Lord Sharpe of Epsom

- View Speech - Hansard -

Copy Link

- - Excerpts

That the Bill be now read a second time.

The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.

The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.

Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.

It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.

But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.

I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.

This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.

Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.

Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.

I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.

While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.

Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.

The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.

Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.

In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.

The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.

Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.

The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.

Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.

Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.

Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.

Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.

The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.

The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.

Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.

I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.

The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.

I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.

I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.

For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.

The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.

On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.

In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.

Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.

These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.

The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.

The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.

On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.

None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.

These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.

The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.

On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.

On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.

The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.

I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.

Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.

Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.

The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.

On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.

The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that

“The safeguards contained within that Act are capable of preventing abuse”.


While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.

I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,

“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].

Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.

Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.

The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.

I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.

Lord Sharpe of Epsom

- Hansard -

Copy Link

- - Excerpts

That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:

Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.

The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.

I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.

Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.

In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.

The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.

Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.

Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which

“regard must be had to all the circumstances”.

The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.

The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.

The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.

On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.

All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

Thank you; point taken.

Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.

In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.

I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.

I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.

The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.

The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.

Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.

The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.

Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.

Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.

The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.

The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.

I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.

As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.

The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.

The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.

The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.

The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.

Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank all noble Lords who have spoken in this debate, which was fascinating. I shall start by addressing the amendments and points raised on the circumstances in which the alternative approvals process would be used—that is, for urgent warrants when the Prime Minister is not available. First, it is worth reminding noble Lords that we have set out a non-exhaustive list of such circumstances in the draft excerpt of the relevant code of practice published last week. I shall come back to that in a moment.

I start with Amendments 44 and 51A, tabled by the noble Lord, Lord Anderson of Ipswich, and spoken to by the noble and learned Lord, Lord Hope of Craighead, which seek to widen the situations in which the alternative approvals process could be used to include situations where the Prime Minister is “unable” to consider a warrant—not only when they are “unavailable”. As the noble and learned Lord indicated, the amendments would extend the circumstances where the alternative approvals process could be utilised to expressly include instances where the Prime Minister has a conflict of interest in considering a warrant application.

I remind noble Lords that the Prime Minister, like all Ministers, is expected to maintain conduct in line with the Nolan principles in public life: selflessness, integrity, objectivity, accountability, openness, honesty, and leadership. When a Prime Minister has a conflict of interest in approving a warrant, due to any personal or professional connection to the subject of the warrant, they are expected to continue to act in the public interest. Therefore, in these situations, the Government consider that the alternative approvals process is not required.

When drafting the Bill, the Government considered at some length whether to make further provision for conflict of interest, along the lines of the noble Lord’s amendment, and concluded that they should not. The primary reason is that, in order for a conflict of interest provision to function, a Secretary of State or unelected official involved in the warrantry process would have to be granted the ability, in certain situations, to take from the Prime Minister a personal power given to them alone by Parliament. Unlike the provisions in Clause 21, which permit the Prime Minister to delegate their power to approve these warrants if they are unavailable, this would require a subjective decision to be made on whether the Prime Minister could, in theory, be judged able to approve the warrant. A conflict of interest provision would also have significant implications for Cabinet hierarchy and the constitution. This is because a Secretary of State or an unelected official would have to determine that the Prime Minister had a conflict in approving the warrant and was therefore “unable” to be made aware of the warrant request. It is for these reasons that the Government decided that a conflict of interest provision should not be included in the Bill.

I have referred to the draft code of practice, and the noble and learned Lord, Lord Hope of Craighead, referred to my letter. I can confirm that many of the words in that letter appear to have reappeared in the code. Paragraphs 5, 5.1 and 5.2 state that:

“Prime Ministerial unavailability should be understood to mean situations in which the Prime Minister is genuinely unavailable to consider the application. For example (non-exhaustive) … The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents … The Prime Minister is medically incapacitated and therefore unable to consider the warrant”.


I am very happy to share the code of practice further with all noble Lords, if they would like to see a copy.

I have noted that this conflict of interest provision is specifically not included in the similar Amendments 43 and 51, tabled by the noble Lord, Lord West, which seek to limit the circumstances in which the alternative approvals process can be used due to

“incapacity (ill-health) or lack of access to secure communications”.

As the code of practice sets out, these are two of the key scenarios for which the measure is required, but an amendment of this nature would not cater for unforeseeable events and would leave an unacceptable level of vulnerability in the system. Given that the aim is to increase the resilience of the process, these amendments feel opposite in intent. The moment that a circumstance arises in which the Prime Minister is unable, for a reason other than the two given, to authorise an urgent warrant application, the system would provide a blocker to the intelligence agencies being able to conduct their vital work, which is of course keeping parliamentarians and the public at large safe and secure. I therefore ask noble Lords not to press their amendments. However, I note the views expressed today and am very happy to continue discussions and to meet the noble and learned Lord, Lord Hope, and the noble Lord, Lord Anderson, again to discuss this further.

I turn to Amendments 48 and 53, also tabled by the noble Lord, Lord West. These would introduce a review by the Prime Minister of warrants authorised via the alternative approvals process for interception and equipment interference. Clauses 21 and 22 are set up in such a way that the Prime Minister’s power is afforded to the Secretary of State for the purposes of triple-locked warrantry in specific circumstances; in effect, they are acting as the Prime Minister for the purposes of the Act, not as a deputy. As such, including a requirement for the Prime Minister to review the decision after the fact would not provide additional meaningful oversight beyond that which is provided by the alternative approver on their behalf. The decisions made by the initial Secretary of State and the alternative approver would still be subject to review by the judicial commissioner, so would have already been subject to significant scrutiny. The Government therefore cannot support these amendments.

I turn to the issue of to whom the Prime Minister can delegate this process. Amendments 47 and 49, tabled by the noble Lord, Lord Coaker, and Amendments 46 and 52, tabled by the noble Lord, Lord West, all seek to limit the Secretaries of State whom the Prime Minister can designate as alternative approvers. Directing the actions of the current and any future Prime Minister by limiting the Secretaries of State to only those mentioned in statute is short-sighted, in that it does not consider potential changes to the machinery of government, as the noble Lord, Lord West, noted.

Furthermore, I invite noble Lords to consider the scenario where, for example, the Home Secretary has provided the initial approval for the application before it is considered as part of the alternative approvals process. The Home Secretary should not then consider the application on behalf of the Prime Minister; this is because it would remove a stage of scrutiny in the triple lock process. Additionally, given the potential for there to be concurrent overseas travel of the Prime Minister and at least one other relevant Secretary of State, limiting the process in this way could fail to provide the necessary resilience. While there should not be an unlimited number of designates, it is important that there are enough alternative approvers to be prepared for these scenarios.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

I am happy to acknowledge that the noble Lord is right: their powers have expanded, as have their influence and celebrity over the years. I do not have an answer now, but I will come back to the noble Lord on that.

The objective of these clauses is to provide greater resilience in the process. It is critical that we do not undermine this from the off. I therefore hope noble Lords feel reassured by the explanations given, and the information set out in the draft code of practice, which is the appropriate place to set out the detail of this alternative process.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

I thank both noble Lords for their thanks. I have forgotten where I was, but I had pretty much finished.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I will speak to government Amendments 56, 59 and 60. As I set out in my letter to all noble Lords on 4 December, these small amendments will ensure that the legislation works effectively.

Government Amendment 56 amends Schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland and Scotland into a person’s death. This will create parity with existing provisions for coroners in England and Wales by putting relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland on the same footing as their counterparts in England and Wales. Where necessary in the interests of justice, intercepted materials can be considered in connection with their inquiry or inquest.

Government Amendments 59 and 60 will maintain the extent of the IPA 2016, as set out in Section 272 of that Act. They amend this existing power to ensure that the measures in the 2016 Act, as amended by this Bill, can be extended to the Isle of Man or the British Overseas Territories, thus ensuring consistency across the legislation. If the Government sought to extend any provision to the Isle of Man or any of the British Overseas Territories, this would require an Order in Council and the Government would, of course, consult the relevant Administrations well in advance. I ask noble Lords to support these amendments.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank the Committee very much indeed for the points raised in this short debate, which eloquently explained the fine balance that needs to be struck in this area. As this is the last group, I take this opportunity to thank all the men and women in all the security services, who do so much to keep us safe.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

It is nice to hear that the Committee reflects that sentiment.

I appreciate the sentiment behind the amendments in the name of the noble Lord, Lord Coaker, but the Government cannot accept them. He is right that public trust and confidence in public authorities’ use of investigatory powers is of course essential. The Investigatory Powers Commissioner, along with his judicial commissioners, fulfils that very important function, as does the Investigatory Powers Tribunal. The IPC provides independent, robust and transparent oversight of public authorities’ use of investigatory powers. The safeguards in the Act are world-leading in that regard. The IPT, meanwhile, provides for a redress mechanism for anyone who wishes to complain about the use of investigatory powers, even if they have no evidence of potential wrongdoing.

As the noble Lord is aware, the Investigatory Powers Commissioner is already required to produce an annual report, which is published and laid in Parliament. One of the purposes of this public report is to provide transparency around how the powers are used, any errors that have been reported on public authorities’ compliance with the legislation, and where he considers that improvements need to be made. Amendment 57 would not really provide meaningful or additional oversight over and above what is already in place, and would in many areas be duplicative.

On Amendment 58, the noble Lord, Lord Coaker, is seeking to introduce a similar requirement to that in the original Act, in that case requiring a report on the operation of the Act to be produced five years after it entered into force. That report was published by the Home Secretary in February this year and formed the basis for the Bill, along with the report from the noble Lord, Lord Anderson. As set out in the Home Secretary’s report—and noted by the noble Lord, Lord Anderson—it is the Government’s view that future legislative reform is likely to need to keep pace with advancements in technology and changes in global threats.

It is not necessarily helpful to put a time limit on when these updates should be made. The Bill makes urgent and targeted amendments to the IPA, and it is important that there is adequate time to implement those changes and assess over an appropriate period whether they are sufficient. As I said, the Government are well aware that future legislative reform is likely and, if I may channel my inner Ronan Keating, “Life is a rollercoaster”. I hope that my explanations have reassured the noble Lord, Lord Coaker, on the existing process in place and invite him to not press his amendment.

The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I have listened with interest to the points made in this debate. As noble Lords will be aware, we have considered carefully the amendments that have been debated. I place on record my thanks to the noble Lords, Lord West, Lord Coaker and Lord Fox, for their constructive engagement in the run-up to today’s debate on these issues and various others that will be debated later today.

I turn first to the topic of oversight of the new Part 7A regime containing bulk personal datasets, BPDs, where there is low or no expectation of privacy. Alongside the proportionate set of safeguards set out in Part 7A, the Bill currently provides for executive political oversight and accountability by requiring the heads of the intelligence services to provide an annual report to the Secretary of State about Part 7A datasets. The intention of the report is to ensure that there is a statutory mechanism for political oversight, given that the Secretary of State will not have a role in Part 7A authorisations. That is set out in new Section 226DA in Clause 2 of the Bill.

The Investigatory Powers Commissioner will continue to provide full, independent and robust oversight of the investigatory powers regime, including this new part. Nevertheless, the Government have listened to the points made by noble Lords and colleagues in the other place, and we understand their concerns about increasing parliamentary oversight. Government Amendment 4 therefore recognises the important role of the ISC in providing parliamentary oversight of the intelligence services. It places a statutory obligation on the Secretary of State to provide the ISC with an annual report containing information about category authorisations granted under the Act during the year. The amendment will ensure that the ISC is proactively provided with information about the operation of Part 7A on an annual basis. That will support the ISC in continuing to fulfil its scrutiny role and will enhance the valuable parliamentary oversight the committee provides.

It is appropriate for the ISC to be privy to certain information relating to Part 7A in the exercise of its functions, and that a statutory obligation be placed on the Secretary of State to provide it. This obligation is intended to be consistent with the provisions set out in the Justice and Security Act, and due regard will be had to the memorandum of understanding between the Prime Minister and the ISC when meeting it. It is likely that Amendments 2 and 3, tabled by the noble Lord, Lord West of Spithead, which would require that the report provided to the Secretary of State be also shared with the ISC, would not be in step with that. The information required by the Secretary of State to fulfil their responsibilities in respect of the intelligence services will not necessarily be the same as that which would assist the ISC in performing its functions. The report will almost certainly contain information about live operations, which is outside the scope of the ISC’s remit, as well as other information that it may not be appropriate to share with the ISC and which the Secretary of State could properly withhold from the ISC were the ISC to request it.

For that reason, we think it more appropriate that a report be written to meet the ISC’s functions that the Secretary of State will send to the ISC. This will provide the additional parliamentary oversight the committee is seeking and would be akin to the existing arrangements in place for operational purposes.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

I cannot say whether or not that someone will be the Prime Minister at the moment.

As I said, the Government are clear that the MoU review is the correct forum to discuss relevant potential changes to the agreement between the Prime Minister and the ISC. But the Government do not believe a report of this kind is appropriate or necessary and do not support the amendment. The noble Lord, Lord Coaker, has already answered the question from the noble Lord, Lord Murphy, and all I can say from the Dispatch Box is that I will try again.

I turn to the second of the amendments from the noble Lord, Lord Coaker, Amendment 47, which would require the Government to publish a report assessing the potential impact of this legislation on the EU’s data adequacy decision. The Government are committed to maintaining their data adequacy decisions from the EU, which play a pivotal role in enabling trade and fighting crime. The Home Office worked closely with the Department for Science, Innovation and Technology when developing the proposals within this Bill to ensure that they would not adversely impact on the UK’s EU data adequacy decisions. As the European Commission has made clear, a third country is not required to have the same rules as the EU to be considered adequate. We maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood. Ultimately, the EU adequacy assessment of the UK is for the EU to decide, so the Government cannot support this amendment.

I turn to the amendments retabled by the noble Lord, Lord Fox, on urgency provisions for individual authorisations under Part 7A and third party dataset warrants under Part 7B. The Government remain opposed to these iterations of the amendments for the following reasons. Urgency provisions are found throughout the IPA and the Government’s approach is to mirror those provisions in the regimes in new Part 7A and new Part 7B. Making the proposed amendment solely for these parts would reduce consistency—as the noble Lord, Lord Fox, predicted—and ultimately risk operational confusion where there is no good reason to do so.

It will always be in the interests of the relevant intelligence service—as the noble Baroness, Lady Manningham- Buller, said; I add my comments to those of the noble Lord, Lord Coaker, about a speedy recovery—to notify a judicial commissioner of the granting of an urgent authorisation or the issuing of an urgent warrant as soon as is reasonably practicable. These urgent instruments are valid only for five working days. A judicial commissioner must review and decide whether to approve the decision to issue or grant the instrument within three working days. If the judicial commissioner refuses to approve the decision within that time, then the instrument will cease to have effect. It would be counter- intuitive for an intelligence service to make untimely notifications, as this increases the risk of the urgent authorisation or warrant timing out because the judicial commissioner is left without sufficient time to make a decision.

In an operational scenario where the urgency provisions are required, such as a threat to life or risk of serious harm, or an urgent intelligence-gathering opportunity, it may not be practical or possible for the intelligence services to ensure completion of paperwork within a 24-hour period, as the noble Baroness, Lady Manningham- Buller, explained rather more eloquently than I have done.

The intelligence services work closely with the Investigatory Powers Commissioner’s Office to ensure that the processes for reviewing decisions are timely and work for judicial commissioners. For those reasons, I ask that the noble Lord, Lord Fox, does not press his amendments.

This group also includes the two modest but worthwhile government amendments, Amendments 8 and 9. These make it clear beyond doubt that the new third party BPD regime will fall under the oversight of the Investigatory Powers Commissioner. The robust oversight that IPCO brings will ensure compliance, ensuring that robust safeguards are in place when information is examined by the intelligence services on third parties’ systems. I hope that noble Lords will welcome these amendments and support them.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I will speak to the government amendments in this group, Amendments 10 to 14.

The Investigatory Powers Act contains world-leading oversight arrangements and safeguards that apply to the use of investigatory powers. The Bill strengthens these to ensure that the oversight regime is resilient and that the Investigatory Powers Commissioner is able to carry out his functions effectively. These government amendments are designed to maintain this approach, and to tighten the drafting in certain areas to ensure that the scope of the measures in Part 3, in respect of communications data, cannot be interpreted more broadly than is intended.

I will start with government Amendment 12, which will ensure that there is clarity for telecommunications operators regarding their obligations to report personal data breaches relating to warrants issued under the IPA. The proposed new clause will also make provision for such breaches to be reported to the Information Commissioner and the Investigatory Powers Commissioner. This amendment will also ensure that the Investigatory Powers Commissioner has the ability to notify an individual affected by the personal data breach, if it is deemed to be in the public interest to do so and if the Information Commissioner considers the breach to be serious. Such a notification will inform an individual of any rights that they may have to apply to a court or tribunal in relation to the breach. This important amendment will bring much-needed clarity in respect of how personal data breaches committed by tele- communications operators are regulated, and ensure that there is a clear statutory basis for the Information Commissioner and the Investigatory Powers Commissioner to be notified of certain personal data breaches.

I move on to government Amendments 10 and 11. Amendment 11 adds Scottish Ministers to the list of parties, at Clause 9(5), who are to be notified by the Investigatory Powers Commissioner of the appointment of a temporary judicial commissioner. This must be as soon as practicable after any temporary judicial commissioner has been appointed. This will ensure that Scottish Ministers are kept abreast of crucial developments in the investigatory powers oversight regime. A similar requirement already exists in the Bill, which requires the IPC to notify certain persons, including the Secretary of State and the Lord President of the Court of Session, of an appointment of a temporary judicial commissioner.

Government Amendment 10 to Clause 8 allows the Investigatory Powers Commissioner to delegate to deputy Investigatory Powers Commissioners the power to approve decisions following the review of a notice. This brings this function in line with the commissioner’s other functions in the Act with regards to delegation and, as with those powers, allows for delegation in only when the commissioner is unavailable or unable.

I turn now to government Amendments 13 and 14, both of which concern communications data, which I will refer to as CD. Government Amendment 13 clarifies the extent of Clause 11 to ensure that its scope is not wider than intended. Section 11 of the IPA creates the offence of acquiring CD from a telecommunications operator without lawful authority. Clause 11 seeks to carve out from the scope of Section 11 the sharing of CD between public authorities, where one of those authorities was a telecommunications operator.

This amendment to Clause 11 ensures that the public authority carve-out from the Section 11 IPA offence of acquiring CD without lawful authority does not go wider than intended. The new definition is based on the definition of public authority in the Procurement Act 2023. The previous definition was based on the definition of public authority in the Human Rights Act 1998. This latter definition could, in some circumstances, have created doubt over whether it included certain private sector telecommunications operators.

This amendment removes that doubt and clarifies that the public authority carve-out will apply only to telecommunications operators wholly or mainly funded by public funds—in other words, they are public authorities themselves. The IPA was designed to ensure that the acquisition of CD from private sector tele- communications operators for the statutory purposes set out in the Act was subject to independent oversight to safeguard against abuse. This amendment maintains this important safeguard in relation to private sector telecommunications operators.

I turn to government Amendment 14. It is critical that the legislation is absolutely clear on what constitutes CD and the lawful basis for its acquisition. Without this clarity, we risk placing CD that is crucial to investigators out of their reach. Government Amendment 14 therefore seeks to clarify that subscriber data used to identify an entity will be classed as CD.

This amendment is necessary as the existing Act creates a carve-out in the definition of CD to ensure that the content of a communication cannot be acquired under a Part 3 acquisition request. This reflects Parliament’s view during the initial passage of the IPA 2016 that the content of a communication is inherently more sensitive than the underpinning metadata: the “who”, “where”, “when”, “how” and “with whom” of a communication. Clause 12 amends the definition of CD in Section 261 of the Act to exclude certain types of data from the carve-out of content from the definition of CD. The effect of this is to include those data types within the definition of CD.

Government Amendment 14 restricts the effect of Clause 12 to ensure that it is not overly broad and cannot be applied to bring unintended, inappropriate types of data within the definition of CD. For example, the amendment will put beyond doubt that the content of recorded calls to contact centres or voicemails is not in scope of the amended CD definition and will not be accessible with an authorisation under Part 3 of the Act. The amendment to Section 261 does not affect the oversight function of the Investigatory Powers Commissioner’s Office, which continues to inspect and highlight any errors and provide prior independent authorisation for the acquisition of CD in most cases.

I hope I have convinced noble Lords of the necessity of these government amendments; I ask that they support them. I also hope that these amendments provide reassurance to noble Lords, ahead of the debate on this group, of the Government’s commitment to ensuring that the clauses in Part 3 are drafted as tightly as possible and with a proportionately narrow scope.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.

As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.

Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.

Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.

In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.

These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.

Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.

The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.

I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.

Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.

Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.

I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.

The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.

The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.

As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.

Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.

I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.

I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.

In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.

As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank the noble Lords, Lord Ponsonby and Lord Fox, for their remarks in this debate. I reassure the noble Lord, Lord Fox, that any cheek-blowing he witnessed was more a reflection of the previous marathon speech than a reflection on his amendments.

Amendment 21, moved by the noble Lord, Lord Fox, would require that the enforcement of data retention notices—DRNs—would apply only to UK recipients of those notices. DRNs and technical capability notices—TCNs—can be given to a person overseas, but only TCNs are currently enforceable overseas. Clause 16 seeks to amend Sections 95 and 97 of the IPA to allow the extraterritorial enforcement of DRNs in order to strengthen operational agility when addressing emerging technology, bringing them in line with TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence agencies need to access the communications data they need to, in the interests of national security and to tackle serious crime.

The Government therefore oppose Amendment 21 as it goes fundamentally against what the Government are seeking to achieve through Clause 16 and would not provide any additional clarity to telecommunications operators. As DRNs are already enforceable against UK recipients, there is no need to re-emphasise that in the Bill.

I turn to the amendments to Clause 17 concerning the notice review period. This clause is vital to ensure that operators do not make changes that would negatively impact existing lawful access while a notice is being comprehensively reviewed. Maintaining lawful access is critical to safeguard public safety, enabling law enforcement and the intelligence community to continue protecting citizens during the review period.

Let me be clear: operators will not be required to make changes during the review period to specifically comply with the notice. Rather, under Clause 17 they will be required to maintain the status quo so that law enforcement and intelligence agencies do not lose access to any data that they would have been able to access previously. The review process is an important safeguard, and that right of appeal will remain available to companies.

On Amendment 27, tabled by the noble Lord, Lord Fox, the Government have noted the strength of feeling from parliamentarians and industry regarding the current uncertainty over the timeframe for conducting a review of a notice. We have therefore tabled Amendments 26, 32 and 33 to Clause 17 to address that uncertainty and provide further clarity and assurances regarding the notice review process.

The existing powers within Sections 90 and 257 of the IPA do not give the Secretary of State the power to specify in regulations the time period within which a review of a notice must be completed. The Government are therefore introducing a new regulation-making power to enable the Secretary of State to specify in regulations the length of time the Secretary of State can take to reach a decision on the review of a notice upon receipt of the report by the judicial commissioner and the Technical Advisory Board, and the overall length of time that a review can take.

The amendments will also make provision for a judicial commissioner to issue directions to the Secretary of State and the person seeking the review, as they see fit, to ensure the effective management of the review process. That will give the judicial commissioner the power to issue directions to both parties, specifying the time period for providing their evidence or making representations, and the power to disregard any submissions outside those timelines. These amendments will provide operators the certainty they require regarding how long a review of a notice can last, and therefore how long the status quo must be maintained under Clause 17. They will also provide further clarity on the process and management of that review.

Specifying timelines will require an amendment to the existing regulations concerning the review of notices. The Government commit to holding a full public consultation before the amendment of those regulations and the laying of new regulations relating to Clause 20, which provides for the introduction of the notification notices. Representations received in response will be considered and used to inform both sets of regulations, which we have clarified in the Bill are subject to the affirmative procedure.

Amendment 35, tabled by the noble Lord, Lord Fox, seeks to specify in statute who the Secretary of State must consult before laying regulations relating to Clause 20 and the introduction of notification notices, and the factors that the Secretary of State must have regard to when making those regulations. I hope the commitment that I have just made to hold a full public consultation provides the necessary reassurance to the noble Lord that all relevant persons will be consulted before making the regulations, and that he will agree that is it unnecessarily prescriptive, and potentially restrictive, to put such details in the Bill.

Amendments 22, 25, 28 and 31, also tabled by the noble Lord, Lord Fox, seek to limit the extraterritoriality of Clause 17 and ensure that operators can make changes to their services and systems for users in other jurisdictions during a review. To be clear, the Bill as currently drafted means that companies can make changes to their services during a review. They could choose to roll out new technologies and services while the review is ongoing, including in other jurisdictions, so long as lawful access is built into them as required to maintain the status quo. Furthermore, the status quo will apply only to whichever of their systems and services are covered by the notice in question. Naturally, anything outside the scope of the notice is unaffected by the requirement. I also emphasise that the control of telecommunications systems used to provide telecommunications services in the UK does not stop at borders, and it is highly likely that any such arbitrary geographical limitations would in fact be unworkable in practice.

Amendments 23, 24 and 29 seek to raise the threshold with regard to relevant changes that an operator must not make during a review period to a change that would “substantially limit” their ability to maintain lawful access. This would not make the position any clearer as “substantially” is a subjective test. Moreover, it would constrain Clause 17 in a way that would fundamentally prevent it from achieving its objectives: to ensure that the same level of lawful access available before the notice was issued is maintained during a review period.

Lawful access provides critical data to law enforcement and intelligence agencies. Constraining access to data that was previously available, in a limited capacity or substantially, may seriously undermine investigations and the ability to protect our citizens. It is therefore vital that the status quo is maintained during the review period. It would also be difficult to define “substantially limit” without referring to a “negative effect on” a capability.

Amendments 36 to 38 to Clause 20, also spoken to by the noble Lord, Lord Fox, seek to raise the threshold and provide more proportionality. As I have emphasised on every occasion we have debated the Bill, necessity and proportionality constitute a critical safeguard that underpins the IPA. Authorisations are approved by an independent body and all warrants and notices must be approved by a judicial commissioner. There is considerable oversight of authorisations, meaning that the threshold is already high. Necessity and proportionality justifications are considered for every request for a notice, warrant or authorisation and, by extension, whether it is reasonable to issue that request to the operator. Once operators are in receipt of such a request, they are required to provide assistance. The proposed amendments are therefore not required.

Finally, government Amendment 34 is a consequential amendment necessitated by the introduction of Clause 19, which amends the functions of a judicial commissioner to include whether to approve the renewal of certain notices.

I am grateful to all noble Lords who have spoken in this debate—

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

If it would help, I am happy to write to the noble Lord with some sensible and practical scenarios because I do not think it is appropriate to make them up at the Dispatch Box, if that is acceptable.

I was just about to thank the noble Lord for the time he has taken to talk me through his concerns ahead of Report and at various other stages of the Bill on various other issues. However, I hope that I have provided reassurances through my comments at the Dispatch Box and the government amendments that we have tabled. I therefore invite the House to support these amendments and invite the noble Lord to withdraw Amendment 21 and not move the others he has tabled.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I offer my thanks to the noble Lords, Lord Anderson of Ipswich, Lord Fox, and Lord West of Spithead, and the noble and learned Lord, Lord Hope of Craighead, for their amendments and for the points that they have raised during this debate. I also thank the noble Lord, Lord Evans, for his perspective, and the noble Lord, Lord Carlile, for supporting the Government, which obviously I hope becomes a habit.

I have discussed the triple lock at length with noble Lords and many others in Parliament and across government. We are all in agreement that this is a matter of the utmost importance, and it is imperative that we ensure that the triple lock operates correctly. That means that the triple-lock process, when needed urgently, has the resilience to continue in the most exceptional circumstances, when the Prime Minister is genuinely unavailable, while ensuring that the alternative approvals process is tightly and appropriately defined.

On Amendment 40, I thank the noble Lord, Lord Anderson, for the valuable engagement he has taken part in with my ministerial colleagues, Home Office officials and me regarding this amendment. I take this opportunity to explain why the Government do not support this amendment. The expressed intention of the noble Lord’s amendment is twofold: first to tighten the requirement in the current clauses, which use the word “unavailable”; and, secondly, to introduce a potential provision for dealing with a conflict of interest, as one of the circumstances in which the alternative approvals process could be used.

There is certainly merit in limiting the circumstances in which the alternative approvals process may be used. However, the noble Lord’s amendment introduces the requirement for a judgment to be made on the Prime Minister’s ability to consider a warrant application, for any number of reasons, including conflict of interest. This raises a number of challenges.

The first challenge is that “unable” draws into the legislation the principle of ministerial conflict of interest. This poses a constitutional tension and a challenge to Cabinet hierarchy. The inclusion of “unable” would allow for someone other than the Prime Minister to decide whether the Prime Minister is subject to a conflict of interest in a particular scenario, which goes against clear constitutional principles regarding the Prime Minister’s powers. This would be a subjective decision on the Prime Minister’s ability, rather than an objective decision on his availability.

As such, rather than strengthening the current drafting, the amendment as proposed could be considered to constitute a watering down of the triple lock, in that it was always designed to be exercised by the Prime Minister. Someone else making a decision about whether the Prime Minister is able to make a decision, given they can be said to be available and therefore technically able to consider an application, risks the intention of the triple lock. As drafted, the original clauses require a binary decision to be made about whether the Prime Minister is available or not, whereas, in deciding whether the Prime Minister may have a conflict of interest, a judgment must be made which is not binary and therefore has much less legal clarity.

The noble Lord, Lord Anderson, asked me if it is right that the Government believe that it is proper for the Prime Minister to consider a warrant application relating to the Prime Minister’s own communications. The best answer I can give is that the Bill is intended not to tackle issues relating to Prime Ministerial conflicts of interest, but rather to improve the resilience of the warrantry process. Conflict of interest provisions and considerations relating to propriety and ethics are therefore not properly for consideration under this Bill. The Prime Minister is expected, as are all Ministers, to uphold the Nolan principles in public life. For these reasons, the Government cannot support this amendment.

The Government have, however, recognised the concerns expressed by Members of both Houses, and the seeming consensus that a more specific, higher bar should be set with relation to the circumstances in which the alternative approvals process may be used. This high bar is of particular importance because of the seriousness of using these capabilities against Members of relevant legislatures. We accept that we are not above the law and it is appropriate for it to be possible for us to be subject to properly authorised investigatory powers. However, it is right that the significance that this issue was given in the original drafting of the Investigatory Powers Act is respected, and the communications of our fellow representatives are properly safeguarded.

I therefore thank the noble Lord, Lord West of Spithead, for his amendments, and for the close engagement on this Bill which I, the Security Minister and my officials have had with the members and secretariat of the Intelligence and Security Committee. Following engagement with Members of both Houses on these amendments, it is clear that there is good consensus for these measures, and the Government will not be opposing them today. While they will reduce the flexibility of the current drafting somewhat, the Government agree that these amendments strike an important and delicate balance between providing the flexibility and resilience that the triple-lock process requires, while providing the legal clarity and specificity to allow for its effective use. The amendments will also provide further confidence to members of relevant legislatures, including those of this House, that the protection and safeguarding of their communications is of paramount importance.

I should note that the Government do not quite agree with the precise drafting of these amendments, and we expect to make some clarifications and improvements in the other place, particularly to the references to routine duties under Sections 19 and 102 of the Investigatory Powers Act 2016, but I am happy that we seem to have reached broad agreement today.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

Yes. The noble Lord, Lord Fox, says, “Don’t get too excited”, and he is right.

I now turn to the government amendment in this group, Amendment 46. This proposed new clause amends the Investigatory Powers Act’s bulk equipment interference regime to ensure that sensitive journalistic material gathered through bulk equipment interference is subject to increased safeguards. Currently, Section 195 of the IPA requires that the Investigatory Powers Commissioner be informed when a communication containing confidential journalistic material or sources of journalistic material, following its examination, is retained for any purpose other than its destruction.

This amendment introduces the need for independent prior approval before any confidential journalistic material or sources of journalistic material are selected, examined, and retained by the intelligence agencies. It also introduces an urgency process within the new requirement to ensure that requests for clearance to use certain criteria to select data for examination can be approved out of hours.

The Government recognise the importance of journalistic freedom and are therefore proactively increasing the safeguards already afforded to journalistic material within the IPA. In doing so, we are also bringing the IPA’s bulk equipment interference regime into alignment with bulk interception, which is being amended in the same way through the Investigatory Powers Act 2016 (Remedial) Order 2023; that is being considered in the other place today.

In wrapping up, I once again thank noble Lords for the constructive engagement we have had on the Bill, singling out in particular the noble Lords, Lord Anderson, Lord West, Lord Coaker and Lord Fox. With that, I hope that noble Lords will support the Government’s amendment.

Lord Sharpe of Epsom

- View Speech - Hansard -

Copy Link

- - Excerpts

That the Bill be now read a third time

The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, throughout the preparation and passage of the Bill, we have been working closely with each of the devolved Administrations. Most of the provisions are UK-wide and are reserved, as national security is a reserved matter. A small number of measures in Part 2 of the Bill, on oversight, engage the legislative consent process in the Scottish Parliament. Currently, the Scottish Parliament has not granted a legislative consent Motion, although I can confirm to noble Lords that the Scottish Government have lodged one. We are engaging constructively with officials, and I reassure noble Lords that the Government will continue with this engagement as the Bill is introduced into the House of Commons. I beg to move that this Bill be read a third time.

Lord Sharpe of Epsom

- Hansard -

Copy Link

- - Excerpts

That the Bill do now pass.

Lord Sharpe of Epsom (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I extend my gratitude to all noble Lords who have contributed to the Bill, both on the Floor of the House and outside. We all agree that this piece of legislation is both important and necessary. The targeted amendments that it will make to the Investigatory Powers Act 2016 will ensure that the UK’s intelligence services and law enforcement will continue to have the tools at their disposal to keep this country safe, while ensuring that these are used in a proportionate way which places privacy at its heart. As the Bill passed through this House, the valuable debate has shaped it into what it is now. I am pleased that the House was able to reach agreement on several areas of potential divergence and that we send the Bill to the other place in exceptional shape and with cross-party support.

I first correct the record on one small point I made in my speech on the second group of amendments in last Tuesday’s debate on Report. His Majesty’s Treasury is not an example of a public authority that already has the power to acquire communications data using a Part 3 request. Examples of public authorities which do have these powers include His Majesty’s Revenue & Customs and the Financial Conduct Authority, both of which perform a range of vital statutory functions using communications data.

Once more, I extend thanks particularly to the noble Lord, Lord Anderson of Ipswich, who has been crucial in shaping the Bill through his independent review of the Investigatory Powers Act and his contributions during the Bill’s passage. My thanks go also to the noble Lord, Lord West of Spithead, and his colleagues on the Intelligence and Security Committee. The input from him and his fellow committee members has been valuable and intended to improve the Bill. He has been ably and knowledgeably supported by the erstwhile chair of the committee, the noble Lord, Lord Murphy of Torfaen.

Similarly, I have valued the collaborative and serious way in which the Opposition Front Benches have engaged on matters of such importance, so I offer my thanks to the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their desire to scrutinise the Bill carefully and constructively.

I am much obliged to the support of other noble Lords who have contributed with such eloquence and expertise as the Bill has passed through this House. In particular, the noble Baroness, Lady Manningham-Buller, and the noble Lords, Lord Evans of Weardale and Lord Hogan-Howe, have all provided an invaluable perspective from their professional backgrounds. The noble Lord, Lord Carlile of Berriew, and the noble and learned Lord, Lord Hope of Craighead, both made a number of important and insightful interventions to help shape the debates and work towards practical solutions, for which I am grateful. My thanks go also to my noble friend Lord Gascoigne and his team in the Whips’ Office for their support as the Bill passed through this House.

I ask noble Lords to join me as I thank the policy officials and lawyers in the Home Office teams led by Lucy, Phoebe, Lucy, Hugh, Rob, Daphne and Becca, whose significant efforts have made this Bill happen. It is their hard work that has brought the Bill to this point. My thanks go also to the Bill team—Tom, Megan, Sophie, Emer and James—as well as Dan in my private office. I am also very grateful to Pete and Lucy, the expert drafters in the Office of the Parliamentary Counsel, for preparing the Bill and amendments during its passage.

Finally, I thank the intelligence agencies and law enforcement for their expert contribution to the Bill and for the work they do to keep this country safe day after day. The Bill will ensure that they continue to have the tools they need to carry out this task. We will all be the safer for it. We remain hugely grateful for their work.

As we send the Bill to the other place, it needs very little amending, save for some tidying up here and there. It is the first job of government to keep this country safe. The Bill helps us do just that.