learning. They need access to these new big datasets, which are out there and which companies use, and the Bill will allow them to have it without going through the warrantry system. If intelligence is going to be on the front foot when it comes to AI, we will have to have these big datasets that will teach the systems how to do it.
The problem comes back my hon. Friend’s question of what is deemed a low or no reasonable expectation of privacy. That is something we have considered throughout this process. One thing the ISC has considered is adding to the existing categories. One suggestion we put forward was that, when the agencies do this, they should have to email the Investigatory Powers Commissioner to notify them that they have done it.
I hope the Minister is not going to intervene again. My legs might get wobbly if I have to sit down again. I might even need some smelling salts. He has explained the internal system, which I am quite satisfied with, but as I said to him and his civil servants—I think other members of the ISC have also said this—it is not us that he has to convince, but the public.
I thank the right hon. Member for giving way. I just want to assure him that I have taken on board his points. I went back to the agencies and assured myself of the challenge that he had raised and found what I think is a better answer than the one we looked at when we were chatting. I wrote to Sir Brian Leveson and I am delighted to say that he responded, confirming that he will pay specific oversight to this regime in the early years until he is content that it operates in the way that the ISC, the Government and the British public would expect. IPCO has taken on this responsibility, which, I think, answers the question more succinctly than it would be if it were included in the Bill.
May I just get some clarity? That is a perfectly legitimate way of doing it, and it will mean not interfering with the existing system, which was the concern of both the services and the Minister. I understand that this not as simple as an email being sent. Will that mean that there will be a section looking at this issue in the first annual report? If that is the case, we could at least say to the public that it is actually being considered and the promise is being followed up.
The right hon. Member will understand that IPCO is operationally independent, so I will not instruct the office or speak for Sir Brian, who has been unbelievably rapid and helpful in his response today. I am sure that he will have heard the comments that the right hon. Member made and, no doubt, will want to draw attention to any areas where he has any doubts at all.
I note the right hon. Gentleman’s proper consideration of the balance between privacy and security, which lies at the heart of the Bill, but I also recognise the Minister’s concern that we must not make the process too unwieldy and bureaucratic. I wonder whether the right hon. Gentleman might invite the Minister to commit to a regular report going to IPCO as authorisations are made. That might be monthly, but it would at least mean that there was some iterative process of a kind that might reassure the right hon. Gentleman, me and others about that balance.
I understand where the right hon. Gentleman is coming from. Our original idea about having an email was explained when I met the Minister and his civil servants. I think that that would really cut across some of the processes that we have in place. The suggestion that has been made would be one way of doing it, but IPCO already has the powers to look at such things. The only problem with doing that is that we would then have to set up someone in the agencies to produce another report. I do not want to do anything that holds up their work, and I think that that might do it.
Possibly the Minister’s suggestion of how Sir Brian Leveson is going to do it will give the public some reassurance. Let us not forget that Sir Brian has the power to take action if things are not being done correctly. If we read his reports, we can see that he is not fearful of doing these things. A fair compromise has been put forward. I think we have one and a half victories so far—
Is this an example of my being more hardline than the right hon. Gentleman? It seems like it to me, but perhaps not.
I would not have thought that the right hon. Gentleman could be seen as hardline on anything, pussycat that he normally is. He portrays himself as hardline, but I know from working with him very closely on the ISC that he cares about this information. He has referred to the Investigatory Powers Act as his baby. It has grown up a little bit and is now being brought into the modern age. I should put on the record again his dedication and work as a Minister to bring in the original Act, which was groundbreaking for this country. It has stood the test of time. We know that we will be back here, so the measures will change. I have no problem with that. It is just that, as technology changes, things will change.
May I finish by thanking the members of our security services for the work that they do? I also thank them for the way that they have engaged with the ISC on the Bill. Hopefully, with the changes that have been brought forward, we can reach agreement on the Bill and our security services will have the ability to face up to the challenge that is coming forward: the ever growing use of larger datasets, and the more sophisticated way in which state actors and non-state actors have access to technology. That will enable the security services to do what we all want to do, which is to keep individual citizens and, just as importantly, our democracy safe.
It is a pleasure to follow the right hon. Member for North Durham (Mr Jones), who is a fellow member of the Intelligence and Security Committee. As he mentioned, we work collegiately, and one of the many advantages of that collegiate approach is that I do not need to repeat everything that he has just said; I need only say that I agree with him. I realise that that is a radical approach in this place, but I will not say it all again. I will simply say that I agree with him; he is absolutely right. His point is that, when it comes to the consideration of warrants to authorise the interception of, or interference with, the communications of Members of Parliament, there is huge significance to such a decision. That is the reason the Prime Minister has had to be involved in it, and it is the reason we should not widen too far the pool of deputies who, for sensible and understandable reasons, as the right hon. Member explained, we now need to provide for.
That is why I hope that the next concession that the Minister will make will relate to the pool of deputies, and that in the language the ISC suggests that he adopts we ensure that it is a controlled group, based on either current responsibilities or previous experience. I am sure that we can discuss with him any changes to the wording that he thinks are necessary, but as the right hon. Member for North Durham explained, the current provisions allow for only one restriction: that the member of the Cabinet in question should receive a briefing on how to conduct their warrantry responsibilities. We do not think that that is restrictive enough, given the significance of this decision-making process. I am grateful to the Minister for what he has already said about notification of the Prime Minister in the process. That is a sensible change, which I welcome.
It is a pleasure to follow the right hon. and learned Member for Kenilworth and Southam (Sir Jeremy Wright), and to take part in what has already been a very thoughtful debate. We also had a very constructive Committee stage, so the amendments in my name and that of my hon. Friend the Member for Midlothian (Owen Thompson) are designed first to pose some further questions to the Minister, particularly in relation to the offence of unlawfully obtaining communications data, which we discussed in Committee. Secondly, and perhaps more significantly, we again seek to remedy some of the serious concerns that we continue to have about the Bill extending powers beyond what we regard as necessary and proportionate, and the absence of sufficient judicial oversight where such judicial oversight is really required.
First, and briefly, our amendment 13 builds on the discussion in Committee about the offence created by the 2016 Act that will be amended by clause 12. We argued in Committee that the so-called example of “lawful authority” for obtaining communications data in proposed new subsection (3A)(e) of the 2016 Act was an extension of the power rather than a restatement of it. The Minister countered that he was actually seeking only to put existing codes of practice into statute. There is obviously a line of argument that codes of practice do not always necessarily comply with the law, but having gone away to look at the codes of practice it seems that there is a difference between what is currently in the codes of practice and what is currently in the Bill. The wording of amendment 13 reflects the code; the wording of proposed new paragraph (e) seems potentially broader than that. The question for the Minister is why the wording is so different, and whether he can assure us that it is not meant to be interpreted any more broadly than the existing exception in the codes of practice.
The remaining amendments set out our more fundamental concerns with the Bill. In particular, there are three areas where we question the strength of the oversight regime: in relation to bulk personal datasets, internet connection records, and Government notices to companies under clause 21. We regard advanced judicial oversight as important and reassuring not just for members of the public but for those who are exercising the powers. Clause 2 on bulk personal datasets is the first example of where we believe that oversight is being unnecessarily watered down. We are told that the system of advanced judicial authorisation is causing delays and stifling operational flexibility, but to us the answer is to fix those logjams in the oversight system, not to water that system of oversight down. The case for a lighter-touch system of category authorisations has not been made to our satisfaction. That is why we tabled amendment 7, which would take out clause 2.
At the very minimum, why not strengthen the ex post facto oversight beyond annual reviews and reports? Amendment 11 highlights one way to do that, so that the judicial commissioners are reviewing whether what is being done under category authorisations is lawful, cancelling authorisations where that is not found to be the case, and ensuring therefore that we have a clear picture of how the new powers are being used. I noted with interest what the Minister said about the role of IPCO, which we absolutely regard as helpful. However, it would be insufficient, and certainly less robust than our proposal in amendment 11.
As the hon. Gentleman set out, amendment 11 would strengthen the hand of the judicial commissioner, and I have some sympathy with that. My concern is that his proposed new subsection (4) says:
“The Judicial Commissioner, on reviewing any notifications received under subsection (2), must cancel the category authorisation if the Commissioner considers that section 226A no longer applies to any dataset that falls within the category of datasets”.
I wonder why he thinks that the wrongful inclusion of one individual dataset in the category would invalidate the category as a whole, because that seems to me to be the effect of what that part of his amendment would do.
I am grateful to the right hon. and learned Member for that intervention. He possibly makes a fair point. If I recall correctly, the wording of that proposed new subsection was borrowed from another part of the Bill. I might be wrong about that; I need to go away and have a look. I suppose the argument would simply be that if a category authorisation is to any extent being abused, it is right that the category authorisation is cancelled, and if somebody wants to come back with something similar, they can do so. However, I am not without sympathy to his point. I take it in the spirit in which it was intended, and will reflect upon it.
Let me move on from the question of oversight in relation to bulk personal datasets to the issue of “no” or “low” expectations of privacy in relation to such datasets, and how that test will operate in practice. Throughout the passage of the Bill, we have been repeatedly given some very easy examples of so-called “low/no” bulk personal datasets. For example, we have spoken about phone books, academic papers, public and official records, and other data that many people would have access to routinely. It was helpful that, in relation to what is now our amendment 9, the Minister said in Committee that Facebook posts and CCTV pictures would be considered sensitive and would not be caught by these provisions. It is very helpful to have that on the record.
None the less, it would to be useful to have greater precision in the Bill. Amendment 8 would take out reference to “low” expectations of privacy altogether, so that only “no” expectations would be covered by the new provisions. To us, “low” is such a difficult question to adjudicate—low expectations in particular. That is especially the case when we are dealing with datasets of potentially huge numbers of very different people with very different reasons for having very different expectations of privacy, particularly in how that would relate to different organisations. We cannot think of a single dataset example provided during the passage of the Bill that would not be adequately covered by “no reasonable expectation of privacy”. If that is the case, if that is really all the Bill will be used for, why not just accept the amendment? It would be useful to have an understanding of what “low” expectation of privacy is designed to cover.
Amendment 15 brings us to internet connection records. In 2016, the Government emphasised the very targeted nature of the ICR powers, but here we are being asked to incrementally expand those powers so that they are slightly less targeted. To us, that means that the independent assessment of proportionality and necessity is pivotal, so we think that it should be subject to advance judicial oversight. Even the explanatory notes accept that there are difficulties in formulating sufficiently targeted queries, noting that
“such queries are highly susceptible to imprecise construction”
and that “additional safeguards” are required.
For us, the required additional safeguard is judicial oversight. We were led to believe that the powers would be used only exceptionally, so it is hard to see how a judicial authorisation requirement would cause any significant problem. The Government argue that there may be times when warrants are needed on an emergency basis, but that could be dealt with by having emergency processes or very limited exceptions—it is not an argument against a general rule of advance judicial oversight.
I turn to the impact on technology companies of the Bill’s various provisions relating to notices—although the right hon. and learned Member for Kenilworth and Southam probably made more sensible and eloquent points than those I am about to make. The written evidence that the Bill Committee received shows that tech companies, academics and human rights and privacy campaigners are still a million miles away from the Government in their understanding of how the provisions will work and of the impact that they will have on products and services. Apple wrote to the Committee that these provisions
“would dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk.”
It is frustrating and disappointing that we did not have the opportunity to explore those differences in detail through witness testimony. The Minister did his best to reassure us, and he made some important arguments about extraterritoriality and conflicts of laws, but given the serious concerns that have been raised, it is worth again asking the Minister to explain why those witnesses are wrong and he is correct. In particular, the Government’s explanation that the new pre-notification requirement in clause 21 is
“not intended as an approval mechanism”
has not dampened concerns. Apple argued in evidence to the Committee that
“Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.”
Other provisions in the Bill around maintaining the status quo during notice review periods work in tandem with these provisions to deliver what Apple and others see as a de facto block on adoption of new technology—that is the risk that they are highlighting, and it is what the Minister must address in his speech. It is why we have tabled amendments to take out some of those provisions. It is also why we have tabled amendment 19: an alternative that would introduce advance judicial oversight and, hopefully, a degree of reassurance that the new notification notice regime under clause 21 will not deliver the unintended effects that many fear.
Finally, I put on the record our support for the amendments tabled by members of the Intelligence and Security Committee, whose work on the Bill has been as helpful as ever—I congratulate them on their one-and-a-half victories so far. As is often the case when it comes to Bills of this type, we also put on record our support for several of the amendments tabled by the right hon. Member for Haltemprice and Howden (Sir David Davis), some of which are similar to amendments that we tabled in Committee, while others are similar to amendments that we supported during the passage of other Bills, including the National Security Act 2023. In particular, new clause 3, which is designed to place an absolute prohibition on the UK sharing intelligence with foreign Governments where there is a real risk of torture or cruel, inhuman or degrading treatment, is long overdue and would close a serious gap in the law. For us, that is self-evidently the right thing to do.
As you will know, Madam Deputy Speaker, and as other Members have made reference to, I was the Minister who took the original Bill, which this Bill amends, through the House—indeed, it became the Investigatory Powers Act 2016.
The purpose of that legislation was both to draw together a number of the capabilities of the agencies necessary for them to keep us safe, and to put in place a series of mechanisms to ensure that there was proper scrutiny and accountability for those powers. We introduced the principle of a double lock, whereby both politicians and judicial commissioners were necessary to authorise some of those very powers. They matter because of the threats we face. Those threats are, as has been said by a number of contributors, metamorphosising. They were bound to do so, and we anticipated that when the original Act was considered in this place.
I accept the argument used by the shadow Minister, the hon. Member for Barnsley Central (Dan Jarvis), that that does not end here tonight. Those threats will continue to change, and it will be necessary to update the legislation to reflect those changes, for our security services and police need two things to do the job that we expect them to do on our behalf: capacity—namely, skills and resources—and capability, which includes legislative powers.
I will satisfy my right hon. Friend immediately and, I hope, save him time in his speech. Local authority trading standards teams are responsible for a range of legislation where enforcement requires investigation and may need to draw on communications data. The idea is that the powers in this Bill will be in keeping with those powers, not for them to be expansive, so my right hon. Friend is right: it is for serious crimes, as has already been set out.
That is excellent—it helps, because the schedule associated with that part of the Bill does not make that explicit. I hope that the Minister, having given that binding assurance to the House, will reinforce it in the explanatory notes associated with the Act and in the code attached to it.
I am seeing the Minister nodding. He might want to say a word or two more when he sums up.
May I gently suggest that the right hon. Gentleman goes back to the Minister now, just to pin down exactly what he is agreeing to? We on the ISC have no problem with the idea of our security services having these powers, and I do not think the public would either. They would be less comfortable, as I and the right hon. Gentleman are, with other organisations having them.
The Minister may want to intervene on me again to do exactly what the right hon. Gentleman has suggested.
On the grounds that it will save me time when I wrap up at the end of the debate, I will make it clear now. His Majesty’s Treasury is responsible for civil enforcement of financial sanctions regulations, and some information that is essential to carrying out its civil enforcement functions is now communications data, such as the timestamp on online banking transactions. His Majesty’s Treasury cannot currently use its information powers to compel that information to be provided by a telecoms operator, so to go back to the statement I made earlier, local authority trading standards teams are responsible for a range for legislation where enforcement requires investigation and may need to draw on communications data.
That is very helpful and, I think, goes a fair way towards what I want to achieve. The Minister has therefore made clear that the power will not be permissive. If he uses those very words—forgive me for putting them into his mouth, Madam Deputy Speaker—that would also help. These are going to be rarely used, particular powers associated with regulatory or legal functions of local authorities, not permissively available to those local authorities at their whim. That is clear as crystal, is it not?
If my right hon. Friend will forgive me, I will use the words I am using. Those powers will be used as infrequently as we all hope they will be, but they will be used in keeping with the law as described. If the frequency increases, it will be because of the need to act; I am very cautious about saying that these crimes will disappear, and therefore the frequency will change. I am not willing to predict that criminality now.
I entirely understand. I used the example myself of trading standards: in Lincolnshire, we have an issue with the sale of illegal cigarettes that has become not a trivial matter, but one of organised crime. It is not restricted to my county or locality: it is a national problem, and it is of course an example of where a local authority, working closely with the police, might well need to use those powers. By the way, those local authorities will be working with other agencies too: because money laundering is involved, His Majesty’s Revenue and Customs might be involved, and so on and so forth. That is a good example of where those powers might be useful in catching very serious criminals indeed, but the word I wanted the Minister to use is that these powers are not permissive. He will understand what I mean by that, and I cannot see why that would present any problem at all, given the reasonable, sensible man he is.
I apologise to my right hon. Friend. These powers are not permissive in the sense that they are expansive: they are permissive only in the sense applied to them by this law, with the restriction of the powers that local authorities already have. They are not to be used in any way other than as set out very clearly in the Bill.
I think that is helpful. The Minister will remember that when we debated the original Bill that became the Investigatory Powers Act, one or two newspapers used the term “the snoopers’ charter”, and images were used of local authorities using those powers to investigate people’s rubbish to make sure they were recycling properly, for example. I do not want to add unnecessary levity to our consideration tonight, because we are dealing with very serious matters indeed, but the Minister will understand how that kind of misunderstanding—indeed, misinformation—could do far more harm than good.
Again, just to clarify for my right hon. Friend, this Bill offers no greater expansion than his own Bill did in 2016. In the same way he ensured that Bill was no snoopers’ charter, I assure him that this one is not either.
I was going to say that I have done this matter to death, but I can see that the right hon. Gentleman wants to intervene.
I think the Minister is getting another “dancing on the head of a pin” award for his explanation. What I think the right hon. Gentleman is trying to get on the record—perhaps not for the benefit of people in this House who understand this Bill, but for the wider public—is that the way the Bill will be used is that it will include, for example, a local authority when an investigation is being driven by a security issue, such as in his example of organised crime in cigarette smuggling.
Yes, exactly. The right hon. Gentleman has put it very clearly, and the sense of what the Minister has said has reassured me that it is not the Government’s intention to extend those powers beyond the very strict legal limits associated with the kind of organised crime that he and I have both cited. For me, that is considerable progress. The right hon. Gentleman spoke earlier about half a win; I think that is three quarters of a win, at least. For that reason, I feel that I can move on to my next request of the Minister.
We spoke earlier about IPCO, and its role and association with Government. As the Minister will know and as the right hon. Member for North Durham referred to, this legislation provides for a report to be made available to the ISC on an annual basis. There has been some concern that that report might be rather different from the one that is made available to Ministers and others, and my anxiety is that it should not be different. All that it should exclude is current operational matters; nothing else should be excluded from what my Committee considers, and clearly, it needs to be the same as what IPCO gets. We cannot have three or four different reports.
That is a 100% win. It is not half a win or three quarters of a win; it is just a win. So we are making huge progress tonight, partly due to the diligence of the members of the ISC and other Members of this House, including the official Opposition, but largely due to the reasonableness of the Minister. He is a listening figure, and he is growing in stature and reputation as a result. I am delighted that the Minister has agreed to the fourth of my requirements.
It is a pleasure to follow the right hon. Member for South Holland and The Deepings (Sir John Hayes), and indeed all the fellow members of the ISC who have spoken on both sides of the House in our debate on seeking to improve this important piece of legislation. I must say that it is very rare, when one is called towards the end of a debate, for there to have been concessions on most of the areas at issue, leaving very little else to say. It makes me happy that I did not write my speech in advance, since I would have had to rip most of it up following the Security Minister’s very welcome concessions on a range of issues during our debate. They are on the record, and they are indeed extremely welcome.
However, there is one area of detail that I want to comment on, which is about the triple lock amendment—amendment 22—on the qualifications and experience of the Secretaries of State who, under the widening of the triple lock, could if the Prime Minister of the day is incapacitated for some reason, be drawn into making a warrant to intercept the communications of a Member of this Parliament, or indeed a Member of any of the devolved legislatures in the UK. The right hon. Member for Haltemprice and Howden (Sir David Davis) was very explicit about why that particular protection should be in existence, and I completely agree with his analysis. One of the ways we defend our democracy is by allowing Members of Parliament to do their unique jobs without interference unless it is for an exceptional and a very good reason, and has been authorised at the highest level.
There has been a lot of to-ing and fro-ing while the Bill has been going through its parliamentary stages about precisely how this widening of the power to make such a warrant away from the Prime Minister, if he or she is indisposed or unable to be near secure communications, should actually be defined. We have got down to the stage where everybody agrees that to make the system robust there should be an expansion, and we have even come up with a number of Secretaries of State—five—who should be authorised in such exceptional circumstances to make that warrant.
We are now down to the last piece of disagreement between the ISC and the Minister, which is about what the qualifications of those Secretaries of State should be. In seeking to try to draw out precisely what the Government mean, we have asked as a Committee that the relevant Secretaries of State who may be down to do this duty ought already to be responsible for warrantry, or have had previous responsibility for it. Thus far, however, the Government and the Minister have been unwilling to be that deliberate in the arrangements they have made.
As the right hon. and learned Member for Kenilworth and Southam (Sir Jeremy Wright) said in his contribution to the debate, the only qualification apart from being a Secretary of State that the Government appear to have admitted is that the person standing in for the Prime Minister ought to have had a 20-minute security briefing about warrantry.
Does my hon. Friend agree with me that this is so important, because the Secretary of State will be acting as the Prime Minister at that time? Once that decision has been taken—even though we now have the commitment from the Minister that the Prime Minister will be told, not should be told—they will not be able to overturn or review it in any way, so that person is acting as the Prime Minister at that stage.
Yes, and it is clearly important that there is a reassurance that the Secretary of State who is picked to do that job in these exceptional circumstances will either have previous experience of being responsible for warrantry and issuing warrants, or have current experience. I do not see why the Security Minister cannot concede that that is where we should be. I do not understand why, over all of the parliamentary time spent on this Bill, the Government have not been able to give us that assurance, which just shores up the important nature of the commitment to widening the triple lock.
Clearly, the Minister’s very welcome decision to make the concession on amendment 23, as my right hon. Friend the Member for North Durham (Mr Jones) has just pointed out, strengthens the situation, because that means the Prime Minister will have to be notified of such a warrant. However, my right hon. Friend is also correct in pointing out that the warrant cannot be rescinded if it has already been granted. I therefore gently ask the Security Minister whether he will not take the opportunity, in responding to the debate, to give the ISC members and the public we all represent the reassurance that the Secretaries of State who may have this power delegated to them either will already be responsible for warranting, or will have previously had responsibility for warranting. I do not understand why he cannot just get up and give us that final assurance. If he does, I think we will have done extremely well on Report and in Committee. I am rather disappointed that the Minister is not leaping to his feet, since he has been leaping to his feet a lot while my colleagues have been making their speeches. I see no such flicker in him as I am making mine. I suspect and hope that that is because he is just thinking about how he will wind up the debate and give us that final assurance that we need.
The measure is doable, because we are not asking for something in the Bill; it could be done in the guidance. The Minister has already agreed on changing the “should” to “will”, so this measure could be reflected in the guidance that goes alongside the Bill.
I can see that the Minister is looking pensive, so I hope that means he is thinking of some way to reassure us on this final, important point with respect to the triple lock and the widening of those powers to other Ministers who are not the Prime Minister.
The whole debate around the Investigatory Powers (Amendment) Bill demonstrates that when threats evolve, the requirement to meet them also has to evolve. We know that this area is rapidly developing, and we know also that we will probably be back in the not-too-distant future to see how these powers can be changed again to defend our democracy and meet some of the threats of serious organised crime and terrorism, which our security forces help us deal with day in, day out. We also know that if our citizens are to give us effective permission and consent to take some of these powers, any increase in powers has to be accompanied by an increase in proper oversight, to reassure them that democracy is being defended, not undermined. That includes oversight by the ISC, which is why I am a big supporter of new clause 1 as tabled by my hon. Friend the Member for Barnsley Central (Dan Jarvis). It is important that that can be an ongoing reassurance.
I do not want to repeat a lot of the arguments made by colleagues, and it is important now to listen to what the Minister has to say. I thank him for the concessions he has made, and I hope he can make just a slight move towards us on the warrantry issue in the instance of the triple lock, so that we can be even more content than we are now.
I rise to speak to amendments 15, 20 and 22, and Government amendments 3 and 6. I highlight that the investments declared in my entry in the Register of Members’ Financial Interests include a data company.
The intelligence services carry out vital work in keeping us safe in a dangerous world, as we have heard from many colleagues this evening. The secrecy that surrounds what the agencies do inevitably means that the majority of people who work for them will never receive public praise or recognition, so I take this opportunity to thank them for their brave and dedicated efforts on our behalf. This Bill provides important updates to the law to enable them to operate effectively and to adapt to fast-moving technological change and innovation. This kind of update to legislation will be essential again and again in years to come to enable our intelligence services to keep ahead of those who would seek to do us harm. For example—this is at the heart of what we are doing today—it makes no sense to require, as the current law does, that the intelligence services undertake the full range of actions designed for holding sensitive, confidential and private information when dealing with datasets that are readily available to the public or to commercial users and over which there is little or no expectation of privacy.
Before I call the hon. Member for Strangford (Jim Shannon), I am sure that the whole House will want to join me in wishing him a very happy birthday.
You are most kind, Madam Deputy Speaker. When you get to my age, you do not count the years, but you make the years count.
It is an absolute honour and pleasure to follow the right hon. Member for Chipping Barnet (Theresa Villiers). May I put on the record my thanks to her for her time as Secretary of State for Northern Ireland? We appreciate her commitment and efforts over those years. Her intelligence about and interest in Northern Ireland have not dissipated because she is no longer the Secretary of State for Northern Ireland; indeed, they have added to the occasion.
It is a pleasure to speak on the Bill, which, as the Minister will know, I have done on numerous occasions. I am aware of the complexity of the issue and of the need to give privacy its rightful place in our national security. As others have done, I put on the record my thanks to all the security and intelligence services for all that they have done and still do. We owe them a great debt.
During the previous debate, I asked the Minister for his assurances regarding whether the right balance had been struck, yet I have still been contacted by constituents who continue to express their concerns. I will not detain the House for long—about five minutes—but will highlight again the concern that my constituents continue to express, to give them one last chance to receive assurances on the Floor of the House.
My constituents’ remaining concerns relate to something that we in this place have much cognisance of and that we treasure: the freedom within a democratic society to live our lives in peace as long as we are not adversely affecting the lives of others. That is a precious right, and one that none of us in the House wants to remove. I will refer to clauses 1 and 2 and highlight four companies that have expressed concerns to get the Minister’s response. My constituents have highlighted the following:
“In addition to the concerns of civil society, I would like to draw your attention to some of the comments submitted in evidence to the Bill’s Committee from the tech industry.
Apple: ‘In addition to impacting the safety of billions of users around the world who rely on security technologies developed by Apple and other companies, the Bill in its current form would undermine fundamental human rights. In fact, just this year, the European Court of Human Rights held that requiring a company to provide a means to decrypt all encrypted communications on its platform violated the right of privacy in Article 8 of the European Convention on Human Rights.’
TechUK: ‘This could impede the ability of TechUK members to modify products and services over time to protect users from active security threats, to innovate, and enhance their services for their users.’
Information Technology Industry Council: ‘We strongly encourage greater scrutiny of these implications so that the Bill will not have a chilling effect on a company’s ability to conduct business or in current or future innovations, and that it will serve to further international efforts on shared goals around trust and security.’
Computer and Communications Industry Association: ‘Over time, this will push tech firms to refocus product development away from addressing the priorities of UK consumers, towards Government demands for access. The obstacles the new regime creates will be a drag on innovation and therefore undermine the quality of digital services on offer.’”
I am listening carefully to the hon. Gentleman’s speech, not least because it is his birthday. Let me put it to him in this fashion. I think that the public have as much to fear from those corporate organisations as they do from any democratically elected Government. I am much more concerned about the way that they gather and sell data, and, dealing with the matter of expectation, the vast majority of people do not know that they are doing it. Rather than more a more permissive attitude towards those organisations, I want to see a less permissive one.
I thank the right hon. Gentleman for his intervention. I share those concerns, but I wish to put on the record my concern for my constituents in relation to how the changes are interpreted and how they will affect people.
I will give the last sentence of the quotation from the Computer & Communications Industry Association:
“They could risk deterring investment in improving service for UK consumers and contribute to a sense that the UK is not a safe market in which to invest.”
Those are the four tech companies, and the questions are on the record—I put them in Hansard—so that perhaps the Minister can give me an answer. Will he outline what mitigations are in place for the matters affecting those four companies in order to secure the tech industry’s place in the fabric of our lives in the United Kingdom?
I am pleased that the Minister has accepted amendment 23, which was tabled by the right hon. Member for North Durham (Mr Jones). The Democratic Unionist party was minded to support that amendment, but, because it has been accepted, we will not need to do so.
While I am aware of valid concerns, I am also aware of the need for this Bill, which the gallant Minister will know about better than most in the House. He served in Northern Ireland, so he understands the implications for us in Northern Ireland and the lives that we have led for some years. I was a part-time soldier in the Ulster Defence Regiment and in the Territorial Army for 14 and a half years. I have been a recipient of security intelligence and know how it can save lives. I am here today because of intelligence, which found out what the IRA’s intentions were. That is a fact. That has affected not just me; over the years, the intelligence services have saved the lives of other hon. and gallant Members. I have many friends who served and who are alive today because of the intelligence service or the Security Service. I had many other friends who unfortunately are not alive today; I remember them as well, so I do.
We must remember that the whole objective of the Bill is to keep us safe, to keep us secure and to ensure that our lives with our families can continue. I do hope that a balance has been struck, as the Minister outlined, because freedom is a prize worthy of getting it right. I know that the Minister wants to get it right, and I want it to be right. Madam Deputy Speaker, you want it to be right as well. Let us do it and get it right tonight.
Right hon. and hon. Members will be delighted to hear that, having answered colleagues as we went along, I have only a few short words to conclude. [Hon. Members: “Hear, hear!”] I know how to keep them happy.
Amendments 3 to 6 to clause 14 concern the restoration of specified public authorities’ general information powers to secure the disclosure of communications data from a telecommunications operator by compulsion. I pay tribute and thanks to my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes). I hope that Members will have noticed that I have listened carefully to Members across the House, and I believe that this Bill has been pulled together carefully alongside the Intelligence and Security Committee. It is a slight shame I cannot thank the right hon. Member for New Forest East (Sir Julian Lewis) in person, who is sadly at a funeral today. He has played an important role in contributing to and leading the engagement of which I have had the advantage in preparing this Bill.
Let me quickly touch on one or two points. My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) spoke about notices. It is important to note that the notices do not block innovation. They do not stop a technical patch or infringe on companies’ ability to update their systems. All they do is make sure that the existing level of access remains while that is being looked at. That is a reasonable element to ensure that the British people are kept safe by the British law enforcement authorities.
I understand what my right hon. Friend is saying, but the practical consequence of issuing such a notice is that the development of the product about which concern has been expressed has to stop. Therefore, the infringement on commercial liberty, in practice, is exactly what I have described, is it not?
If my right hon. and learned Friend will forgive me, I will be able discuss that in a more secure environment, but I can only say, “Not necessarily.” I will be able to describe why that is in a different environment, but I cannot do it here.
The reason for not accepting amendments 22 and 23 —I understand the points made by right hon. and hon. Friends and Members across the House—is that we are talking about a very limited number of people. One Secretary of State is already used to do the initial request. The second person on the triple lock is a judicial commissioner—a judge. The third therefore has to be one of the four Secretaries of State left. Therefore, it is important that we make sure that it is somebody in whom the Prime Minister has confidence. Given that we are about to have a new Government—I hope the new Conservative Government, but still a new one—it is entirely possible that there will be a new Cabinet and that the routine explanation will not be satisfactory. As routine duties do not have legal clarity, we will not use them.
The Minister has used that argument before about new Secretaries of State, and it is complete nonsense, is it not? It would not happen on day one unless the Prime Minister suddenly got covid or was indisposed. By the time this came in, those three people would be there anyway. His argument is pretty weak.
The right hon. Member has made his point and I have made mine; I am afraid I will leave it there rather than continue. The ways in which we have been able to engage on the Bill has been incredibly supportive and helpful.
The removal of clause 15 from the Bill would prevent the intelligence agencies and the National Crime Agency from detecting some national security and serious crime threats, and those intent on committing child sexual exportation and abuse. Given the robust oversight of the regime in general, and the internet connection records in particular, we simply do not believe that this is in the best interests of the British public. Removal would benefit only those who threaten our safety and serve to make the work of the intelligence services and the NCA significantly harder as they seek to protect us and bring paedophiles to justice. The Investigatory Powers Commissioner already has the necessary powers to inspect and report on all parts of the CD regime. If the Investigatory Powers Commissioner wishes is to focus attention on condition D of the internet connection record, they have the power to do so. With those clarifications, I commend the Bill to the House.
Question put, That the clause be read a Second time.
I beg to move, That the Bill be read the Third time.
I pay huge tribute to all the contributions from across this House, and particularly to my hon. Friend the Member for North Cornwall (Scott Mann), who whipped this through in exemplary fashion and will be delighted that since my appointment he has not had to take a Minister’s place on a Bill. He will also be grateful, along with me, to Lord Sharpe in the other place who has led on this Bill brilliantly, and taken us through with exemplary speed. I thank the hon. Member for Barnsley Central (Dan Jarvis), who has been a great friend for many years. We have now completed a Bill together, which really does bring us that bit closer. I also say an enormous thanks to Phoebe, Fintan, Francesca, James, Emer, Lucy x 2, Megan, Sophie, and Tom Ball, whose exemplary work in the Bill Committee has been fantastic.
It is gratifying that we will get this Bill on the statute book, because it will give our security services the necessary powers to keep us all safe. I add my thanks to the staff of the Committee on which I and other Members served, and like the Minister I thank the civil servants who I have engaged with throughout the passage of the Bill. I also thank my hon. Friend the Member for Barnsley Central (Dan Jarvis) for his engagement on the Bill. The right hon. Member for New Forest East (Sir Julian Lewis) would have liked to have been here today. He has played an integral part not just in speaking about the Bill, but in his work on the ISC. As I said earlier, unfortunately he is at the funeral of Lord Cormack; the House will understand his reason.
As I said, the Bill will improve our abilities. Perhaps the Minister would also like to put on record his thanks to the ISC, which he forgot to do. It might have been a painful process at times, but can I give him some advice, possibly for the future? He may well have been able to solve some of these issues earlier in our discussions, and avoided keeping his colleagues here on a Monday night—[Interruption.] The Secretary of State for Levelling Up, Housing and Communities says from a sedentary position that that was impossible, but the Minister has agreed to our amendments.
Some of us should take yes for an answer.
Well some of us do, but if the amendments had been agreed to last week, we could have had a shorter debate today and the Minister’s colleagues would not have been kept here for so long.
Finally, the biggest thanks we need to give is to the men and women of our security services who, as the Minister said in his earlier contribution, do not get any recognition publicly. They do their work day in, day out, some in very dangerous circumstances, to keep us all safe.
I, too, thank all colleagues who have taken part in the proceedings today, in Committee stage and before, especially members of the ISC whose expertise really does benefit our scrutiny processes. I also thank all the various organisations that have provided written evidence and briefings, both in support of, and in opposition to, the Bill. Finally, may I also thank the Committee staff and the Clerks of the House for helping us through what has in some ways been quite a technical Bill?
The Investigatory Powers Act 2016 set out a detailed framework for use of investigatory powers. The existence of such a legislative framework was welcome, as were some aspects of the framework itself. We worked hard to try to improve that framework, but, ultimately, believed that it fell short of what was required and so we voted against that Bill on Third Reading. We are in much the same place today. We get the motivations for this Bill; they are understood and we are sympathetic with some of what the Bill seeks to achieve. However, we are not convinced that all the powers are shown to have been necessary and proportionate and that there are not other ways to get to where those seeking the new powers need to be.
At the same time, with more extensive powers and more extensive use of those powers, there should come greater oversight. In our view, the Bill heads us in the opposite direction, watering down or failing to put into place necessary advanced judicial oversight. Such oversight, we believe, is of benefit in providing reassurance not only to members of the public concerned with implications for their private lives, but to the very people who need to navigate these powers—members of our security and intelligence services and other public bodies. Instead, they are left to make difficult almost impossible judgments as to their lawful use, necessity and proportionality. Therefore, we do not take this step lightly, but for those reasons we will be voting against Third Reading tonight.
I rise to confirm that we on these Benches support the Third Reading of this Bill. It is the first duty of every Government to keep their people safe. It is right that we take the opportunity to pay tribute to the exceptional men and women who serve in our police and security services, often in the shadows and often without recognition, working tirelessly to keep our country safe. We owe them all a debt of gratitude. We also owe it to them, as Members of this House, to provide them with the powers they need to discharge their duties. The Bill does that, in part, because it has been the product of constructive cross-party efforts both in this House and in the other place.
I wish to take the opportunity to thank the Minister for his work on the Bill. I wish him well with future endeavours. I also thank the SNP and all those Members who have contributed to this process, particularly those members of the ISC, who have made an outstanding contribution to proceedings.
On behalf of the whole House, I express our thanks to the civil servants working in the Home Office who have done an exceptional job, as have the Clerks of this House, who have worked very hard on what is after all a technical Bill.
It is always welcome when collegiate, cross-party working takes place in this House. I am very grateful that, on this occasion, we have been able to work together on getting this important Bill right.
Question put, That the Bill be now read the Third time.
(7 months, 4 weeks ago)
Lords ChamberThat the House do agree with the Commons in their Amendment 1.
My Lords, with the leave of the House, I will also speak to Amendments 2 to 17.
The Investigatory Powers (Amendment) Bill has returned to us in good shape thanks, in great part, to the expert input of noble Lords when we first considered the Bill. The Government have therefore made only a small number of amendments to the Bill in the other place, which we will consider today.
Clause 11 ensures that there is clarity for tele- communications operators operating within the IPA framework, as to which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner to be notified of such breaches.
Amendments 1 and 2 update this clause to provide a clear route to redress for those impacted by personal data breaches committed by telecoms operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about such breaches, within the context of the use of investigatory powers, and grant a remedy.
Turning to Amendments 15 and 16, noble Lords will recall that the Government accepted several amendments tabled by the noble Lord, Lord West of Spithead, on Report in relation to the alternative triple lock process for warrants which enable the intelligence agencies to acquire the communications of parliamentarians. As I set out at the time, while the Government agreed with the bulk of these amendments, our view was that we would need to clarify one relatively small aspect. The inclusion of “routine duties” was overly restrictive and would have undermined the resilience of the triple lock process that these clauses seek to safeguard. Amendments 15 and 16 therefore replace this with “relevant operational awareness” to ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation.
I turn now to Amendments 3 to 6, which make changes to Clause 14. This clause concerns the restoration of specified public authorities’ general information powers to secure the disclosure of communications data from a telecommunications operator by compulsion. These amendments do not create new powers for these bodies. These amendments limit the restoration of the powers to those public authorities already listed in Schedule 4 to the IPA and those in new Schedule 2A.
Bodies in Schedule 4 to the IPA may use powers within the IPA to acquire communications data for the statutory purposes within the Act. Therefore, it is right that they are also able to use their existing statutory regulatory and supervisory powers outside the IPA in support of their statutory functions, provided there is no intention to use the communications data for the purpose of investigating or prosecuting a criminal offence.
The creation of new Schedule 2A ensures that those bodies which are not in Schedule 4 but have a clear requirement to utilise their existing supervisory and regulatory powers can continue to do so, such as His Majesty’s Treasury in respect of the sanctions regime. This schedule can be amended in future via a new delegated power, ensuring continued parliamentary oversight of which bodies are included.
Once again, I would like to thank the noble Lord, Lord West of Spithead, and members of the Intelligence and Security Committee for their engagement on improving this clause. I hope that noble Lords will agree that the amendments provide greater clarity and ensure that Parliament has oversight of the bodies to which the relevant powers can be restored.
Finally, Amendments 7 to 14 make minor and technical changes to Clause 21 on notification notices, ensuring consistency in language across the Investigatory Powers Act. Amendment 17 removes the privilege amendment inserted by the Lords and is procedural. I beg to move.
My Lords, when I heard that the Government were bringing forward amendments to this Bill in the Commons, I was somewhat suspicious, but I am pleased to say that it seems, after yesterday, the Minister has migrated to a slightly calmer situation today, as the amendments in front of us are all amendments that we can pass without too much ado. Amendments 3 to 6 are useful clarifications of where we should be; the Commons has done a good job in clarifying that area and that should be noted. I am sure that Amendments 15 and 16 will be an understandable change to the original amendment of the noble Lord, Lord West. I would like again to thank the Minister and the Bill team for their openness and their help in working through these amendments and, of course, the previous Bill. With that, we on these Benches are happy to accept these amendments.
My Lords, once again, I thank those in the intelligence community who defend our country. I thank all MPs and Peers from both Houses for their dedicated scrutiny of the Bill, which we fully support. As the noble Lord outlined, it is a good Bill that has been improved by your Lordships’ scrutiny, and it benefited from starting in your Lordships’ House before it went to the other place. I thank—as did the noble Lord, Lord Fox—the Bill team for their work and for their genuine engagement with us as the Bill progressed. I thank the noble Lord, Lord Anderson, for the detailed report that he did, which led to much of what we see in the Bill, and it is good to see the noble Lord in his place.
My Lords, I thank all noble Lords who were involved in the passage of the Bill. I restate my thanks to the intelligence agencies and law enforcement for their contributions to the Bill and of course for the work they do every day to keep this country safe.
I have to say to the noble Lord, Lord Coaker, that I genuinely thought that I had got away with being the Prime Minister’s diary secretary for once. I am afraid the answer is that I have not.
I thank both noble Lords for their appreciative comments about the Bill team and indeed about the Government. We have tried hard to engage to make the Bill as good as it can be, and by and large I think we have succeeded.
I shall address the specific points that were raised. The noble Lord asked about His Majesty’s Treasury and local authorities. New Schedule 2A has been created to provide Parliament with further clarity on which public authorities will have their regulatory and supervisory information-gathering powers restored by Clause 14. That follows concerns raised by the noble Lord, Lord West, and other members of the ISC.
We are aware that His Majesty’s Treasury and local authorities in particular require legal certainty on the exercise of their pre-existing statutory powers in respect of their supervisory and regulatory functions. Other bodies which have been affected by the revocation of powers by Section 12 of the IPA, such as His Majesty’s Revenue and Customs and the Financial Conduct Authority, are already listed in Schedule 4 as they are able to acquire communications data in support of their criminal investigations under Part 3 of the IPA. There will be other public authorities which have pre-existing information-gathering powers in respect of their supervisory and regulatory functions, but it has not been possible to establish a complete list at this time; instead, we have created a new delegated power to add further bodies to Schedule 2A as necessary.
On the specific questions asked by the noble Lord, Lord Coaker, the existing definition of “local authority” as found at Section 86 of the IPA applies in respect of the communications data acquisition powers under this Act, so it is not mayors. I have, helpfully, been sent what “local authority” means and I will read it into the record. It is a district or county council in England, a London borough council, the Common Council of the City of London in its capacity as a local authority, the Council of the Isles of Scilly, a county council or borough council in Wales, a council constituted under Section 2 of the Local Government etc. (Scotland) Act 1994 and a district council in Northern Ireland. In terms of the Treasury and what that involves, it is the Treasury and its arm’s-length bodies.
The noble Lord also asked why we are using the negative procedure, rather than an affirmative one, to add new bodies to Schedule 2A. These amendments limit the effect of Clause 14 and will afford Parliament greater scrutiny than under the original drafting. The House did not object to the original drafting, so I hope we will welcome the additional parliamentary oversight that the amendments provide. As the process will focus solely on ensuring that pre-existing statutory powers can be effectively exercised, an affirmative procedure would be disproportionate. This is because the appropriate in-depth parliamentary scrutiny will have already occurred when relevant bodies were given their statutory responsibilities in the first place. The negative procedure is more appropriate as it allows for additions to be made to the schedule swiftly to ensure that existing statutory powers are not unduly inhibited from being exercised. Since the information-gathering powers are necessary for these bodies to fulfil their regulatory and supervisory functions, any delay could hinder a body from operating effectively. These reinstated powers will be available only where there is no intention to use that data for the purposes of investigating or prosecuting a criminal offence.
The Bill will help our intelligence agencies and law enforcement agencies keep pace with developments in technology and changes in the threat landscape. They will help to make the UK a safer place. I remain hugely grateful for their work, and I hope that noble Lords will see fit to agree to the handful of Commons amendments before us today.
That the House do agree with the Commons in their Amendments 2 to 17.
(7 months, 3 weeks ago)
Lords Chamber