(1 year ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
That the Bill be now read a second time.
My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.
The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.
Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.
It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.
But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.
I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.
This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.
Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.
Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.
I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.
While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.
Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.
The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.
Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.
In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.
The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.
Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.
The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.
Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.
Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.
Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.
Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.
The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.
The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.
Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.
I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.
My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.
The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.
I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.
I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.
For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.
The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.
On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.
In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.
Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.
These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.
The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.
The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.
On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.
None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.
These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.
The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.
On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.
On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.
The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.
I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.
Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.
Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.
The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.
On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.
The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that
“The safeguards contained within that Act are capable of preventing abuse”.
While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.
I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,
“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].
Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.
Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.
The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.
I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.
That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:
Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.
(11 months, 2 weeks ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.
I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.
Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.
In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.
The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.
Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.
Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which
“regard must be had to all the circumstances”.
The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.
The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.
The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.
On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.
All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.
If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.
Thank you; point taken.
Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.
In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.
I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.
I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.
The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.
The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.
Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.
The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.
Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.
My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.
Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?
I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.
I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.
Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.
The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.
The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.
I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.
As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.
The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.
The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.
The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.
My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.
In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.
I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?
My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.
The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.
Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.
(11 months, 2 weeks ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I support the points the noble Baroness, Lady Manningham-Buller, made about Amendment 50 regarding the revelation of whether someone who is in a legislature has been tapped. I do not think that is possible. I think it has all sorts of practical difficulties which she rightly outlined, and that situation is something that I could not in any way support.
I want to come back to the issue of “unable” or “unavailable” with regard to the Prime Minister. I think that it is right that it should be “unable”, because of the gravity of the business of tapping the phone of a Member of Parliament or a devolved legislature. I suspect that such a possibility is hugely remote; it might not happen for years and years. However, when it does happen, it is exceptionally serious, because you are not only depriving that Member of Parliament of liberty—you are in many ways saying that the person who has been elected by his or her constituents as a Member of Parliament or of the Senedd, or whatever it may be, is now in some doubt as a public representative. That is hugely serious, so the triple lock is important, but the word “unable” is more serious a word than “unavailable”, and I support changing the word in the Bill.
I also very much agree with the noble Lords, Lord West and Lord Coaker, about the nature of the Secretaries of State who should be the substitute for the Prime Minister if the Prime Minister was unable to perform his or her duty with regard to tapping the phone of a parliamentarian. I tapped phones for three or four years almost every day, except at weekends—occasionally at the weekend, but mainly on weekdays—and I took it very seriously. I knew that I was depriving someone of their liberty and privacy; generally speaking, they deserved to be deprived of their liberty because of the horrible things that they might do. Sometimes, although very rarely, I would not sign them, because I was not convinced of the argument put to me.
Someone who has the experience over the years of dealing with warrants has an idea of the nature of the act of signing the warrant and how important it is. It is not simply about reading it and putting your name at the bottom—you have to think about it very seriously. Your experience develops as time goes by. In fact, when I was unable or, more likely, unavailable to sign warrants as Northern Ireland Secretary—if I was on the beach somewhere in the Vendée, as I occasionally was—somebody else would sign the warrants that I would normally have signed. It was generally the noble Lord, Lord Blunkett, who was then the Home Secretary—and when he went on holiday somewhere, I signed his. The point about that was that, technically, almost every member of the Cabinet—because by then nearly every member was a Secretary of State—could have signed. But I knew, when the noble Lord, Lord Blunkett, signed mine, that he knew what he was doing—and vice versa, I hope. Therefore, there should be some way in which we designate Secretaries of State who are used to signing warrants to be a substitute for the Prime Minister.
The other issue, on which I shall conclude, is that the debate so far is evidence of why it is so important that the Intelligence and Security Committee puts its views to this House, through the noble Lord, Lord West, and that the committee should look carefully at these matters.
My Lords, I thank all noble Lords who have spoken in this debate, which was fascinating. I shall start by addressing the amendments and points raised on the circumstances in which the alternative approvals process would be used—that is, for urgent warrants when the Prime Minister is not available. First, it is worth reminding noble Lords that we have set out a non-exhaustive list of such circumstances in the draft excerpt of the relevant code of practice published last week. I shall come back to that in a moment.
I start with Amendments 44 and 51A, tabled by the noble Lord, Lord Anderson of Ipswich, and spoken to by the noble and learned Lord, Lord Hope of Craighead, which seek to widen the situations in which the alternative approvals process could be used to include situations where the Prime Minister is “unable” to consider a warrant—not only when they are “unavailable”. As the noble and learned Lord indicated, the amendments would extend the circumstances where the alternative approvals process could be utilised to expressly include instances where the Prime Minister has a conflict of interest in considering a warrant application.
I remind noble Lords that the Prime Minister, like all Ministers, is expected to maintain conduct in line with the Nolan principles in public life: selflessness, integrity, objectivity, accountability, openness, honesty, and leadership. When a Prime Minister has a conflict of interest in approving a warrant, due to any personal or professional connection to the subject of the warrant, they are expected to continue to act in the public interest. Therefore, in these situations, the Government consider that the alternative approvals process is not required.
When drafting the Bill, the Government considered at some length whether to make further provision for conflict of interest, along the lines of the noble Lord’s amendment, and concluded that they should not. The primary reason is that, in order for a conflict of interest provision to function, a Secretary of State or unelected official involved in the warrantry process would have to be granted the ability, in certain situations, to take from the Prime Minister a personal power given to them alone by Parliament. Unlike the provisions in Clause 21, which permit the Prime Minister to delegate their power to approve these warrants if they are unavailable, this would require a subjective decision to be made on whether the Prime Minister could, in theory, be judged able to approve the warrant. A conflict of interest provision would also have significant implications for Cabinet hierarchy and the constitution. This is because a Secretary of State or an unelected official would have to determine that the Prime Minister had a conflict in approving the warrant and was therefore “unable” to be made aware of the warrant request. It is for these reasons that the Government decided that a conflict of interest provision should not be included in the Bill.
I have referred to the draft code of practice, and the noble and learned Lord, Lord Hope of Craighead, referred to my letter. I can confirm that many of the words in that letter appear to have reappeared in the code. Paragraphs 5, 5.1 and 5.2 state that:
“Prime Ministerial unavailability should be understood to mean situations in which the Prime Minister is genuinely unavailable to consider the application. For example (non-exhaustive) … The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents … The Prime Minister is medically incapacitated and therefore unable to consider the warrant”.
I am very happy to share the code of practice further with all noble Lords, if they would like to see a copy.
I have noted that this conflict of interest provision is specifically not included in the similar Amendments 43 and 51, tabled by the noble Lord, Lord West, which seek to limit the circumstances in which the alternative approvals process can be used due to
“incapacity (ill-health) or lack of access to secure communications”.
As the code of practice sets out, these are two of the key scenarios for which the measure is required, but an amendment of this nature would not cater for unforeseeable events and would leave an unacceptable level of vulnerability in the system. Given that the aim is to increase the resilience of the process, these amendments feel opposite in intent. The moment that a circumstance arises in which the Prime Minister is unable, for a reason other than the two given, to authorise an urgent warrant application, the system would provide a blocker to the intelligence agencies being able to conduct their vital work, which is of course keeping parliamentarians and the public at large safe and secure. I therefore ask noble Lords not to press their amendments. However, I note the views expressed today and am very happy to continue discussions and to meet the noble and learned Lord, Lord Hope, and the noble Lord, Lord Anderson, again to discuss this further.
I turn to Amendments 48 and 53, also tabled by the noble Lord, Lord West. These would introduce a review by the Prime Minister of warrants authorised via the alternative approvals process for interception and equipment interference. Clauses 21 and 22 are set up in such a way that the Prime Minister’s power is afforded to the Secretary of State for the purposes of triple-locked warrantry in specific circumstances; in effect, they are acting as the Prime Minister for the purposes of the Act, not as a deputy. As such, including a requirement for the Prime Minister to review the decision after the fact would not provide additional meaningful oversight beyond that which is provided by the alternative approver on their behalf. The decisions made by the initial Secretary of State and the alternative approver would still be subject to review by the judicial commissioner, so would have already been subject to significant scrutiny. The Government therefore cannot support these amendments.
I turn to the issue of to whom the Prime Minister can delegate this process. Amendments 47 and 49, tabled by the noble Lord, Lord Coaker, and Amendments 46 and 52, tabled by the noble Lord, Lord West, all seek to limit the Secretaries of State whom the Prime Minister can designate as alternative approvers. Directing the actions of the current and any future Prime Minister by limiting the Secretaries of State to only those mentioned in statute is short-sighted, in that it does not consider potential changes to the machinery of government, as the noble Lord, Lord West, noted.
Furthermore, I invite noble Lords to consider the scenario where, for example, the Home Secretary has provided the initial approval for the application before it is considered as part of the alternative approvals process. The Home Secretary should not then consider the application on behalf of the Prime Minister; this is because it would remove a stage of scrutiny in the triple lock process. Additionally, given the potential for there to be concurrent overseas travel of the Prime Minister and at least one other relevant Secretary of State, limiting the process in this way could fail to provide the necessary resilience. While there should not be an unlimited number of designates, it is important that there are enough alternative approvers to be prepared for these scenarios.
I am anticipating the Minister sitting down shortly. I remind the Minister that I asked a specific question on directly elected regional mayors, their rise, and the role that they play in democracy, which is so different to when the IPA was originally conceived. The Minister may not have an answer now, but a written answer would be very helpful.
I am happy to acknowledge that the noble Lord is right: their powers have expanded, as have their influence and celebrity over the years. I do not have an answer now, but I will come back to the noble Lord on that.
The objective of these clauses is to provide greater resilience in the process. It is critical that we do not undermine this from the off. I therefore hope noble Lords feel reassured by the explanations given, and the information set out in the draft code of practice, which is the appropriate place to set out the detail of this alternative process.
May I say to the noble Lord that the answer he gave to me with respect to the Mail on Sunday story was a really good answer? I am seeking transparency, which we will come on to in the next set of amendments, where Ministers can provide it without compromising operational security, as the noble Baroness, Lady Manningham-Buller, rightly pointed out. The Minister went as far as he could to say that the story needs to be looked at, it raises particular issues and I can pursue those outside of the Chamber. That was an extremely helpful comment and shows what I am trying to get at with respect to transparency—rather than just dismissing it and saying we cannot talk about it. I am very grateful for the response and thought it was very helpful.
My Lords, I absolutely support what my noble friend has said. I was about to leap up and say that this should not be discussed in this forum because some of it is so sensitive. The Minister handled it extremely well, but we are getting quite close to the margins.
I thank both noble Lords for their thanks. I have forgotten where I was, but I had pretty much finished.
My Lords, I will speak to government Amendments 56, 59 and 60. As I set out in my letter to all noble Lords on 4 December, these small amendments will ensure that the legislation works effectively.
Government Amendment 56 amends Schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland and Scotland into a person’s death. This will create parity with existing provisions for coroners in England and Wales by putting relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland on the same footing as their counterparts in England and Wales. Where necessary in the interests of justice, intercepted materials can be considered in connection with their inquiry or inquest.
Government Amendments 59 and 60 will maintain the extent of the IPA 2016, as set out in Section 272 of that Act. They amend this existing power to ensure that the measures in the 2016 Act, as amended by this Bill, can be extended to the Isle of Man or the British Overseas Territories, thus ensuring consistency across the legislation. If the Government sought to extend any provision to the Isle of Man or any of the British Overseas Territories, this would require an Order in Council and the Government would, of course, consult the relevant Administrations well in advance. I ask noble Lords to support these amendments.
My Lords, I will speak to my Amendments 57 and 58. They are obviously probing amendments but may generate a little discussion because they are none the less important.
Let me begin by saying that I accept absolutely what the noble Baroness, Lady Manningham-Buller, said about the important of ensuring the secrecy of much of what our security services and others do. That is an important statement of principle, and it was reinforced by my noble friend Lord Murphy when he recounted, as far as he could, some of the responsibility he had in his posts, particularly as Secretary of State for Northern Ireland. It is important to establish that I accept that principle.
My Lords, I shall be brief. Just on the subject of suspicion, which I think I raised it, I was thinking—perhaps I did not articulate it well—that it was at the political-class level. It is not hard to construct a suspicious scenario where a Westminster-based Executive are hacking an Edinburgh-based politician—I am sure that suspicion would apply there. However, the noble Baroness is right about the public.
The amendment in the name of the noble Lord, Lord Coaker, is important, not because this sort of thing needs to go into primary legislation, but because his point around emphasising public understanding and support which has come out is really important. He picked out the fact that a number of officeholders have worked hard at generating a positive profile for the services, and for that they should be thanked and congratulated. I would add GCHQ, the public profile of which probably did not even exist a decade or so ago. I have several very sad friends who can hardly wait with excitement for the annual GCHQ quiz to arrive. Things like that essentially draw attention to the nature of the work that such organisations do. I laugh at those friends but then I cannot solve it and they can, so perhaps they are the winners there. Those sorts of things do not shed light and throw open the doors on the things the noble Baroness and others fear should not be public, but they create an ambience around those services which is important.
Nobody has mentioned the amendments in the name of the noble Lord, Lord Sharpe, which I guess is exactly what he wanted, and I have nothing to add to them either.
My Lords, I thank the Committee very much indeed for the points raised in this short debate, which eloquently explained the fine balance that needs to be struck in this area. As this is the last group, I take this opportunity to thank all the men and women in all the security services, who do so much to keep us safe.
It is nice to hear that the Committee reflects that sentiment.
I appreciate the sentiment behind the amendments in the name of the noble Lord, Lord Coaker, but the Government cannot accept them. He is right that public trust and confidence in public authorities’ use of investigatory powers is of course essential. The Investigatory Powers Commissioner, along with his judicial commissioners, fulfils that very important function, as does the Investigatory Powers Tribunal. The IPC provides independent, robust and transparent oversight of public authorities’ use of investigatory powers. The safeguards in the Act are world-leading in that regard. The IPT, meanwhile, provides for a redress mechanism for anyone who wishes to complain about the use of investigatory powers, even if they have no evidence of potential wrongdoing.
As the noble Lord is aware, the Investigatory Powers Commissioner is already required to produce an annual report, which is published and laid in Parliament. One of the purposes of this public report is to provide transparency around how the powers are used, any errors that have been reported on public authorities’ compliance with the legislation, and where he considers that improvements need to be made. Amendment 57 would not really provide meaningful or additional oversight over and above what is already in place, and would in many areas be duplicative.
On Amendment 58, the noble Lord, Lord Coaker, is seeking to introduce a similar requirement to that in the original Act, in that case requiring a report on the operation of the Act to be produced five years after it entered into force. That report was published by the Home Secretary in February this year and formed the basis for the Bill, along with the report from the noble Lord, Lord Anderson. As set out in the Home Secretary’s report—and noted by the noble Lord, Lord Anderson—it is the Government’s view that future legislative reform is likely to need to keep pace with advancements in technology and changes in global threats.
It is not necessarily helpful to put a time limit on when these updates should be made. The Bill makes urgent and targeted amendments to the IPA, and it is important that there is adequate time to implement those changes and assess over an appropriate period whether they are sufficient. As I said, the Government are well aware that future legislative reform is likely and, if I may channel my inner Ronan Keating, “Life is a rollercoaster”. I hope that my explanations have reassured the noble Lord, Lord Coaker, on the existing process in place and invite him to not press his amendment.
(10 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I thank the Minister for his continued engagement with us on all aspects of this important Bill. I would be grateful if he could pass that on to his officials as well. I wish the noble Baroness, Lady Manningham-Buller, well with her knee, and I hope she will soon be able to make do without the crutch.
I very much support what my noble friends Lord West and Lord Murphy said about the amendments moved by my noble friend Lord West regarding the ISC. I look forward to the Minister’s response. I will come to my amendments in a moment, but it goes to the heart of what many of us have been saying—that the Intelligence and Security Committee is extremely important. Part of the problem is that, when the Minister responds to us on these points, he often says, “Don’t worry: there’s ministerial oversight”. However, what my noble friends have talked about is that this is not the same as parliamentary oversight. There is an important distinction to be made. I hope that the Minister can respond to that.
I turn to the noble Lord, Lord Fox, and his amendments. Again, we thank the Government for the communication we have had regarding Amendments 1 and 7. As I have intimated before, we support the noble Lord, Lord Fox, on his Amendments 1 and 7. With the addition of the low/no datasets authorisation and third-party data warrants to the bulk personal datasets warrants regime, and the extension of powers that this represents, it seems appropriate that additional safeguards are put in place to ensure the judicial commissioner is informed as quickly as possible of the use of these urgent warrants. Importantly, that does not change how long the judicial commissioner has to consider the warrant, and to revoke access if necessary; it is just on the importance of notification as quickly as possible. If urgent powers, as the noble Baroness, Lady Manningham-Buller, has pointed to, need to be used, nobody is suggesting that they are not used; the suggestion is that the notification to the judicial commissioner should be made as soon as possible and, with respect to the amendment of the noble Lord, Lord Fox, within 24 hours.
I turn to my Amendment 47. This amendment aims to try to get the Minister to put some of this on the record, rather than to seek to divide the House on it. Amendment 47 seeks to ensure that the Government report on the potential impact of the Bill on the requirement to maintain data adequacy decisions from the EU. The adequacy agreement is dependent on the overall landscape of UK data protections. Although the UK protections are currently considered adequate, deviations from this under this legislation could put our current status at risk. Losing this designation would have serious consequences for digitally intensive sectors, such as telecommunications and financial services as well as tech services. In his response, could the Minister provide some reassurances on this particular aspect of the legislation and say whether any specific analysis has been done on the impacts of the Bill on the data adequacy agreement?
I turn to my Amendment 5, which, just for clarity, is a probing amendment but is extremely important. The Minister will know that I have raised this point again and again on various pieces of legislation over the last year or two. To be fair, the Minister has said that he will raise it with the appropriate people, and I am sure that he has done that—I am not questioning that at all. As the noble Lord, Lord Murphy, said, and the Intelligence and Security Committee said in its report of 5 December 2023—hence my Amendment 5 to probe this—no meeting between the Prime Minister of our country and the Intelligence and Security Committee has taken place since December 2014. I am pleased that we have the noble Lord, Lord Cameron, here—not present in the Chamber now, but here within your Lordships’ House—because he was the last Prime Minister that met with the committee. I find it absolutely astonishing that that is the case.
We are informed by the committee that many invitations have been made to various Prime Ministers to attend the Intelligence and Security Committee. I do not want to go on about this—well, I will to an extent—but it is incredibly important. I cannot believe—people say that it cannot be right, and I show them the report—that it has been 10 years since a Prime Minister has gone to the body, which has been set up by Parliament to ensure there is liaison between Parliament and the intelligence and security services. Obviously, matters can be discussed in that committee. Some of those cannot be discussed in the open, but that is one way in which it is held to account.
Can the Minister explain what on earth is going on? Why is it so difficult for the Prime Minister to meet the committee? I am not intending to push this amendment to a vote, as I say, and I am sure the Minister will try to explain again, but it is simply unacceptable that the Prime Minister of this country has not met the ISC for 10 years. For the first 20 years of its existence, and my noble friend Lord West will correct me if I am wrong, I think it was an annual occurrence that the Prime Minister met the ISC—my noble friend Lord Murphy is nodding—yet that has not happened since 2014. That is unacceptable, and my Amendment 5 seeks to ask the Minister what on earth we are going to do to try to get the Prime Minister to attend. I would not have thought that was too much to ask.
My Lords, I have listened with interest to the points made in this debate. As noble Lords will be aware, we have considered carefully the amendments that have been debated. I place on record my thanks to the noble Lords, Lord West, Lord Coaker and Lord Fox, for their constructive engagement in the run-up to today’s debate on these issues and various others that will be debated later today.
I turn first to the topic of oversight of the new Part 7A regime containing bulk personal datasets, BPDs, where there is low or no expectation of privacy. Alongside the proportionate set of safeguards set out in Part 7A, the Bill currently provides for executive political oversight and accountability by requiring the heads of the intelligence services to provide an annual report to the Secretary of State about Part 7A datasets. The intention of the report is to ensure that there is a statutory mechanism for political oversight, given that the Secretary of State will not have a role in Part 7A authorisations. That is set out in new Section 226DA in Clause 2 of the Bill.
The Investigatory Powers Commissioner will continue to provide full, independent and robust oversight of the investigatory powers regime, including this new part. Nevertheless, the Government have listened to the points made by noble Lords and colleagues in the other place, and we understand their concerns about increasing parliamentary oversight. Government Amendment 4 therefore recognises the important role of the ISC in providing parliamentary oversight of the intelligence services. It places a statutory obligation on the Secretary of State to provide the ISC with an annual report containing information about category authorisations granted under the Act during the year. The amendment will ensure that the ISC is proactively provided with information about the operation of Part 7A on an annual basis. That will support the ISC in continuing to fulfil its scrutiny role and will enhance the valuable parliamentary oversight the committee provides.
It is appropriate for the ISC to be privy to certain information relating to Part 7A in the exercise of its functions, and that a statutory obligation be placed on the Secretary of State to provide it. This obligation is intended to be consistent with the provisions set out in the Justice and Security Act, and due regard will be had to the memorandum of understanding between the Prime Minister and the ISC when meeting it. It is likely that Amendments 2 and 3, tabled by the noble Lord, Lord West of Spithead, which would require that the report provided to the Secretary of State be also shared with the ISC, would not be in step with that. The information required by the Secretary of State to fulfil their responsibilities in respect of the intelligence services will not necessarily be the same as that which would assist the ISC in performing its functions. The report will almost certainly contain information about live operations, which is outside the scope of the ISC’s remit, as well as other information that it may not be appropriate to share with the ISC and which the Secretary of State could properly withhold from the ISC were the ISC to request it.
For that reason, we think it more appropriate that a report be written to meet the ISC’s functions that the Secretary of State will send to the ISC. This will provide the additional parliamentary oversight the committee is seeking and would be akin to the existing arrangements in place for operational purposes.
I thank the Minister for giving way, because this is an extremely important point. He mentioned with respect to my Amendment 5 that somebody will formally reach out. Does that mean that the Prime Minister will formally reach out to the ISC and meet with it, so that we get a resolution to this non-meeting?
I cannot say whether or not that someone will be the Prime Minister at the moment.
As I said, the Government are clear that the MoU review is the correct forum to discuss relevant potential changes to the agreement between the Prime Minister and the ISC. But the Government do not believe a report of this kind is appropriate or necessary and do not support the amendment. The noble Lord, Lord Coaker, has already answered the question from the noble Lord, Lord Murphy, and all I can say from the Dispatch Box is that I will try again.
I turn to the second of the amendments from the noble Lord, Lord Coaker, Amendment 47, which would require the Government to publish a report assessing the potential impact of this legislation on the EU’s data adequacy decision. The Government are committed to maintaining their data adequacy decisions from the EU, which play a pivotal role in enabling trade and fighting crime. The Home Office worked closely with the Department for Science, Innovation and Technology when developing the proposals within this Bill to ensure that they would not adversely impact on the UK’s EU data adequacy decisions. As the European Commission has made clear, a third country is not required to have the same rules as the EU to be considered adequate. We maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood. Ultimately, the EU adequacy assessment of the UK is for the EU to decide, so the Government cannot support this amendment.
I turn to the amendments retabled by the noble Lord, Lord Fox, on urgency provisions for individual authorisations under Part 7A and third party dataset warrants under Part 7B. The Government remain opposed to these iterations of the amendments for the following reasons. Urgency provisions are found throughout the IPA and the Government’s approach is to mirror those provisions in the regimes in new Part 7A and new Part 7B. Making the proposed amendment solely for these parts would reduce consistency—as the noble Lord, Lord Fox, predicted—and ultimately risk operational confusion where there is no good reason to do so.
It will always be in the interests of the relevant intelligence service—as the noble Baroness, Lady Manningham- Buller, said; I add my comments to those of the noble Lord, Lord Coaker, about a speedy recovery—to notify a judicial commissioner of the granting of an urgent authorisation or the issuing of an urgent warrant as soon as is reasonably practicable. These urgent instruments are valid only for five working days. A judicial commissioner must review and decide whether to approve the decision to issue or grant the instrument within three working days. If the judicial commissioner refuses to approve the decision within that time, then the instrument will cease to have effect. It would be counter- intuitive for an intelligence service to make untimely notifications, as this increases the risk of the urgent authorisation or warrant timing out because the judicial commissioner is left without sufficient time to make a decision.
In an operational scenario where the urgency provisions are required, such as a threat to life or risk of serious harm, or an urgent intelligence-gathering opportunity, it may not be practical or possible for the intelligence services to ensure completion of paperwork within a 24-hour period, as the noble Baroness, Lady Manningham- Buller, explained rather more eloquently than I have done.
The intelligence services work closely with the Investigatory Powers Commissioner’s Office to ensure that the processes for reviewing decisions are timely and work for judicial commissioners. For those reasons, I ask that the noble Lord, Lord Fox, does not press his amendments.
This group also includes the two modest but worthwhile government amendments, Amendments 8 and 9. These make it clear beyond doubt that the new third party BPD regime will fall under the oversight of the Investigatory Powers Commissioner. The robust oversight that IPCO brings will ensure compliance, ensuring that robust safeguards are in place when information is examined by the intelligence services on third parties’ systems. I hope that noble Lords will welcome these amendments and support them.
My Lords, as a former member of the Intelligence and Security Committee, perhaps I may say how much I endorse what has been said by the noble Lords, Lord West and Lord Murphy, and welcome many elements in the—
My Lords, I will speak to the government amendments in this group, Amendments 10 to 14.
The Investigatory Powers Act contains world-leading oversight arrangements and safeguards that apply to the use of investigatory powers. The Bill strengthens these to ensure that the oversight regime is resilient and that the Investigatory Powers Commissioner is able to carry out his functions effectively. These government amendments are designed to maintain this approach, and to tighten the drafting in certain areas to ensure that the scope of the measures in Part 3, in respect of communications data, cannot be interpreted more broadly than is intended.
I will start with government Amendment 12, which will ensure that there is clarity for telecommunications operators regarding their obligations to report personal data breaches relating to warrants issued under the IPA. The proposed new clause will also make provision for such breaches to be reported to the Information Commissioner and the Investigatory Powers Commissioner. This amendment will also ensure that the Investigatory Powers Commissioner has the ability to notify an individual affected by the personal data breach, if it is deemed to be in the public interest to do so and if the Information Commissioner considers the breach to be serious. Such a notification will inform an individual of any rights that they may have to apply to a court or tribunal in relation to the breach. This important amendment will bring much-needed clarity in respect of how personal data breaches committed by tele- communications operators are regulated, and ensure that there is a clear statutory basis for the Information Commissioner and the Investigatory Powers Commissioner to be notified of certain personal data breaches.
I move on to government Amendments 10 and 11. Amendment 11 adds Scottish Ministers to the list of parties, at Clause 9(5), who are to be notified by the Investigatory Powers Commissioner of the appointment of a temporary judicial commissioner. This must be as soon as practicable after any temporary judicial commissioner has been appointed. This will ensure that Scottish Ministers are kept abreast of crucial developments in the investigatory powers oversight regime. A similar requirement already exists in the Bill, which requires the IPC to notify certain persons, including the Secretary of State and the Lord President of the Court of Session, of an appointment of a temporary judicial commissioner.
Government Amendment 10 to Clause 8 allows the Investigatory Powers Commissioner to delegate to deputy Investigatory Powers Commissioners the power to approve decisions following the review of a notice. This brings this function in line with the commissioner’s other functions in the Act with regards to delegation and, as with those powers, allows for delegation in only when the commissioner is unavailable or unable.
I turn now to government Amendments 13 and 14, both of which concern communications data, which I will refer to as CD. Government Amendment 13 clarifies the extent of Clause 11 to ensure that its scope is not wider than intended. Section 11 of the IPA creates the offence of acquiring CD from a telecommunications operator without lawful authority. Clause 11 seeks to carve out from the scope of Section 11 the sharing of CD between public authorities, where one of those authorities was a telecommunications operator.
This amendment to Clause 11 ensures that the public authority carve-out from the Section 11 IPA offence of acquiring CD without lawful authority does not go wider than intended. The new definition is based on the definition of public authority in the Procurement Act 2023. The previous definition was based on the definition of public authority in the Human Rights Act 1998. This latter definition could, in some circumstances, have created doubt over whether it included certain private sector telecommunications operators.
This amendment removes that doubt and clarifies that the public authority carve-out will apply only to telecommunications operators wholly or mainly funded by public funds—in other words, they are public authorities themselves. The IPA was designed to ensure that the acquisition of CD from private sector tele- communications operators for the statutory purposes set out in the Act was subject to independent oversight to safeguard against abuse. This amendment maintains this important safeguard in relation to private sector telecommunications operators.
I turn to government Amendment 14. It is critical that the legislation is absolutely clear on what constitutes CD and the lawful basis for its acquisition. Without this clarity, we risk placing CD that is crucial to investigators out of their reach. Government Amendment 14 therefore seeks to clarify that subscriber data used to identify an entity will be classed as CD.
This amendment is necessary as the existing Act creates a carve-out in the definition of CD to ensure that the content of a communication cannot be acquired under a Part 3 acquisition request. This reflects Parliament’s view during the initial passage of the IPA 2016 that the content of a communication is inherently more sensitive than the underpinning metadata: the “who”, “where”, “when”, “how” and “with whom” of a communication. Clause 12 amends the definition of CD in Section 261 of the Act to exclude certain types of data from the carve-out of content from the definition of CD. The effect of this is to include those data types within the definition of CD.
Government Amendment 14 restricts the effect of Clause 12 to ensure that it is not overly broad and cannot be applied to bring unintended, inappropriate types of data within the definition of CD. For example, the amendment will put beyond doubt that the content of recorded calls to contact centres or voicemails is not in scope of the amended CD definition and will not be accessible with an authorisation under Part 3 of the Act. The amendment to Section 261 does not affect the oversight function of the Investigatory Powers Commissioner’s Office, which continues to inspect and highlight any errors and provide prior independent authorisation for the acquisition of CD in most cases.
I hope I have convinced noble Lords of the necessity of these government amendments; I ask that they support them. I also hope that these amendments provide reassurance to noble Lords, ahead of the debate on this group, of the Government’s commitment to ensuring that the clauses in Part 3 are drafted as tightly as possible and with a proportionately narrow scope.
My Lords, we support the introduction of the Government’s amendments. I echo what the noble Lord, Lord Fox, said about the amendment in the name of the noble Lord, Lord Anderson, and I look forward to the Government’s response on that point.
I would also be interested to hear what the Government have to say about my noble friend Lord West’s amendments. He has taken a keen interest in this part of the Bill, and I hope the Government will be able to answer the questions, in particular on data disclosure powers, as I think they can give a more detailed response to the expansion of disclosure powers to regulatory bodies than was given in the original legislation. It is also very likely to be further analysed and looked at as the Bill moves down to the other end of the Corridor. Nevertheless, we support the amendments as they are currently.
My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.
As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.
Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.
Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.
In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.
These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.
Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.
The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.
I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.
Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.
Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.
I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.
The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.
The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.
As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.
Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.
I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.
I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.
In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.
As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.
My Lords, I thank the noble Lords, Lord Ponsonby and Lord Fox, for their remarks in this debate. I reassure the noble Lord, Lord Fox, that any cheek-blowing he witnessed was more a reflection of the previous marathon speech than a reflection on his amendments.
Amendment 21, moved by the noble Lord, Lord Fox, would require that the enforcement of data retention notices—DRNs—would apply only to UK recipients of those notices. DRNs and technical capability notices—TCNs—can be given to a person overseas, but only TCNs are currently enforceable overseas. Clause 16 seeks to amend Sections 95 and 97 of the IPA to allow the extraterritorial enforcement of DRNs in order to strengthen operational agility when addressing emerging technology, bringing them in line with TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence agencies need to access the communications data they need to, in the interests of national security and to tackle serious crime.
The Government therefore oppose Amendment 21 as it goes fundamentally against what the Government are seeking to achieve through Clause 16 and would not provide any additional clarity to telecommunications operators. As DRNs are already enforceable against UK recipients, there is no need to re-emphasise that in the Bill.
I turn to the amendments to Clause 17 concerning the notice review period. This clause is vital to ensure that operators do not make changes that would negatively impact existing lawful access while a notice is being comprehensively reviewed. Maintaining lawful access is critical to safeguard public safety, enabling law enforcement and the intelligence community to continue protecting citizens during the review period.
Let me be clear: operators will not be required to make changes during the review period to specifically comply with the notice. Rather, under Clause 17 they will be required to maintain the status quo so that law enforcement and intelligence agencies do not lose access to any data that they would have been able to access previously. The review process is an important safeguard, and that right of appeal will remain available to companies.
On Amendment 27, tabled by the noble Lord, Lord Fox, the Government have noted the strength of feeling from parliamentarians and industry regarding the current uncertainty over the timeframe for conducting a review of a notice. We have therefore tabled Amendments 26, 32 and 33 to Clause 17 to address that uncertainty and provide further clarity and assurances regarding the notice review process.
The existing powers within Sections 90 and 257 of the IPA do not give the Secretary of State the power to specify in regulations the time period within which a review of a notice must be completed. The Government are therefore introducing a new regulation-making power to enable the Secretary of State to specify in regulations the length of time the Secretary of State can take to reach a decision on the review of a notice upon receipt of the report by the judicial commissioner and the Technical Advisory Board, and the overall length of time that a review can take.
The amendments will also make provision for a judicial commissioner to issue directions to the Secretary of State and the person seeking the review, as they see fit, to ensure the effective management of the review process. That will give the judicial commissioner the power to issue directions to both parties, specifying the time period for providing their evidence or making representations, and the power to disregard any submissions outside those timelines. These amendments will provide operators the certainty they require regarding how long a review of a notice can last, and therefore how long the status quo must be maintained under Clause 17. They will also provide further clarity on the process and management of that review.
Specifying timelines will require an amendment to the existing regulations concerning the review of notices. The Government commit to holding a full public consultation before the amendment of those regulations and the laying of new regulations relating to Clause 20, which provides for the introduction of the notification notices. Representations received in response will be considered and used to inform both sets of regulations, which we have clarified in the Bill are subject to the affirmative procedure.
Amendment 35, tabled by the noble Lord, Lord Fox, seeks to specify in statute who the Secretary of State must consult before laying regulations relating to Clause 20 and the introduction of notification notices, and the factors that the Secretary of State must have regard to when making those regulations. I hope the commitment that I have just made to hold a full public consultation provides the necessary reassurance to the noble Lord that all relevant persons will be consulted before making the regulations, and that he will agree that is it unnecessarily prescriptive, and potentially restrictive, to put such details in the Bill.
Amendments 22, 25, 28 and 31, also tabled by the noble Lord, Lord Fox, seek to limit the extraterritoriality of Clause 17 and ensure that operators can make changes to their services and systems for users in other jurisdictions during a review. To be clear, the Bill as currently drafted means that companies can make changes to their services during a review. They could choose to roll out new technologies and services while the review is ongoing, including in other jurisdictions, so long as lawful access is built into them as required to maintain the status quo. Furthermore, the status quo will apply only to whichever of their systems and services are covered by the notice in question. Naturally, anything outside the scope of the notice is unaffected by the requirement. I also emphasise that the control of telecommunications systems used to provide telecommunications services in the UK does not stop at borders, and it is highly likely that any such arbitrary geographical limitations would in fact be unworkable in practice.
Amendments 23, 24 and 29 seek to raise the threshold with regard to relevant changes that an operator must not make during a review period to a change that would “substantially limit” their ability to maintain lawful access. This would not make the position any clearer as “substantially” is a subjective test. Moreover, it would constrain Clause 17 in a way that would fundamentally prevent it from achieving its objectives: to ensure that the same level of lawful access available before the notice was issued is maintained during a review period.
Lawful access provides critical data to law enforcement and intelligence agencies. Constraining access to data that was previously available, in a limited capacity or substantially, may seriously undermine investigations and the ability to protect our citizens. It is therefore vital that the status quo is maintained during the review period. It would also be difficult to define “substantially limit” without referring to a “negative effect on” a capability.
Amendments 36 to 38 to Clause 20, also spoken to by the noble Lord, Lord Fox, seek to raise the threshold and provide more proportionality. As I have emphasised on every occasion we have debated the Bill, necessity and proportionality constitute a critical safeguard that underpins the IPA. Authorisations are approved by an independent body and all warrants and notices must be approved by a judicial commissioner. There is considerable oversight of authorisations, meaning that the threshold is already high. Necessity and proportionality justifications are considered for every request for a notice, warrant or authorisation and, by extension, whether it is reasonable to issue that request to the operator. Once operators are in receipt of such a request, they are required to provide assistance. The proposed amendments are therefore not required.
Finally, government Amendment 34 is a consequential amendment necessitated by the introduction of Clause 19, which amends the functions of a judicial commissioner to include whether to approve the renewal of certain notices.
I am grateful to all noble Lords who have spoken in this debate—
Before the Minister sits down, winding back to the point about territoriality, he spoke of national boundaries as being arbitrary. It would help me to understand what kind of activity the Government envisage reaching across those boundaries, which he refers to as arbitrary; in other words, what would the Government be seeking to do extraterritorially?
If it would help, I am happy to write to the noble Lord with some sensible and practical scenarios because I do not think it is appropriate to make them up at the Dispatch Box, if that is acceptable.
I was just about to thank the noble Lord for the time he has taken to talk me through his concerns ahead of Report and at various other stages of the Bill on various other issues. However, I hope that I have provided reassurances through my comments at the Dispatch Box and the government amendments that we have tabled. I therefore invite the House to support these amendments and invite the noble Lord to withdraw Amendment 21 and not move the others he has tabled.
My Lords, I do not have much to add to the debate. From these Benches, we fully support the amendments proposed by the noble Lord, Lord West, and the excellent way in which he presented them. They have the support of the whole ISC, which in this respect has done a great service to us all in taking forward the discussion. These amendments certainly improve the Bill.
The point that the noble Lord, Lord West, made is exceptionally important—the fact that this has to be in the Bill, and that we need it to guide us in how we take this forward. For those who read our proceedings, it is important to repeat that what we are discussing here is the interception of communications of parliamentarians, and the fact that the triple lock was introduced to give additional protection to that. The role of the Prime Minister becomes crucial in that, for obvious reasons.
I join others in thanking the noble Lord, Lord Anderson, for the way in which he has presented his arguments, and the discussions and debates that have gone on in this Chamber and outside it. He has done a great service to all of us by tabling what seems on the face of it a simple amendment—simply changing one word, from “unavailable” to “unable”—but is actually of huge significance. We have concerns about it, which we have expressed in this Chamber and elsewhere— indeed, the noble Lord, Lord West, explained them. Notwithstanding the remarks of the noble Lord, Lord Carlile, and others, we are worried about where it takes us with respect to conflicts of interest, and who decides that there is a conflict of interest for the Prime Minister in circumstances in which the Prime Minister themself does not recognise that there is a conflict of interest. I agree with the noble Lord, Lord Anderson, and others, that there may be a need for this discussion to continue—but who decides whether the Prime Minister has a conflict of interest, if the Prime Minister themself does not recognise that, is an important discussion to have. In the end, the system rests on the integrity of the Prime Minister.
The way in which the ISC has tried to bring forward some conditions to what “unavailable” means is extremely important, and we support that, as indeed we support the amendments that try to ensure that those who take decisions are those various Secretaries of State who may be designated under the Bill to take decisions, should the Prime Minister be unavailable. It is extremely important for those Secretaries of State to have experience of the use of those warrants. Again, the amendments proposed by the noble Lord, Lord West, deal with that, and we are very happy to support them.
My Lords, I offer my thanks to the noble Lords, Lord Anderson of Ipswich, Lord Fox, and Lord West of Spithead, and the noble and learned Lord, Lord Hope of Craighead, for their amendments and for the points that they have raised during this debate. I also thank the noble Lord, Lord Evans, for his perspective, and the noble Lord, Lord Carlile, for supporting the Government, which obviously I hope becomes a habit.
I have discussed the triple lock at length with noble Lords and many others in Parliament and across government. We are all in agreement that this is a matter of the utmost importance, and it is imperative that we ensure that the triple lock operates correctly. That means that the triple-lock process, when needed urgently, has the resilience to continue in the most exceptional circumstances, when the Prime Minister is genuinely unavailable, while ensuring that the alternative approvals process is tightly and appropriately defined.
On Amendment 40, I thank the noble Lord, Lord Anderson, for the valuable engagement he has taken part in with my ministerial colleagues, Home Office officials and me regarding this amendment. I take this opportunity to explain why the Government do not support this amendment. The expressed intention of the noble Lord’s amendment is twofold: first to tighten the requirement in the current clauses, which use the word “unavailable”; and, secondly, to introduce a potential provision for dealing with a conflict of interest, as one of the circumstances in which the alternative approvals process could be used.
There is certainly merit in limiting the circumstances in which the alternative approvals process may be used. However, the noble Lord’s amendment introduces the requirement for a judgment to be made on the Prime Minister’s ability to consider a warrant application, for any number of reasons, including conflict of interest. This raises a number of challenges.
The first challenge is that “unable” draws into the legislation the principle of ministerial conflict of interest. This poses a constitutional tension and a challenge to Cabinet hierarchy. The inclusion of “unable” would allow for someone other than the Prime Minister to decide whether the Prime Minister is subject to a conflict of interest in a particular scenario, which goes against clear constitutional principles regarding the Prime Minister’s powers. This would be a subjective decision on the Prime Minister’s ability, rather than an objective decision on his availability.
As such, rather than strengthening the current drafting, the amendment as proposed could be considered to constitute a watering down of the triple lock, in that it was always designed to be exercised by the Prime Minister. Someone else making a decision about whether the Prime Minister is able to make a decision, given they can be said to be available and therefore technically able to consider an application, risks the intention of the triple lock. As drafted, the original clauses require a binary decision to be made about whether the Prime Minister is available or not, whereas, in deciding whether the Prime Minister may have a conflict of interest, a judgment must be made which is not binary and therefore has much less legal clarity.
The noble Lord, Lord Anderson, asked me if it is right that the Government believe that it is proper for the Prime Minister to consider a warrant application relating to the Prime Minister’s own communications. The best answer I can give is that the Bill is intended not to tackle issues relating to Prime Ministerial conflicts of interest, but rather to improve the resilience of the warrantry process. Conflict of interest provisions and considerations relating to propriety and ethics are therefore not properly for consideration under this Bill. The Prime Minister is expected, as are all Ministers, to uphold the Nolan principles in public life. For these reasons, the Government cannot support this amendment.
The Government have, however, recognised the concerns expressed by Members of both Houses, and the seeming consensus that a more specific, higher bar should be set with relation to the circumstances in which the alternative approvals process may be used. This high bar is of particular importance because of the seriousness of using these capabilities against Members of relevant legislatures. We accept that we are not above the law and it is appropriate for it to be possible for us to be subject to properly authorised investigatory powers. However, it is right that the significance that this issue was given in the original drafting of the Investigatory Powers Act is respected, and the communications of our fellow representatives are properly safeguarded.
I therefore thank the noble Lord, Lord West of Spithead, for his amendments, and for the close engagement on this Bill which I, the Security Minister and my officials have had with the members and secretariat of the Intelligence and Security Committee. Following engagement with Members of both Houses on these amendments, it is clear that there is good consensus for these measures, and the Government will not be opposing them today. While they will reduce the flexibility of the current drafting somewhat, the Government agree that these amendments strike an important and delicate balance between providing the flexibility and resilience that the triple-lock process requires, while providing the legal clarity and specificity to allow for its effective use. The amendments will also provide further confidence to members of relevant legislatures, including those of this House, that the protection and safeguarding of their communications is of paramount importance.
I should note that the Government do not quite agree with the precise drafting of these amendments, and we expect to make some clarifications and improvements in the other place, particularly to the references to routine duties under Sections 19 and 102 of the Investigatory Powers Act 2016, but I am happy that we seem to have reached broad agreement today.
I just want to be clear, as I have never had an amendment accepted in 14 years —is the Minister saying that the Government accept my Amendments 39 and 41?
Yes. The noble Lord, Lord Fox, says, “Don’t get too excited”, and he is right.
I now turn to the government amendment in this group, Amendment 46. This proposed new clause amends the Investigatory Powers Act’s bulk equipment interference regime to ensure that sensitive journalistic material gathered through bulk equipment interference is subject to increased safeguards. Currently, Section 195 of the IPA requires that the Investigatory Powers Commissioner be informed when a communication containing confidential journalistic material or sources of journalistic material, following its examination, is retained for any purpose other than its destruction.
This amendment introduces the need for independent prior approval before any confidential journalistic material or sources of journalistic material are selected, examined, and retained by the intelligence agencies. It also introduces an urgency process within the new requirement to ensure that requests for clearance to use certain criteria to select data for examination can be approved out of hours.
The Government recognise the importance of journalistic freedom and are therefore proactively increasing the safeguards already afforded to journalistic material within the IPA. In doing so, we are also bringing the IPA’s bulk equipment interference regime into alignment with bulk interception, which is being amended in the same way through the Investigatory Powers Act 2016 (Remedial) Order 2023; that is being considered in the other place today.
In wrapping up, I once again thank noble Lords for the constructive engagement we have had on the Bill, singling out in particular the noble Lords, Lord Anderson, Lord West, Lord Coaker and Lord Fox. With that, I hope that noble Lords will support the Government’s amendment.
If Amendment 39 is agreed to, I cannot call Amendment 40 by reason of pre-emption.
(9 months, 3 weeks ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, throughout the preparation and passage of the Bill, we have been working closely with each of the devolved Administrations. Most of the provisions are UK-wide and are reserved, as national security is a reserved matter. A small number of measures in Part 2 of the Bill, on oversight, engage the legislative consent process in the Scottish Parliament. Currently, the Scottish Parliament has not granted a legislative consent Motion, although I can confirm to noble Lords that the Scottish Government have lodged one. We are engaging constructively with officials, and I reassure noble Lords that the Government will continue with this engagement as the Bill is introduced into the House of Commons. I beg to move that this Bill be read a third time.
My Lords, I extend my gratitude to all noble Lords who have contributed to the Bill, both on the Floor of the House and outside. We all agree that this piece of legislation is both important and necessary. The targeted amendments that it will make to the Investigatory Powers Act 2016 will ensure that the UK’s intelligence services and law enforcement will continue to have the tools at their disposal to keep this country safe, while ensuring that these are used in a proportionate way which places privacy at its heart. As the Bill passed through this House, the valuable debate has shaped it into what it is now. I am pleased that the House was able to reach agreement on several areas of potential divergence and that we send the Bill to the other place in exceptional shape and with cross-party support.
I first correct the record on one small point I made in my speech on the second group of amendments in last Tuesday’s debate on Report. His Majesty’s Treasury is not an example of a public authority that already has the power to acquire communications data using a Part 3 request. Examples of public authorities which do have these powers include His Majesty’s Revenue & Customs and the Financial Conduct Authority, both of which perform a range of vital statutory functions using communications data.
Once more, I extend thanks particularly to the noble Lord, Lord Anderson of Ipswich, who has been crucial in shaping the Bill through his independent review of the Investigatory Powers Act and his contributions during the Bill’s passage. My thanks go also to the noble Lord, Lord West of Spithead, and his colleagues on the Intelligence and Security Committee. The input from him and his fellow committee members has been valuable and intended to improve the Bill. He has been ably and knowledgeably supported by the erstwhile chair of the committee, the noble Lord, Lord Murphy of Torfaen.
Similarly, I have valued the collaborative and serious way in which the Opposition Front Benches have engaged on matters of such importance, so I offer my thanks to the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their desire to scrutinise the Bill carefully and constructively.
I am much obliged to the support of other noble Lords who have contributed with such eloquence and expertise as the Bill has passed through this House. In particular, the noble Baroness, Lady Manningham-Buller, and the noble Lords, Lord Evans of Weardale and Lord Hogan-Howe, have all provided an invaluable perspective from their professional backgrounds. The noble Lord, Lord Carlile of Berriew, and the noble and learned Lord, Lord Hope of Craighead, both made a number of important and insightful interventions to help shape the debates and work towards practical solutions, for which I am grateful. My thanks go also to my noble friend Lord Gascoigne and his team in the Whips’ Office for their support as the Bill passed through this House.
I ask noble Lords to join me as I thank the policy officials and lawyers in the Home Office teams led by Lucy, Phoebe, Lucy, Hugh, Rob, Daphne and Becca, whose significant efforts have made this Bill happen. It is their hard work that has brought the Bill to this point. My thanks go also to the Bill team—Tom, Megan, Sophie, Emer and James—as well as Dan in my private office. I am also very grateful to Pete and Lucy, the expert drafters in the Office of the Parliamentary Counsel, for preparing the Bill and amendments during its passage.
Finally, I thank the intelligence agencies and law enforcement for their expert contribution to the Bill and for the work they do to keep this country safe day after day. The Bill will ensure that they continue to have the tools they need to carry out this task. We will all be the safer for it. We remain hugely grateful for their work.
As we send the Bill to the other place, it needs very little amending, save for some tidying up here and there. It is the first job of government to keep this country safe. The Bill helps us do just that.
My Lords, first, I thank the Minister and his team for the liaison and the work we did together to try to meet all our concerns about the Bill. I also thank him for giving me the excitement of my life in that I had an amendment accepted—for the first time in 14 years. That is a pretty good strike rate, is it not? I was pleased about that as well.
We on the ISC are very happy that the Bill is needed. However, as the Minister knows, we are still concerned that there is insufficient acceptance of the fact that parliamentary scrutiny is required by the ISC more broadly in this and a number of other areas. I am sure this will be brought up in the other place; otherwise, I am pleased that we have moved this Bill forward at pace.
(9 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move, That the Bill be now read a Second time.
The first duty of Government is to keep our citizens safe. The United Kingdom faces an enduring threat from terrorists, hostile actors and organised criminal groups, and that threat is evolving and becoming more sophisticated. It is not enough for us to keep pace with those who would do us harm; we must endeavour to get and then stay ahead of them. The investigatory powers are the legal powers available to law enforcement, the intelligence services, MI5, the Secret Intelligence Service, GCHQ and other public authorities where appropriate to obtain communications and data about communications.
The Investigatory Powers Act 2016 provides a clear legal framework for the use of those powers, combining world-leading safeguards and oversight with giving agencies the tools they need to protect us. There is a double lock for the most sensitive IPA powers, meaning that an independent judicial commissioner must approve a decision by the Secretary of State to issue a warrant under the IPA. The use of any of these powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The Investigatory Powers Tribunal provides a robust mechanism for providing redress in respect of any unlawful use of those powers.
The Home Secretary will be as aware as I am that very occasionally those in charge of our intelligence and security services do not act in the best traditions of this country in their offices, and I am thinking of cases such as Belhaj and Boudchar. Where people have been the victim of mistreatment—as a consequence of UK complicity with foreign powers, for example—should there not be a right for those people to have access to the information about that?
I listened carefully to the right hon. Gentleman’s point. I am not sure it is directly relevant to this matter, but I take on board the points that he makes. He will forgive me if I do not address them directly at this point; I want to consider them properly.
The IPA is sound legislation, but the nature of these threats has evolved since 2016, and we are confronted by greater global instability and technological advances, and they demand that we act. Terrorists, child abusers, organised criminals and malign actors from hostile states have exploited technological advances. Our job is to ensure that the UK’s investigatory powers framework remains fit for purpose. The changes that this Bill proposes were informed by the independent review of the IPA published by Lord Anderson of Ipswich in June 2023. The Bill received cross-party and Cross-Bench support as it passed through the other place. Every Government amendment was accepted, and I thank the members of the Intelligence and Security Committee of Parliament for the productive way they engaged with and helped to shape the Bill.
In particular, we have agreed to tighten the drafting of clauses 22 and 23 in line with amendments proposed by the Intelligence and Security Committee. Those changes put beyond doubt that the Prime Minister may delegate warrants for the purposes of obtaining communications of parliamentarians in two, and only two, exceptional circumstances: the personal incapacity of the Prime Minister and a lack of access to secure communications. There is also a limit of five Secretaries of State to whom this responsibility could be delegated in those circumstances. Further to that, in respect of new part 7A, parliamentary scrutiny will be enhanced through a statutory requirement for the Secretary of State annually to inform the Intelligence and Security Committee about the new regime for bulk personal datasets.
My right hon. Friend mentioned the ISC’s scrutiny of these matters. He will understand the concern about widening the number of people who can play the role previously played exclusively by the Prime Minister. I understand the reasons for that, but has he considered limiting that to those Secretaries of State who have warranting powers?
We looked at that. There is a balance to be struck, and actually the bulk of those Secretaries of State to whom the function could be delegated in those two exceptional circumstances do have warranting powers—I think the Secretary of State for Defence is the only one who does not. My right hon. Friend’s point is a fair one, but the scope of the Bill is not much greater than that.
As a member of the ISC, I welcome the Government’s acceptance of our recommendation. However, I would like to understand why they are not accepting our other, simple proposal: that when a delegation takes place, the Prime Minister would be informed about that afterwards.
I think it is inconceivable that the Prime Minister of the day would not be informed of the use of a delegated authority.
It is not about the Prime Minister not being informed about the delegation; it is about the Prime Minister looking at the case afterwards—they would not be second-guessing it, obviously, because it would already have been agreed. We suggested that, as a matter of course, the Prime Minister should be informed afterwards of the contents of that warrant. For some reason, the Government are resisting that. I cannot understand why.
I understood the point that the right hon. Gentleman was making—perhaps my answer was not clear—but I suggest that it is inconceivable that the Prime Minister would not routinely be informed of the exercise of this power. Ultimately, that is a level of granularity that would add complexity to the Bill without utility. But, as I have said, through the passage of the Bill thus far, we have listened carefully to the Committee’s suggestions, and although we may not always agree, I can reassure him, other members of the Committee and Members of the House that we will continue to act in listening mode in relation to the Committee’s suggestions.
On that point, will the Home Secretary give way?
I thank the Home Secretary for giving way. He mentioned listening to scrutiny by the ISC. The Joint Committee on Human Rights has issued a call for written evidence on the Bill, and as he will know from the human rights memorandum, the Bill raises important human rights issues relating to the rights to privacy and to freedom of expression, and possibly the right to an effective remedy. Will he therefore undertake to look closely at any correspondence that the Joint Committee might send him when we have completed our scrutiny of the Bill?
I reassure the hon. and learned Lady that we will do exactly that.
I turn to the measures in the Bill. We are creating a new regime for bulk personal datasets that have low or no expectation of privacy: for example, certain datasets that are widely publicly or commercially available. Bulk personal datasets are an essential tool to support our intelligence services in identifying fragments of intelligence within a large quantum of data, in order to disrupt threats such as terrorism and hostile state actors. The Bill seeks to create a new statutory oversight regime for how the intelligence services access and examine bulk personal datasets held by third parties. It will place that oversight on a statutory footing, increasing the transparency of the regime. The regime will be subject to strong safeguards, including the double lock.
We are also making changes to the notices regime that will help the UK anticipate and address the risk to public safety of companies rolling out technology that precludes lawful access to data. We want to work with those companies to achieve common goals, but we must have the tools available when collaboration falls short.
I know that the Home Secretary wants to make progress, but I am grateful for the opportunity to comment.
These reforms to the IPA are necessary to upgrade our world-class regime and ensure that our frameworks are kept up to date with evolving threats and, importantly, technology. We know that the terrorists, the serious organised criminals, the fraudsters and the online paedophiles all take advantage of the dark web and encrypted spaces: to plan their terror, to carry out their fraudulent activity and to cause devastating harm to innocent people such as children, in the field of online paedophilia. Does he share my concern and indeed frustration with companies such as Meta and Apple? The former has chosen to roll out end-to-end encryption without safeguards and the latter has rolled out advanced data protection, which will allow these bad actors to go dark, which will severely disable agencies and law enforcement from identifying them and taking action, and will enable—indeed it will facilitate—some of the worst atrocities that our brave men and women in law-enforcement agencies deal with every day.
My right hon. and learned Friend—and immediate predecessor—makes incredibly important points. Digital technology and online technology have been a liberator in so many ways, but, sadly, as has been the case with technology throughout time, it has also been used by those who would do people harm. Indeed, she mentioned in particular the harm done to children. We take that incredibly seriously. We value the important role of investigatory powers and will continue to work with technology companies—both those well established at the moment and those of the future—to maintain the balance between privacy and security, as we have always done, and ensure that these technology platforms do not provide a hiding place for terrorists, for serious criminals and those people taking part in child sexual exploitation.
The three types of notices under the existing IPA are data retention notices, technical capability notices and national security notices. Those notices must be both necessary and proportionate, and they are of course subject to the double lock. The Bill does not introduce any new powers for the acquisition of data. The changes are about ensuring that the system is up to date and remains robust. The Bill will create a notification notice allowing the Secretary of State to place specific companies under an obligation to inform him or her of proposed changes to their telecommunications services or systems that could have an impact on lawful access. This is not a blanket obligation, and it will be used only where necessary and proportionate, and then only on a case-by-case basis.
The notice does not give the Secretary of State any powers to veto or intervene in the roll-out of a product or services. It is intended to ensure that there is sufficient time for appropriate consideration of the operational impact of the proposed changes, and potentially for discussions with the company in question about them. The public, rightly, would want their representatives to know in advance if companies were proposing to do something that would put public safety at risk, and responsible companies will work with Governments to avoid endangering people, who are of course also their customers.
The Bill will also amend the IPA to require the company to ensure that existing lawful access is maintained. That means the company cannot legally take any action that would negatively affect the level of lawful access for our operational partners during the review period. In the other place, the Government tabled an amendment to allow a timeline for review of a notice to be specified in regulations. We also gave the judicial commissioner further powers for managing the review process. Taken together, they ensure that companies are clear on the length of time that a review can take, which reduces uncertainty for their business as well as providing greater clarity for the review process. In the other place, my noble colleague Lord Sharpe of Epsom also committed to a full public consultation before amending the existing regulations on the review of notices, and laying new regulations relating to the notification notices.
The Bill also clarifies the definition of a telecommun-ications operator, to make it clear that companies with complex corporate structures that provide or control telecommunications services and systems in the UK fall within the remit of the IPA. These changes do not directly relate to any particular technology, including end-to-end encryption, but are designed to ensure that companies are not able to unilaterally make design changes that compromise exceptional lawful access.
The Bill makes changes to the powers of public authorities to acquire communications data. Section 11 of the IPA made it an offence for a relevant person in a relevant public authority to knowingly or recklessly obtain communications data from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority outside the IPA, giving greater clarity to public authorities that they are not inadvertently committing an offence. Further targeted amendments will ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data. Further changes will allow bodies with regulatory functions to acquire communications data.
The Bill also creates a new condition for the use of internet connection records—ICRs—by the intelligence services and the National Crime Agency. The IPA currently requires certain thresholds to be met on the known element of an investigation, such as exactly when a website has been accessed. That limits the ability of operational partners to use the ICRs to detect previously unknown criminals, terrorists or state threat actors who are acting online. The proposed measure will allow greater detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access and service in use, and instead will allow these factors to be specified within the application.
I understand the use of the measure for the security services, but the Bill broadens the scope of how many people could be dragged into it. There is no judicial oversight of the Security Service or whoever is using it. The Bill states that the measure is for national security and economic wellbeing—that is a catch-all for quite a lot of things. Although the intent is right, there need to be some safeguards to prevent innocent people being dragged into that potentially broad measure.
I understand the right hon. Gentleman’s point. Innocent people’s data is often acquired in dataset capture, and it is always deleted. Economic wellbeing merely reflects the language that is used in other parts, for consistency across our various strands of work.
I thought we were here today to scrutinise the Bill. It should not be a chore for the Home Secretary to be asked questions. The definition of wellbeing could be quite broad. I understand the meaning of national security, as I think he does, and the House, but wellbeing could have quite a broad definition and I am not convinced that I have seen what it is. I am not sure that consistency with other legislation is a great argument for including it in this Bill.
The simple truth of the matter is that I disagree. In legislation of this nature, maintaining consistency of language with previous relevant legislation, including the Intelligence Services Act 1994, is incredibly important to clarity of intent. I recognise that the right hon. Gentleman has given thought to this, and we do not disregard his point, but we have thought through the importance of consistency of language, which is why we have maintained it.
A general listener to our proceedings might worry that the new powers could be used for fishing expeditions, rather than the very specific powers that they replace. Could the Home Secretary give some words of reassurance from the Dispatch Box that the broadening of bulk data collection without specific dates will not be used for fishing expeditions, which might affect the privacy of ordinary citizens who have done nothing wrong?
The hon. Lady makes an important point, but the powers could be applied to any bulk dataset collection, of which she knows there are many across Government. Provisions are in place to ensure that innocent people’s data is not held but deleted, and that our security services and other organisations that will utilise these powers always do so carefully and cautiously. There are relevant safeguards in place, as I have made reference to—the Investigatory Powers Commissioner and the tribunal—if there is wrongdoing. The proposals are put forward for a very specific reason. The Government have given thought to mission creep and broader expansion, and we feel that this is a modest extension that will give significantly greater protection to the British people.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) just said, we need to give confidence to the public that what we are rightly doing to protect ourselves has that level of security in it. There is no judicial oversight of internet connection records. If we are to give these powers to the Security Service—which I approve of—we should be able to say to the public that they are proportionate and that there is an independent process to ensure that they cannot be abused. Surely, judicial oversight throughout should be important.
The right hon. Gentleman specifically spoke about judicial oversight, but there is oversight—
There is oversight by the Secretary of State through the warrant process, and oversight of the whole process by the Investigatory Powers Commissioner. Through the Committee on which the right hon. Gentleman sits, there is oversight of the Secretary of State’s function.
I agree, and I support that oversight, even though this Government have not made our job on the ISC easy. Unless I am missing something, there is no judicial oversight of internet connection records in the Bill. If we want to give people confidence, that backstop of judicial oversight should be important.
As I said, I noticed that the right hon. Gentleman specifically said that there is no judicial oversight—
I am not disagreeing, but there is oversight. The Committee on which the right hon. Gentleman sits is part of that oversight process.
The Home Secretary has just touched on the importance of the oversight role of the ISC, particularly in relation to these additional provisions. I wonder whether he remembers the passing of the National Security Act 2023. During the final stages of that important piece of legislation, the Government tabled an amendment in lieu promising that they would progress a review of the memorandum of understanding within six months of the Act coming into force to ensure there was an updated and robust relationship between the ISC and the Government, and the Prime Minister in particular, the ISC having been unable to secure a meeting with the Prime Minister since 2014, remarkably. Given the nature of the ISC’s important role in these provisions, I wonder whether the Home Secretary could update us on that review.
That is not an element of this Bill. On a commitment for the Prime Minister to meet with the Committee, I will look at the details.
Will the Home Secretary give way?
I want to make progress to ensure that everyone who wishes to speak in this debate is able to do so, but I will give way to the right hon. Lady.
On that point, will the Home Secretary encourage the Prime Minister to go before the Intelligence and Security Committee at the soonest opportunity? My understanding is that that has not happened for 10 years.
I cannot make a commitment on the Prime Minister’s behalf. Members of the Committee will know that I appeared before the Committee in my previous role, and I think it is important that Government do make themselves available for this scrutiny. As I say, it would be inappropriate for me to demand of the Prime Minister attendance anywhere, but I will pass on the right hon. Lady’s point.
I will assist the Home Secretary with a little context. When I was a ranking member of the Intelligence and Security Committee between 2010 and 2015, it was a matter of routine that the Committee went to see the Prime Minister once a year, usually in the Cabinet Room. That stopped in 2014. Successive Prime Ministers have failed to reinstate it, although it must be said that the shortest-lived of them did offer to meet with the Committee, but sadly ceased to be Prime Minister before that became possible.
The lengths that some people will go to to avoid Committee scrutiny. I am trying to remember where I was; it has been such a long time since I looked down the page of this speech. All such applications must be necessary and proportionate and subject to independent authorisation or inspection.
The Bill will also strengthen safeguards for journalistic material within the Investigatory Powers Act’s bulk equipment interference regime, aligning it with changes to the bulk interception regime that are under way to ensure compliance with obligations under the Human Rights Act 1998. Prior judicial authorisation will be needed before material obtained through bulk equipment interference can be selected for examination using criteria where the purpose is to identify, or is highly likely to identify, confidential journalistic material or confirm a source of journalistic material. Prior judicial approval is also necessary before such material may be retained for purposes other than its destruction. The other measures in part 5 of the Bill will ensure that the resilience and protections of the regime are maintained and enhanced.
The Bill will also make improvements to support the Investigatory Powers Commissioner in effectively carrying out their role, ensuring that the world-leading oversight regime remains resilient, including powers to enable the IPC to appoint deputies, delegate some of their functions to judicial commissioners and the newly created deputies, and put certain functions on a statutory basis. The Bill will ensure there is a clearer statutory basis for reporting errors to the IPC.
I sense that the Home Secretary is coming to the end of his speech. We have mentioned parliamentarians and journalists, but I want to talk about another important group: trade unions. Some people fear that the Bill will open the door even further than its parent Bill on the surveillance of trade unions. Does the Home Secretary agree that there should be no place for the surveillance of trade unions in a democracy? If so, will he consider amendments to the Bill to ensure that that does not happen, including a redraft of clause 5?
I take the point that the hon. and learned Lady puts forward. There are a number of organisations not explicitly mentioned in the Bill where that argument could be made, and I am not sure it would necessarily be useful or right to list them all, but I will take on board the point she makes in good faith—genuinely.
The Bill will bring the Investigatory Powers Act up to date with the modern age, provide greater clarity, make the system more resilient and retain the world-leading safeguards of civil liberties and commercial integrity. Above all, the Bill will mean that the men and women who work so incredibly hard to keep us safe, often without recognition, have the tools they need to do so in the modern era. I therefore commend the Bill to the House.
I call the Opposition Front-Bench spokesperson.
My hon. and learned Friend will not be surprised to hear that I completely agree with her.
In fact, that brings me to the next point I want to raise in relation to clause 2. As well as putting in place what I struggle to see as being a reasonably operated assessment, the clause raises concerns in relation to consistency with data protection legislation and with human rights obligations. The factors to be taken into account when undertaking that really difficult assessment do not even expressly include the sensitivity of the data in question, which surely should be central to any question of processing. That is an inconsistency with existing data protection principles and laws, and I agree that the compatibility of such provisions with our human rights obligations is also surely highly dubious. Just because someone has shared personal data does not mean that they automatically lose their right to further protection around how that data is shared and processed, especially when it is sensitive personal data, as my hon. and learned Friend has just said.
The role of judicial commissioners in this area is even further diluted, reduced to reviewing by judicial review standards whether datasets do indeed relate to data where there can be low or no expectation of privacy. Frankly, that is not a safeguard at all. At the very least, their role needs to be strengthened when the Bill is considered in Committee. We also need to seek assurances around how the Bill will impact on the reporting of the retention and use of bulk personal datasets. If large numbers are retained under category authorisations, we may not know how many datasets are actually being gathered.
Let me turn to various aspects of part 4, on notices. Again there are some controversial provisions, particularly in clause 21 and the requirement on selected telecommunications operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively affect existing lawful access capabilities. That seems like an extraordinarily broad power, without anything remotely appropriate in terms of oversight and limitations. These powers are going to make the UK a real outlier. Essentially, the Secretary of State will be empowered to say to tech companies, “You are not allowed to improve your products without consulting us, so that we can still break in to access the data that we need and when we want it”. Despite what the Secretary of State says, taken together with other changes to review processes, such powers could easily be used to significantly delay, or de facto veto, updates to security, rendering everybody’s data more vulnerable to hacking by third-party actors.
That is simply incorrect, and I know that the hon. Gentleman would not wish to continue down a road that he knows to be incorrect. Let me just be very clear: this is a continuation of a power that was granted in 2016. The notice does not extend that power; it merely enables a conversation to begin with companies before any action is taken, to maintain an existing standard and not in fact to change it.
I am grateful for that clarification from the Minister, and we will of course engage further in this debate in Committee.
These concerns have been raised not just by me but by significant tech companies; this is not something that has come to me simply through perusing the Bill. The key question remains: why is there to be no proper oversight of these notices and notice powers by independent advance authorisation? Why is there not even the double lock that applies to other notices that can be served on communications providers under that Act? Surely that scrutiny should be carried out in advance. There are also lots of question marks around the expanded claims of international jurisdiction. How will potential conflicts of law be resolved, especially if a company subject to one of these notices that is contrary to its domestic laws cannot even say anything about it because it is bound to secrecy by this legislation? What are the prospects of other Governments copying what our Government are doing and seeking to replicate such provisions, and what would the impact of that be on UK companies?
Turning to internet connection records, the starting point is that we should remember that no other European Union or Five Eyes country permits the requiring of ICR generation or retention in relation to its own residents, so this was a hugely controversial development in the 2016 Act. As we have heard, ICRs can reveal huge amounts of deeply sensitive information about a person. For now, secret services can seek ICRs only when certain facts that are already known, such as the identity of a person connecting or the time and use of the connection, so that the retention is at least targeted in some way.
The risk in this Bill is that reasonable suspicion will no longer precede targeted surveillance. Instead, the Bill would seek to use ICRs for the discovery of new targets, which is a really significant jump and development. I can genuinely understand some of the reasons being offered for this change, and I am not unsympathetic to the case being made, but if these powers are not carefully circumscribed, they risk creating a big step towards mass surveillance and fishing exercises. We need to ask whether there are less invasive alternatives and whether these powers are therefore really necessary. Alternatively, we need to look again at the oversight mechanisms for the use of these powers.
We also have concerns about the Bill’s proposals in relation to the offence created by the 2016 Act, where relevant persons in a relevant public body knowingly or recklessly obtain communications data from a telecoms or postal operator without lawful authority. This Bill seeks to set out examples of what would amount to lawful authority, which is a laudable aim. However, there are real questions about whether some of the examples in clause 12 are not in fact redefining the concept of lawful authority. In particular, the assertion that there would be lawful authority simply because
“the communications data had been published before the relevant person obtained it”
is controversial. That is particularly so when
“‘published’ means make available to the public or a section of the public (whether or not on a commercial basis).”
As I said in relation to bulk personal datasets, limited publication is not authority for intrusive surveillance. Could a simple private message not amount to publication of comms data? The implications of this definition of lawful authority need very careful scrutiny indeed.
Finally, on the interception and hacking of parliamentarians, making provision for circumstances where the Prime Minister is unavailable to play his part in a triple lock seems sensible, but the fact that the issue of snooping on MPs and others is being revisited should trigger us all to rethink the whole scheme. Our role of representing our constituents, interrogating legislation and holding the Government to account should not be interfered with lightly. We should take the chance to consider post-surveillance notification of MPs who have been spied upon, by judicial commissioners, once investigations are completed. As matters stand at the moment, redress is almost impossible to obtain. We should also require that the investigatory power commissioners be informed every time these powers are used, so that there is transparency about how often this is happening. All other options should be on the table as well.
I started by thanking intelligence and law enforcement authorities and I am happy to do so again in closing, but our respect for them does not mean we should ever consider writing blank cheques or handing them whatever powers they ask for. They are not perfect. From time to time they exceed their powers and certain individuals abuse their lawful capabilities. The powers that they seek through this Bill are extremely invasive and broad in scope. There is a real danger that key provisions of the Bill will go beyond what is necessary and get the balance with privacy and human rights wrong. These provisions will need serious scrutiny and revision in Committee, and that is what we in the SNP will seek to secure.
Let me start by thanking our security services. I think I am now the longest-serving member of the ISC, and it is a privilege to work with them and scrutinise their work, as our Committee does. They do not get a great deal of publicity—for the right reasons—but when they do, it is sometimes not factual by any stretch of the imagination. They do an invaluable job, and in protecting our democracy, the threat that they face—that we all face—is changing, so the Investigatory Powers Act 2016 needs revising.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) said, the important point is that any new powers that we give the security services to act on our behalf should come with an equally balanced level of scrutiny and oversight. I see the scrutiny of our security as like a three-legged stool, with the Investigatory Powers Commissioner, the Investigatory Powers Tribunal, and the ISC. Well, actually, I would say that it is more like a two-and-a-half-legged stool, because the Home Secretary has done what most Ministers do; they say how wonderful the ISC is, how much they value our work, and that they want us fully involved—in passing this legislation, for example—but since 2017, when I first sat on the ISC, there has been a marked increase in lip service paid to it, as I think we see again in the Bill. As my right hon. Friend the Member for Normanton, Pontefract and Castleford (Yvette Cooper) said, we have not met the Prime Minister for 10 years—any of them; I think we had one who offered to come in the dying days of her Administration. We have taken evidence from the security services on the Bill, and I have to say that they are not the problem: it is the Government who are the problem all the time. That was the case with the National Security and Investment Act 2021. Frankly, it is an uphill struggle to get things changed in this Bill—changes that would not only improve the Bill, but make sense. One has just been highlighted by the Chairman of the ISC, the right hon. Member for New Forest East (Sir Julian Lewis).
On occasions, it is a bit like going round in circles. I will give an example. We have actually made one little advance in the other place, in terms of acceptance of the changes to do with the triple lock. Now, though, the sensible thing we are asking for—that it should be in the Bill that the Prime Minister should actually see those warrants—is being resisted as though it would somehow stop the world. I am sorry, but I do not think it would. I think the Government believe that they have to be seen to be resisting any changes. I like the Minister, but the passage of the National Security and Investment Act was a pretty dark day for the Government’s relationship with the ISC, because we had to fight tooth and nail to try to get anything changed in that Bill.
I think the Minister was, actually. I think he picked up the tail end of that Bill.
The ISC has looked at this issue in detail. We have taken evidence from the heads of the security services, and we want to be supportive of change, but we also want that important role of scrutiny and ensuring the public are protected from the occasions when things might go wrong. The other thing that struck me today is that, although the Home Secretary can read a good speech, I am not sure he had a great grasp of some of the detail of the Bill. All I ask of the Minister is to please take on board some of the things we are saying, so that we can make progress in Committee. They are not radical things that are going to upturn the Bill; they are things that will improve it. I suspect that in certain parts of the Government there is a hatred of the ISC, and the belief that we have to be resisted at all costs. That will lead to a poorer Bill, because the amendments we will be tabling would actually improve the Bill. Lord West also did a great job in the other place.
I now turn to clause 2 of the Bill, which introduces the bulk personal data regime. There is a worrying gap: oversight of what are deemed low or no privacy datasets added to category authorisations. At the moment, the system does not work, because things like the electoral register have to get special permission. That is silly, frankly, but we need to ensure that these provisions are scrutinised.
New part 7A of the Investigatory Powers Act 2016, introduced by clause 2, provides for a light-touch regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of that data is deemed to have low or no reasonable expectation of privacy. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) said, people are increasingly giving their personal data with little thought to how it is going to be used—not just by the intelligence services, but for commercial purposes. That needs looking at.
Approval of such a dataset will be sought either under a category authorisation, which encompasses a number of individual datasets that have a similar content and may be used for a similar purpose, or by individual authorisation, which covers a single dataset that does not fall neatly into a category authorisation or is subject to a complicating factor. For a category authorisation, a judicial commissioner will approve the overall description of the category authorisation before it can be used. A judicial commissioner will approve renewal of the authorisation after 12 months, and the relevant Secretary of State will receive retrospective annual reports on the use of category and individual authorisations.
However, as the Bill is currently drafted, this oversight is all retrospective. The problem is that what is missing is real-time or even near real-time oversight of changes. Under the present regime, once a category authorisation has been approved, the intelligence services have the ability to add individual datasets to that authorisation through internal processes alone. They examine the dataset without being subject to any political or judicial oversight, and they would be able to use those datasets for potentially a year without anybody being any the wiser.
We do not question why the security services need these powers, but there is potential for mission creep without any oversight of what is being authorised. We are not saying that these powers are not required; they are required. What we are really being asked to do is rely on the good faith of the intelligence services to use the powers in a certain way. I do not think that is strong enough, and no legislation should be solely dependent on good will. We also have to guard against—there are such occasions—situations when mistakes happen or people use powers for purposes that are not in the public interest.
It is important that we fill this 12-month gap, and the ISC thinks that the easiest and simplest way to change this process would be for the Investigatory Powers Commissioner to be notified when an individual bulk personal dataset is added by an agency to an existing authorisation. I understand that Lord Anderson of Ipswich, in his review of 2023, recommended a similar proposal. The argument from the Government—it is similar to what they have used throughout this Bill, as the Committee Chairman has remarked—is that that will be onerous in adding to the work of the intelligence services. Well, it would not, because it would simply mean sending a one-line email to the Investigatory Powers Commissioner containing the name and description of the bulk personal dataset as soon as reasonably practicable.
The decision would be approved internally and then sent to the Investigatory Powers Commissioner, so it is not actually asking for approval. It is just making sure that the Investigatory Powers Commissioner is aware of what is being added, and that the individuals taking such a decision realise that they must inform the Investigatory Powers Commissioner. That would obviously allow the Investigatory Powers Commissioner to look at trends in what is happening. Clearly, after the 12 months, they could look back, but they could also intervene if they thought something was not in touch.
An argument the Government use quite often about this Bill is that it is to have a light-touch approach, and I think this suggestion is for a light-touch approach. I do not know what is onerous about the security services sending an email to the Investigatory Powers Commissioner. I think it would ensure the oversight that is needed. Real-time oversight is what we are suggesting, and I do not think it would add to the administration of the security services, but it would lead to the Investigatory Powers Commissioner at least having some visibility on another layer at which decisions are taken.
The proposal would be a very simple thing to do, and I do not understand why the Government are resisting it. I suggest they are resisting it for the many reasons they have resisted some of the other sensible things we have put forward: just because they want to do that. I do not know how we go forward with the relationship between this present Government and the ISC. Dragging information out of them screaming and kicking is taking a long time, even though we have a legal duty to get information, and the critical point now is the starvation of resources from the Committee which is creating real problems in the way that it can operate.
I hope that things change and that when we table amendments we will not get the usual response that amendments to this type of legislation should only be done in the Lords. Are we here to cause trouble for the security services? No, we are not; we want to ensure we do our job, which is set out in statute, to supervise the security services and improve the powers, but to ensure that the public have the recognised safeguards we should expect in a democracy such as ours.
I thank hon. and right hon. Members from across the House for their contributions not just today, but throughout the many different stages of the Bill. I pay huge tribute to the Members of the other place who have contributed enormously, in particular Lord Anderson, who has been an exceptional asset to the passage of the Bill and the condition it is in, and Lord West who, as a member of the Intelligence and Security Committee, not only shepherded some extremely important amendments into the Bill, but was kind enough to say that it was the first time in 14 years that he had ever had an amendment accepted by the Government. I am delighted to say that it was to this Bill. It was because we are so committed to working with all parts of both Houses and with the ISC that we got so much through in the other place. [Interruption.] That said, many comments will no doubt be raised in this House. I can assure hon. Members, especially the right hon. Member for North Durham (Mr Jones), that I will approach all suggestions in the way that I have done to date. Where we may not agree—it may not be that he is right, or that I am right—it will be for good reason and I will set out my reasons in the appropriate way.
The Bill is about one fundamental thing: the security of the British people. We rightly heard from my hon. Friend the Member for Broxbourne (Sir Charles Walker) about the nature of freedom, but the truth is that freedom without security is impossible. It is a chimera. The Bill is about ensuring that the British people have the security to enable that freedom. That is an absolutely vital responsibility not just of this Government, but of this House and the other place. I am grateful for the work that the hon. Member for Barnsley Central (Dan Jarvis) and the shadow Home Secretary, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper) have put in to ensure the co-operative, bipartisan and open approach to the Bill, as is merited by the work of our fantastic intelligence services to provide security for our whole country.
As the British public would expect, we keep our approach to national security under constant review. Where we identify the need for change or improvement, we will not hesitate to act. That is why we have brought forward the Bill, which acts on the findings of the Home Secretary’s report and Lord Anderson’s independent review into the Investigatory Powers Act 2016. Hon. and right hon. Members will not need me to rehearse the arguments, but we have seen an extraordinary, rapid evolution in the nature of the threats since the 2016 Act: Russia’s threat to the whole of Europe and not just to Ukraine; the violence that Iran is trying to bring not just in the middle east but even on to our own shores; and the way technology has enabled hostile states not only to steal our technology but to introduce intelligence-gathering platforms into our country through the guise of car sales.
We have seen a change in the way technology works and a change in the nature of the threats, and we must keep up to date with those changes. That is why this work is so important. It is essential that the United Kingdom’s investigatory powers framework remains fit for purpose to help our intelligence agencies detect and stop some of the most serious threats posed to the UK and its citizens, including threats from terrorism, state threats, and child sexual abuse and exploitation.
Because these are exceptional powers, Members have rightly pointed out that they require appropriate, robust and, in this case, world-leading safeguards, and that is what we have sought to set out. The changes in the Bill are relatively narrow in scope, but unless we make them now, the ability of our agencies to tackle evolving threats will be increasingly constrained in the face of global instability, technological advances and state hostility, so now is the time to act.
Let me now deal with some of the points that have been raised. The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) raised a rather interesting point about the changes to “lawful authority” in clause 12 in respect of published data. The purpose of new subsection (3A) is for material that has already been published not to require additional authority for its disclosure by a telecommunications operator to a relevant public authority. The definition of “publish” and reference to “a section of the public” would not include private messages unless they had been made public in some other way—just as our sitting room could not be considered a public place unless we opened it up to the public. It would be our choice, and nothing to do with the nature of the building.
The hon. and learned Member for Edinburgh South West (Joanna Cherry), who has made important contributions through her chairmanship of the Joint Committee on Human Rights, raised questions about the transparency safeguards in the 2016 Act. Those extremely robust safeguards are centred on considerations relating to intrusion into privacy, and that will remain the case in the Bill. They include a requirement for investigatory powers to be used in a “necessary and proportionate” way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal.
My right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes) contributed in his usual robust fashion to the debate—and, I should add, to the session that I was fortunate enough to have with the Intelligence and Security Committee, in which he was enormously helpful in assisting me with some changes to the Bill. He spoke about the five individuals who could be designated by the Prime Minister, and asked why we had not referred specifically to “those with warranting powers”. It is possible that a Minister with warranting powers who had that experience would then be moved to another Department, or indeed that the machinery of government change would alter the nature of the oversight. While we felt that it was right to limit the number to as few as possible, we also felt that it was right to have a relevant selection, which is why we left the number at five—after some very good consultation with the ISC, for which I am extremely grateful to my right hon. Friend the Member for New Forest East (Sir Julian Lewis) .
My right hon. Friend has been immensely generous both in giving way and in his earlier comments about my role. Will he briefly deal with the issue of the other bodies with the regulatory function who can compel the release of communications data? As he will remember, the point I made was that the existing law obliges them to take further procedural steps before they do so. Why is that no longer deemed appropriate?
As my right hon. Friend will know, several powers in the earlier Bill—the one that he took through the House—were indeed overseen in various different ways. The Bill does not seek to undermine any of that oversight; what it seeks to do is clarify, in certain areas, where it is necessary. My right hon. Friend has highlighted individual agencies or bodies, and I should be happy to write to him to ensure he is aware of exactly where that is being covered.
The right hon. Member for North Durham spoke about prior judicial authorisation for ICRs. The purpose of the Bill is to try to streamline operations for the intelligence services in areas where the risk is of, as we are calling it, low or no expectation of privacy. He will have seen in the Bill what the expectation means, including areas where information has already been readily made public. I accept his commentary and I would be happy to enter into further conversations with him, but the reason we are not currently going down that route is simply that the existing law, the IPA 2016, allows the collection of bulk data with prior authorisation. This is intended to speed the process up. If we put in the measures he is referring to, we would effectively remain in the same place that we are now. That would make it harder for the volume of data that is now coming to be considered by the intelligence agencies. That is why we have made the provision for a subsequent approval rather than a prior approval. He is right to say that it involves a maximum of a year, although I think it unlikely that it would go to that maximum. That will be in cases where this is low or no expectation of privacy—after it has already been agreed by a judge to be in the correct category. I think the right hon. Gentleman might be looking at this through the other end of the telescope.
What the Minister has to realise is that the big concern from the public—although let’s be honest, the public are not looking at the detail of this—is that somehow the security services will be getting access to huge amounts of bulk data and just having a free run at it. All that I and the Committee are suggesting is that an email should be sent when there are changes to the Investigatory Powers Commissioner. That would be a simple thing. It would not be onerous, and it would reinforce the point that there was at least some potential oversight of the process.
I think we may be conflating different aspects of the Bill. I do believe that this already has oversight.
Let me answer the point raised by my hon. Friend the Member for Broxbourne, which touches on a similar area. Where people have the right to and expectation of privacy and freedom, this provision does not remove that right. What it does is allow the intelligence agencies to use bulk data to target an individual at a particular point, and the excess collected information will not be able to be used for targeting an individual without the warrant process that would be expected for any initial search. In that sense, this is not undermining anybody’s privacy; it is allowing for the fact that information is now largely in bulk format. The hon. Member for Barnsley Central was talking about steaming open envelopes. It is impossible to steam open a single envelope today; one has to steam open thousands because that is how data comes. Without an amendment such as that set out in the Bill, we would simply be interrupting the work of the intelligence services to the degree that it would hold them back and make the process harder, but I would be happy to take this up with my hon. Friend the Member for Broxbourne later if he wishes.
I thank the hon. Member for Halifax (Holly Lynch), who was here earlier and made an interesting point about the various ways in which the memorandum of understanding should be looked at through the National Security Act 2023. Friends of mine will know my thoughts on that and know that I gave the Conservative party the chance to allow me to change that 10-year absence, but the Conservative party chose somebody else to make that decision so I have sadly lost the ability to have that influence.
My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) made a typically insightful speech and typically sensible comments on the ways in which we must consider how the authorisation must not be used to mount general surveillance. Condition D will be used only when an applicant makes a clear and compelling case, based on tangible, reliable intelligence leads, information and analysis, that the resulting data will identify parties involved in a relevant serious crime or national security-related specified operation or investigation. The applicant must explain any anticipated collateral intrusion, and how this will be managed to ensure that the application is necessary and proportionate to the outcomes of the investigation.
I accept what my right hon. Friend says but, in the context I described, the case is being made to someone else within the intelligence agency. There are, of course, two types of authorisation—D1 and D2—and we are worried about D2, under which the application is made from inside the intelligence agency to inside the intelligence agency. That does not present the sort of external scrutiny that we suggest is necessary.
My right hon. and learned Friend is right, but he also knows that IPCO has retrospective oversight of these areas. Where it comes under a category allocation through “low or no”, there is an automatic review period within a year. Although he is correct that the application is made within the service, it is within the service subject to a pre-agreed condition and with follow-up oversight, so as to enable that speedy response.
On a different but not unrelated point, the Minister will recall that I referred to the annual report given to the Secretary of State detailing the individual bulk personal datasets that had been retained and examined. There is no extra work involved in letting the ISC and IPCO see that report. The only possible justifiable exclusion would be something that, at the time of the report, was still current. Is there any reason at all why IPCO and the ISC should not be sent that report, rather than a severely watered-down version?
My right hon. Friend answers his own question. The reason for the difference is the currency element.
In that case, we can reach agreement if the Minister would like to give us an assurance that the only difference between the two reports will be the exclusion of matters that are current at the time of drawing up the report, but I suspect that there will be many other differences between the two reports.
I will be very happy to talk to my right hon. Friend about that to make sure that he is satisfied. It is important that we make sure that the reports that go to the House—through the ISC, because of the nature of the reports—are relevant and allow appropriate scrutiny. I think we can all agree with that.
I have covered the points raised by my hon. Friend the Member for Broxbourne, so I will turn to the hon. Member for Strangford (Jim Shannon), who made an extremely important point: that his constituents, like any other citizens of the United Kingdom, should expect the right to privacy. He also made a compelling point about the need for security, and I think the Bill strikes that balance extremely carefully. He is right to say that people will be concerned, and he is not alone. I am also concerned that we maintain the right to privacy within our legislative framework, which is why we checked very carefully that the Bill is fully compliant with the ECHR right to a private life. It is also why we looked at the various exceptions.
The hon. Member for Barnsley Central mentioned the notices regime, and he is right that we will keep it under review. We maintain a regular conversation with companies that have an interest in this area, and he is right to say that there is an overseas element. I merely point out that it is the role of this House to legislate for the security of the British people and, in particular, for the safety of our children and families. Such security is not something we can outsource to tech firms on the west coast. We sometimes have a responsibility to pass extraterritorial laws—as he knows very well, we have done that in the past—so although this measure adds to that ability, it is not detrimental because it asks people to maintain their current position before making any changes and to talk to us during that period. There is no requirement to break any policies, change products or introduce new products; it is merely to maintain the status quo, so that we have the same ability to keep the British people safe until we have had a conversation about how that status quo should change.
Finally, the hon. Member for Barnsley Central raised a question about trades unions. He is right that there are many different professions where protected characteristics could come into play, including lawyers, doctors and psychiatrists, and where any such intrusive power should be used with exceptional caution. I would just say that, due to the nature of this place and Parliaments around the United Kingdom, the position of parliamentarian is particular, which is why it is set out specifically and separately in the Bill. That does not mean that any attitude against any other individual should be used cavalierly. It is not a question of the role or the post the person holds, but their rights as a British citizen. Those rights should be absolutely guarded from intrusion or aggression by the state without exceptionally good reason. This amendment, which the hon. Gentleman is kindly supporting, sets out that balance between British citizens’ right to privacy and their right to security. With that, I commend the Bill to the House.
Question put and agreed to.
Bill accordingly read a Second time.
Investigatory Powers (Amendment) Bill [Lords] (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),That the following provisions shall apply to the Investigatory Powers (Amendment) Bill [Lords]:
Committal
(1) The Bill shall be committed to a Public Bill Committee. Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 12 March 2024.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.
Other proceedings
(7)Any other proceedings on the Bill may be programmed.—(Mark Fletcher.)
Question agreed to.
Investigatory Powers (Amendment) Bill [Lords] (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Investigatory Powers (Amendment) Bill [Lords], it is expedient to authorise the payment out of money provided by Parliament of:
(a) any expenditure incurred under or by virtue of the Act by the Secretary of State or a government department, and
(b) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Mark Fletcher.)
Question agreed to.
(8 months, 2 weeks ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
Copies of written evidence received by the Committee will be made available in the Committee Room, and will be circulated to Members by email.
We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room; this shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when they come to the clause to which the amendment relates. Decisions on new clauses will be taken once we have completed consideration of the existing clauses of that Bill. Members wishing to press a grouped amendment or new clause to a Division should indicate when speaking to it that they wish to do so.
Clause 1
Requirement for authorisation
Question proposed, That the clause stand part of the Bill.
It is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.
Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.
The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.
It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Low or no reasonable expectation of privacy
I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”
This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.
That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.
The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?
That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly ways at each moment of influence and each moment of power, but everything is covered.
I am interested in the Minister’s example of the Panama papers. As he rightly says, when those papers were originally held by a bank or a financial institution, there would be an expectation of privacy. However, he is alluding to where they are sourced from. Those papers have been freely circulating on the open internet and anyone can download them, and it is at that point that the low or no expectation would come in. Rather than the nature of the document itself, it is the fact that it is easily available online that matters.
My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.
It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.
In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.
The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation —a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.
I have nothing further to add, other than to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 2 ordered to stand part of the Bill.
Clause 3
Duration of bulk personal dataset warrants
Question proposed, That the clause stand part of the Bill.
We are making sufficient progress, which perhaps permits me to say a word about why, as we have now dealt with those publicly contentious matters around bulk powers, we can move to the next part of the Bill with greater confidence. The Minister has been crystal clear that he—like me, the right hon. Member for North Durham and other members of this Committee—understands fully the important role of oversight and checks and balances. Those checks and balances are multidimensional because of the role of both those elected to this House and the judiciary. I know he will want to expand on that a little as we come to the next part of the Bill.
I thank my right hon. Friend. Clause 3 amends the duration of bulk personal dataset warrants under section 213 of the IPA from six to 12 months. BPDs tend to be used to support long-term strategic intelligence activities, and a longer warrant duration will enable the value of the BPD to be better demonstrated, which will provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality when an application for renewal is made. The existing part 7 safeguards will remain in place, including the double lock by the judicial commissioner.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Third party bulk personal datasets
I beg to move amendment 16, in clause 5, page 14, line 34, at end insert—
“(4) A third party BPD warrant may not authorise the examination of a dataset consisting of the contents of the marked electoral register.”
This amendment would prevent a third-party bulk personal dataset consisting of the electoral register, which sets out whether people have voted, from being examined by the intelligence services.
I thank hon. Members for their points. The examination of third-party bulk personal datasets by the intelligence services is vital to their role of protecting the national security and economic wellbeing of the United Kingdom and preventing and detecting serious crime.
Clause 5 places an explicit statutory regime around the intelligence services’ examination, in situ, of bulk datasets held by third parties. The regime would apply only to the intelligence services, in line with the wider part 7 BPD powers in the IPA. The clause puts in place robust oversight and safeguards. For example, third-part dataset warrants are to be subject to a double lock, and the decision to authorise the warrant will need to be approved by both the Secretary of State and an independent judicial commissioner. The Investigatory Powers Commissioner and his office will oversee the regime to ensure the intelligence services’ examination of third-party datasets is both necessary and proportionate. That relates to the point made by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East about proportionality and need.
To answer the point made by the hon. Member for Barnsley Central, we do not consider it appropriate to exclude specific types of dataset from those for which a third-party dataset warrant can be sought. The reason is, as he knows, that we can begin to go down very tricky routes on this area, as the intelligence services have a requirement to keep safe not just our democracy but our wider nation. Therefore, limiting those different arguments can be problematic. What we are aiming to do is ensure the proportionality requirement is the test applied by both judicial commissioners and the Investigatory Powers Commissioner.
The Secretary of State may issue a warrant authorising the examination of a third-party dataset only where it is necessary and proportionate—that is going to be quite a high bar in some of the areas asked about—for the intelligence service to examine the dataset to which the warrant relates. That decision will be double-locked by an independent judicial commissioner who, among other things, is required expressly to review the Secretary of State’s conclusions in respect of necessity and proportionality when deciding whether to approve the decision to issue a warrant. That is already in the Bill. Each decision will be made on a case-by-case basis and will be subject to prior judicial approval.
I am grateful for the Minister’s response. I have to say, I am struggling to think of a scenario in which it might be necessary and proportionate to examine the marked electoral register. This is something we will reflect on.
That is a helpful and useful suggestion. I am happy to proceed on that basis, if the Minister is.
On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Minor and consequential amendments
Question proposed, That the clause stand part of the Bill.
Clause 6 makes minor amendments to the 2016 Act to reflect the introduction of parts 7A and 7B, including making it clear that the Investigatory Powers Commissioner is responsible for oversight of the part 7B regime.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Scott Mann.)
(8 months, 2 weeks ago)
Public Bill CommitteesThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
The Investigatory Powers Act 2016 contains world-leading oversight arrangements, which have strengthened the safeguards that apply to the use of investigatory powers. The clauses will enhance this oversight regime, including the role of the Investigatory Powers Commissioner, to ensure it is resilient and that the IPC can continue to effectively carry out their functions. This includes creating a statutory basis for appointing deputy IPCs to whom certain functions can be delegated and, in exceptional circumstances, the appointment of temporary judicial commissioners. The clauses also place certain existing oversight functions on a statutory footing and provide clarity to public authorities in their error reporting obligations. These are important and targeted amendments to ensure the oversight regime remains robust and the IPC can continue to carry out their role effectively.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Personal data breaches
I beg to move amendment 1, in clause 11, page 31, line 36, leave out “a court or tribunal” and insert “the Investigatory Powers Tribunal”.
This amendment is consequential on amendment 2.
With this it will be convenient to discuss the following:
Government amendment 2.
Clause stand part.
Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.
Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.
Amendment 1 agreed to.
Amendment made: 2, in clause 11, page 32, line 19, at end insert—
‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
(a) in subsection (2), after paragraph (b) insert—
“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”
(b) after subsection (4) insert—
“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”
(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
(b) in subsection (5)—
(i) the words from “section” to the end become paragraph (a), and
(ii) after that paragraph insert “, or
(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”
(c) in subsection (6), for “reference” substitute “complaint or reference has been”.
(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
“(8) In this section “relevant Commissioner” means—
(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
(b) the Investigatory Powers Commissioner for Northern Ireland, or
(c) the Information Commissioner.”’—(Tom Tugendhat.)
This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).
Clause 11, as amended, ordered to stand part of the Bill.
Clause 12
Offence of unlawfully obtaining communications data
I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.
This amendment would remove one of the examples cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.
It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:
“where the communications data had been published before the relevant person obtained it”.
We are concerned that that is not a correct expression of the law as it stands.
The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.
We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.
I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.
While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.
I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.
The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.
Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.
Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.
Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.
I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.
I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.
As always, my right hon. Friend asks a pertinent question. I hope he will forgive me for saying that I very much hope that the letter I asked to be sent arrived in his inbox this morning. He may not have seen it, which I completely understand, as there are many pressing issues on his time. I have also attached it into the packet for the Bill and indeed copied it to the ISC secretariat, which has done such an important job in ensuring that we are all as one on this. I hope very much that that will answer my right hon. Friend’s questions. If it does not, he knows where I am—I would be delighted to clarify it further. As my right hon. Friend has very kindly asked, I shall give that list now, for the record: HM Revenue and Customs, the Financial Conduct Authority, the Department for Work and Pensions, the Treasury, the National Crime Agency, the Department for Business and Trade, and the Competition and Markets Authority.
My right hon. Friend reminds me of that famous scene in “Yes, Prime Minister”—thank God defence is held at central authority, or we would not have to worry about the Russians; we would have a civil war in two weeks. His point about local authorities having intelligence powers is valid. They do not have the same intelligence powers as MI5—let us be absolutely clear about that. That is not what we are offering.
It does the Minister great credit that he has made that list available during the course of our consideration. That is very important. What I had feared might happen was that we might not get it while we were in Committee. In fact, I have not actually seen it, but I am grateful to him for making it available, at least, during our consideration.
This is an area that concerns me. I am quite certain the security services have protocols on how to deal with such things, but it worries me that the DWP is on that list. Having been involved in work on the Horizon Post Office scandal for many years, I know the DWP did not cover itself in glory on some of those cases. Can the Minister reassure the Committee that there are protocols governing when and how it will use those powers? That, I think, would give the public some assurance that there is a standard for how they will be used.
The right hon. Gentleman tempts me towards an area that the Bill does not cover, so I hope he will forgive me for focusing on what it does cover, such as the safeguards. Clause 14 will limit communications data acquisition to the purpose of a body required to meet its civil functions and duties, such as a regulatory body providing oversight of financial markets, or indeed the DWP overseeing different elements of its responsibilities. Where disclosure is in support of a criminal prosecution and IPA part 3 authorisations for communications data must continue to be sought, using the existing safeguards and oversight provided for by the Investigatory Powers Commissioner’s office, the courts will oversee the use of those powers by public authorities in the same way as the acquisition of non-communications data under the existing powers. He has asked me specifically about a connected area, so—I hope he will forgive me—I will have a look at it and write to him very specifically about that.
May I suggest that the Minister does write to the Committee? I accept the safeguards in place, but for organisations other than the security services, I want to know what internal mechanisms they have to ensure that use of those powers is proportionate in terms of investigations and so on, and what training and protocols they are using. If the Minister could write to us on that, that would be helpful.
Forgive me, but the right hon. Gentleman is asking for a very large piece of work there. I am setting out the legal authority under which those organisations can act. Their internal processes may be different in different circumstances and be answerable to different Ministers.
I am sorry, but I do not agree with the Minister. He is giving those other public bodies additional powers, and I think it is quite reasonable for this Committee and the public to be assured of how those powers are actually going to be used. As I say, I have no problem with the security services, because I am well aware that they have very clear, strong protocols and safeguards governing the use of their powers internally, with authorisations and so on. I think he just needs to ask those other Departments how they are going to do this, and what the internal mechanisms are.
I am very happy to ask them; I am just stating clearly that they are not under the responsibility that I have as a Minister. The legal powers that they are given are not additional powers; they are repetitions of the IPA 2016, so they are not additional powers—[Interruption.] Forgive me, but they are not additional powers. Their existing codes of practice under the different organisations have their own responsibilities within them.
I beg to differ. In the next clause, we will come on to the breadth and depth of the new powers, but that is a different argument—I will save that until then. However, he is the Minister and, in my experience, the Minister leads the Bill. I would have thought it would be quite simple to ask those other Departments what those protocols are. If he does not ask, he does not get.
I will happily ask. The right hon. Gentleman is asking for internal management structures, though.
I am grateful to the Minister for offering me a second bite of the cherry. Perhaps I can offer a Hegelian synthesis between him and the right hon. Member for North Durham. We talked earlier about operational purposes, but we have to be careful about that: in the case of the agents of the police, one cannot publish purposes in fine detail, because that would be unhelpful. However, in broad terms, perhaps the way forward on this is to illustrate the kind of purposes that the bodies the Minister described might employ, within the legal constraints that he just set out. Perhaps that is the way forward; it would certainly satisfy me, and I cannot think that would not help to satisfy the right hon. Member for North Durham, who is a reasonable man—not my right hon. Friend, but a right hon. Gentleman and a personal friend, which is better than being a right hon. Friend.
As always, I welcome my right hon. Friend’s contribution. That is covered in many areas in the letter I wrote to him.
In an earlier response to comments by the right hon. Member for South Holland and The Deepings, the Minister helpfully mentioned the letter that I think has been sent to the right hon. Member and possibly other members of the Committee. Can the Minister confirm that that letter will also be sent to the Opposition?
To be absolutely clear, the letter was in response to my right hon. Friend the Member for South Holland and The Deepings, so it was sent to him, it was copied to the secretariat of the ISC and it is in the Bill pack. The hon. Member for Barnsley Central therefore has access to it.
May I ask the Minister to look at his internal process again? We also had this problem with the National Security Bill. I do not know whether he should change the pigeon post he is using to ensure people have it. May I also point out that the ISC is not constantly in session? Therefore, if he has to send it to the ISC, we do not automatically get it until our next meeting or when we do the next reading.
I am delighted to clarify that the letter was emailed to my right hon. Friend the Member for South Holland and The Deepings. He is a traditionalist in many ways, but I believe he has entered the electronic age.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 12 ordered to stand part of the Bill.
Clauses 13 and 14 ordered to stand part of the Bill.
Schedule agreed to.
Clause 15
Internet connection records
Question proposed, That the clause stand part of the Bill.
The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.
The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.
Exactly. That point was made when we debated the original Act, and I think that I committed at the time to those kinds of things being detailed in the annual report. To clarify a point that was made earlier, David Anderson was clear at the time, and has been since, that we cannot detail the operational purposes of the agencies if doing so would compromise them. The techniques and approaches that they necessarily use in the performance of their duties could be compromised if we were to talk in detailed terms about the character of their operational activities. However, we can speak in broader terms about the kinds of circumstances in which powers might be used—and all the more so for the other public bodies, in a sense, because even if a serious criminal investigation is taking place, those investigations are not typically as secret as they might necessarily be in respect of the security and intelligence community.
Perhaps those two grounds—greater sight of the processes in those bodies and clarity about the circumstances in which the powers can be used; in other words, exceptionally and for very serious matters—would be helpful ways of dealing with some of the points raised by my colleague on the ISC, the right hon. Member for North Durham.
As usual, right hon. and hon. Members have raised some excellent points. Let me be clear: it is not true to say that there is no judicial oversight. To say that there is no judicial oversight would be correct if the IPC were not in place. I know what the right hon. Member for North Durham is going to say, but that is a form of judicial oversight.
As to the way in which the authorisations work, I hope that I have been clear—I will repeat it to ensure that I am—that an investigating officer would have to make an application to use the powers. That would have to go to a senior officer in their service who is not in their chain of command: someone who is not overseeing the operation or in their management chain—a separate element. Any abuse of that system could mean that that individual, or those individuals, are in violation of section 11. I know that the right hon. Member for North Durham takes his responsibilities on the ISC exceptionally seriously and is fully aware that sometimes there can be a pressing need for operational action at pace. That is what this is also designed to help. It is important that officers have the ability to act under a regulatory framework that means that abuses are, at worst, extremely limited due to various constraints.
I accept that and I have confidence in the internal protocols—do not get me wrong on that—but the Minister does not have to convince me or members of this Committee; it is about the public perception. What is the problem? If we are not going to have judicial oversight in terms of judicial authorisation, what is to stop us having another system whereby, when it is used, the IPC is informed? We could send a simple email so that it would at least have ongoing oversight when these powers are being used.
The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.
The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.
I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?
“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.
That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.
It is not about a fishing expedition, but they will get into a fishing expedition anyway. He says that train lines would not be affected, but they would. If someone wants to see an individual’s travel pattern, that is what they may do. Therefore, a lot of people’s data will be dragged in, not because it has been looked for but because it will come in anyway.
The problem is that if the argument is about speed—which I do not necessarily think is the case in some cases—the Minister has to do two things to reassure people that the powers are going to be used in the right way. First, he must provide pre-authorisation judicial oversight, and secondly, the IPC should be told, perhaps via a simple email, when the powers are used. That would at least allow it to look at the trends and uncover any concerns. I accept the protocols in place and am 100% sure that they are being followed, but it is possible that some people will not follow them and that is what we have to guard against.
This is a somewhat odd argument, because the right hon. Gentleman and I are slightly together but also arguing at cross purposes. Both of us have a very high regard for the intelligence services and are confident in their integrity, but we are slightly at cross purposes because he believes that we are not satisfying the oversight element, but I believe we are.
Let me be clear. I am not being a stick in the mud about this for any political reason. I actually happen to believe that this is the right way to approach this. There is a constant balance in all forms of oversight between the ability to act quickly and the ability to be controlled from outside. I believe that this sets in place a very significant, burdensome requirement on those who are taking these responsibilities to act according to certain principles. To repeat, the principles are necessity and proportionality. I do not think anybody in here would argue against those. What this requires them to do is make sure that the principles are met by effectively targeting in advance.
The right hon. Gentleman’s comment about train line use would, I am afraid, not satisfy that proportional need. The individual would have to be specifically identified in advance. The pattern of use of the website from the single point and to the point of contact—from a phone to an internet server or whatever it might happen to be—would have to be clarified. These ICRs are Venn diagram circles that are getting narrower and narrower. The idea that this would end up with some sort of week-long or month-long trawl of a train line website is, I am afraid, not permissible under the 2016 Act. Were any intelligence officers to do it—though I do not believe that they would—they would fall foul of section 11 and would not be acting necessarily and proportionately. Therefore, it would not be permissible.
It is pretty clear that existing conditions B and C already enable public authorities to make an application for a known individual’s internet connections. New condition D only enables a request for details to identify individuals who have used one or more specified internet services in a specified time.
I think that is the point. I do not think anyone is arguing against the fact that there will sometimes be exceptional circumstances that require haste. Everybody accepts that, but the issue with condition D is that it is explicit in removing the targeted nature of the other conditions. It is where they do not know the time or person and do not have the data available that they are using condition D. There is nothing in the Bill to make clear that it can only be used in exceptional circumstances. How can we square that circle? I do not think that anyone would disagree with the fact that there needs to be an ability to move at pace at times, but there is nothing here that says that power could only be used in those sorts of circumstances. Condition D creates a situation where we are going to hoover up data on a huge number of people, but there is nothing to say how long we are going to hold on to that data for, or what would be done with it.
To answer the last part of the question first, the holding on to data and what is to be done with it is the same as under the IPA generally. Information can be held or not held according to those provisions. This Bill does not change any of that, which is why that is not covered here, and I know the hon. Gentleman would not expect it to be.
It is worth pointing out that condition D is not only no more intrusive than conditions A, B or C, in terms of data—
Let me just finish the point; I know the hon. Member will come back to me.
Condition D is no more intrusive, and it does require the serious crime threshold, which does add an extra layer before it can be used. I hear the hon. Member’s point; the condition still requires proportionality and necessity, so it could not be simply anybody who is using Facebook, because clearly that is not proportionate. It still requires that targeting; it still requires those Venn diagrams, if he likes, to close over a target; and, even then, it requires the serious crime threshold.
The key thing to understand here is that the agencies have always had the ability to intercept communications data. Communications data is one’s letters. Communications data is one’s phone calls. We speak about communications data now, mindful of the way that people communicate now, and we think of the internet and telephones, but the process of intercepting communications has been a core part of the work of the agencies since the agencies began, so we need to put this in context.
The difference here is the nature of how people communicate. It is right to say that—I rise to be helpful to the Minister—the character of encryption, in particular, is making it harder, even in the kind of serious cases that have been described, for those who are missioned to keep us safe to do so by accessing the information they need. So it is right that the law needs to be updated. The critical thing for me, therefore, is this matter of the threshold, which was debated when we debated the original Act.
As far as I understand, this Bill does not change the threshold; it reinforces the threshold. If that is the case and, as has been said, exceptionality is a measure of significance and not complexity—some cases will be complicated, but it is about significance—then the only outstanding difference, as the Minister has said, is oversight. I think the reporting in the annual report matters—the right hon. Member for North Durham made that point—and that would be a small concession to make, if I can describe it as such. I take the point about alacrity, too. What we cannot do is slow down the process by making it bureaucratic.
I think there is an easy way out of this. Being very clear about thresholds, as the Minister very helpfully has been today, is perhaps the way out of it. To clarify that in writing might be helpful.
I do not think anyone could describe the right hon. Member for South Holland and The Deepings or myself as woolly liberals, but I do have a concern with this. Where we are giving an extra power—which is what this is, although the Minister disagrees about the breadth—I want to ensure somehow that, in a democracy, we have oversight of it. I do not want to make it difficult for the agencies to implement their powers, but there are simple ways of doing so. That could mean telling the IPC when it occurs.
I have faith in the internal mechanisms that the Minister refers to, but I was also on the Intelligence and Security Committee in 2017, when we did our rendition and detention inquiry. All the safeguards were in there then, and they were ignored. That led to some fundamental changes, including the Fulford principles. There are occasions when the best things in legislation are not followed through, and that can lead to some very serious consequences.
I take the right hon. Gentleman’s point and the spirit in which it was made. I reiterate that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office, as he knows, unless they are urgent or for the purposes of national security. That is where this is being focused. Condition D, which we have spoken about, will be restricted to only the intelligence services and the National Crime Agency when it is pursuing a national security element within its remit—that is a separate area, as he knows. Those organisations have the necessary expertise to raise compliant and proportionate restrictions.
Again and again, the principle in the Bill is that the least intrusive power must be used. The oversight starts internally, but very rapidly goes externally, whether it is to IPCO or a judicial commissioner. The ability to review is always there, and the penalties under section 11 of the 2016 Act, which we all hope will never be needed or used, are pretty onerous on anybody who abuses their power or in any way exploits their ability in order to conduct themselves in a way that we would all agree is unsatisfactory in a democracy. It is really important to say that.
Going back to the question raised by the hon. Member for Midlothian, the reality is that condition D applications will limit collateral intrusion as much as is reasonably practical. The returned data may only provide an indication of involvement in an investigation, and further analysis will likely be necessary to allow fuller determination. That is the nature of handling intelligence data and then conducting an analysis on the back of it. In all cases, that activity will have to be justified, and will be no more than is necessary to achieve the desired outcome.
To be absolutely clear, that has to be targeted. This is a series of circles in a Venn diagram to target as narrowly as possible. Were others to be captured in that narrowest possible target, that data could not be held, or a separate application would have to be made in order to hold it. For example, one can imagine a circumstance in which an intelligence agency is targeting a paedophile on a particular street. Using different forms of communication technique, it narrows it down from a handset to an operator, a particular website, a particular time, and so on, so the Venn diagram narrows—it is very focused. If it turns out that there is another paedophile operating in exactly the same area at that time, that would require a separate application, because it is a separate target. The data could not just be held. Nor would it be ignored—I am sure the hon. Gentleman would not suggest it should be. But the judicial oversight needs to be gone through and the application needs to be made. It is a separate warrant, and so on.
In the example the Minister gives, at the same time the agency targets that individual, it will have a lot of other people who communicated with that individual. How long will that information be kept? That is the concern people have. It is not the depth, but this is broad. Most of those people would be completely innocent of anything. There is then the issue of how long that information is kept and who makes the decision about how long to keep it.
Forgive me, but I disagree with the right hon. Member on this. It is unlikely that there would be a large number of people at a specific geographic location, using a specific cell site, from a specific handset, viewing a specific website at a specific time. Once it is narrowed down like that, the numbers are very small. That does not mean that any intrusion that is not legally authorised is acceptable—that is absolutely not what I am saying. But we are getting down to very small numbers of people, and quite deliberately so, in order to achieve an intelligence outcome.
As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.
In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.
Let me go back to the Trainline example. Suppose it is not child exploitation—the Minister is possibly right that it is specific, and hopefully there are not many people in one street—and someone is trying to look for a person’s travel plans, so they want to know how many people in an area have contacted Trainline. It will be more than one person, so there will be a lot of other people they are not looking for in there. That is the problem, and that is all that the ISC, the hon. Members for Midlothian and for Glasgow South and the Labour Front Benchers are saying.
Earlier the Minister used the words “control from outside”. I am sorry if he sees oversight as control, but I certainly do not. It is about giving confidence to the public that there is independent oversight over these powers, whether that is informing the IPCO when they are used or having pre-authorisation, as was suggested earlier. I do not see the problem with keeping people informed. The Minister is hiding behind IPCO, but it was introduced in the first place to give the public confidence.
I suspect we are not going to come to an agreement on this, so I will probably leave it after this point. The IPCO oversight means that IPCO can look at a request at any point. The maximum period it can go without looking at it is 12 months, but it can look at any point. We have said that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office
“except where they are urgent or are for the purpose of national security”.
That interaction, which the right hon. Gentleman rightly supports, is already there, so I do not accept it is lacking.
On the question of proportionality, the amount of information that one may need to investigate a paedophile network, for example, may mean being slightly vaguer about the specific time, whereas following a known individual may require different forms of flexibility and proportionality. I am afraid I am going to be very cautious about setting out what each one means, because these principles will have to adapt and be applied as appropriate.
We are going to have to close this down and move on because we have other things to do. Perhaps the way through is, as was suggested a few moments ago, that this be reviewed over time. If in the annual report we have a really thorough examination of how the measure has been applied and in what circumstances—in broad terms, of course, because we do not need the details of the crimes—that would give us the assurance we need. Our Committee has made that point emphatically. That would be a terribly good way out of this and it would not be a huge step. If the Minister agrees to that, I would certainly be satisfied.
It is not for me to tell the ISC what it should look into, but I would be surprised if it did not want to look into this in great depth.
I think the Minister might have misunderstood. Forgive me; I did not mean that. I meant that this could be reviewed in the IPCO annual report. That would obviously be considered by the ISC in the way he describes. I think we need a summary of how this will work in practice and a commitment that we do that now. He sort of talked about a retrospective review. Rather than debate this further now, that would be a very good way forward.
I am entirely supportive of the idea that IPCO should update the ISC and the Secretary of State about how it is working and provide information so that a proper view can be taken. I think that is entirely appropriate.
Well, that would be fine if the Government did not redact things in IPCO reports and try to stop us getting access to—[Interruption.] I am sorry, but the Government are doing that. They have done it over the past few years. That is the problem. The Government are paying lip service to the ISC. We are not trying to thwart the work of our security services; we are an important part of the democratic oversight of them. That is why we were set up under the Justice and Security Act 2013. I am sorry to say that the Government are trying to drive a coach and horses through it, including by preventing information from IPCO from being given to us.
I think we have covered the area, and I have said all I am going to about the matter.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16
Powers to require retention of certain data
Question proposed, That the clause stand part of the Bill.
Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.
Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.
Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.
Clause 17 amends section 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.
I have some comments to make about extraterritoriality, but I will do so in the next debate.
Question put and agreed to.
Clause 16 accordingly ordered to stand part of the Bill.
Clause 17 ordered to stand part of the Bill.
Clause 18
Review of notices by the Secretary of State
Question proposed, That the clause stand part of the Bill.
The notice review mechanism is an important safeguard. If operators are dissatisfied with a notice that they are given, or with any part of it, they have a statutory right to refer it to the Secretary of State for a review. Clause 18 is essential to ensure that operators do not make any technical changes during the review period that would have a negative impact on existing lawful access capabilities.
Operators will not be required to make changes to specifically comply with the notice. However, they will be required to maintain the status quo. If there was lawful access at the point at which a notice was given, access to data must be maintained by the operator while the notice is being comprehensively reviewed. This will ensure that law enforcement and intelligence agencies continue to have access to vital data during that period in order to keep people safe.
To be clear, companies can continue to make technical changes or roll out new services during the review period, so long as lawful access remains unaffected. The status quo will apply only to services or systems specified within the notice; anything outside the scope of the notice will be unaffected. If, at the conclusion of a review, the Secretary of State confirms the effect or varies the notice, maintaining the status quo will be vital to ensure that law enforcement and intelligence communities do not lose access to data during the review period that they would otherwise have been able lawfully to obtain. In the Lords, the Government amended the Bill to introduce a timeline for the review of a notice.
I will be very brief. I am grateful for the Minister’s remarks, but I want to raise the concerns of some telecommunications operators and of organisations representing the sector about clauses 18 and 19. These include a view that the role of the proposed new notices regime would hinder and even veto product development.
I know that the Minister and his Department have engaged with stakeholders about those concerns, as have Labour Members. I would be grateful if the Minister briefly set out whether recent engagement has taken place with stakeholders with regard to these matters, and whether he has any further plans to address the concerns that they have expressed about clauses 18 and 19.
I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.
The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:
“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”
Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State
“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”
Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.
As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.
According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.
In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.
I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.
Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.
The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.
The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.
It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.
It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.
The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.
I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?
Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.
On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.
Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19 ordered to stand part of the Bill.
Clause 20
Renewal of notices
Question proposed, That the clause stand part of the Bill.
Currently, a notice must be kept under regular review by the Secretary of State, but it does not cease to have effect unless the Secretary of State revokes it. The clause will introduce a notices renewal process such that if two years have passed since a notice was given, varied or renewed, it must go through the double lock process to obtain the approval of a judicial commissioner, in addition to a full necessity and proportionality assessment by the Secretary of State. This change will provide reassurance to operators that their notice remains necessary and proportionate.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Notification of proposed changes to telecommunications services etc
I beg to move amendment 6, in clause 21, page 45, line 7, leave out first “person” and insert “relevant operator”.
This amendment and amendments 7, 8, 10, 11, 12 and 13 provide that the expression “relevant operator” is used consistently in inserted sections 258A and 258B of the Investigatory Powers Act 2016.
With this it will be convenient to discuss the following:
Government amendments 7 to 13.
Clause stand part.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendment 6 agreed to.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.
Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)
See amendment 6.
Clause 21, as amended, ordered to stand part of the Bill.
Clause 22
Interception and examination of communications: Members of Parliament etc
I beg to move amendment 3, in clause 22, page 47, line 17, leave out from “and” to end of line 19 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (2).”
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 26 of that Act.
Government amendments 3 and 4 require that any Secretary of State to be designated by the Prime Minister as an alternative approver must have the necessary operational awareness of the warrantry process to undertake the role. This change will replace the current drafting inserted in the House of Lords relating to “routine duties”, which is over-restrictive and will undermine the resilience of the triple-lock process that the clauses seek to safeguard.
Requiring relevant operational awareness will ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation. It will allow scope to include those who may be new to their role and do not yet carry out such duties routinely, or who no longer carry them out routinely due to machinery-of-government changes but have valuable pre-existing knowledge that makes them a suitable alternative approver.
I am grateful to the Minister for the fact that his amendment goes some way to dealing with the issues that I and others raised in relation to the change from existing practice. At the moment, the Prime Minister provides the element of what has been described as the triple lock. The Government proposal is that other Secretaries of State should perform the role when the Prime Minister is unable to for a number of reasons. My anxiety, reflected by the Intelligence and Security Committee, is that those Secretaries of State who act for the Prime Minister in such circumstances should be people with operational experience. Typically, that would mean people with warranting powers—people accustomed to the business of issuing warrants, with all that that suggests.
The Government amendment speaks of operational awareness. I think “operational experience” is a better turn of phrase, although I accept the Government’s point that if there was a new Secretary of State—a new Home Secretary would be a good example—they would not necessarily have experience. By definition, they would be new in the job, whether that was the Home Secretary or Foreign Secretary and so on. It might be possible to speak of experience and responsibilities, so it could be either responsibilities or experience. Of course, the Government rightly say that a former Home Secretary, Foreign Secretary or Northern Ireland Secretary who was then doing a different job in Government could be one of the people designated, so I take that point.
The issue here is ensuring that the people who perform the role are competent to do so, and I know that is something on which we agree. It is really a matter of the semantics, but semantics are not always insignificant. I am aware of bolshevism and liberalism, but I would not want anything to do with either of them. I am aware of the separatist case on the United Kingdom, but awareness is as far as I want to go with that—I say that without contention or, indeed, acrimony of any kind. I am not sure that “awareness” is quite the right word, and I simply offer that semantic but not insignificant point to the Minister for his consideration.
I think so, because the original wording talked about being able to nominate basically anybody. It was then defined, but the amendment widens it again. It says, “necessary operational awareness”; is that, for example, that any Secretary of State is aware that it is a voluntary process? For example, the Foreign Secretary and the Home Secretary sign warrants, and another Secretary of State could say, “Yes, I’m aware of that.” As the right hon. Member for South Holland and The Deepings said, “operational experience” would be better wording, because “necessary operational awareness” is too broad. What does it actually mean in practice? For example, must they have any experience of having signed a warrant before? Or do they just need to know that the warrantry system exists?
First, I place on the record my gratitude to the ISC, to which I have listened extremely carefully on this matter; indeed, the Bill has been changed because of it. Let me be clear that although many people are aware of things, to be operationally aware is not the same as to be just aware. Many people were aware of the conflict in Helmand, but I argue that only the hon. Member for Barnsley Central and I were operationally aware of the conflict in Helmand. It is rather a different requirement. It does not mean that one knows about the operation; it means one is aware in an operational sense of it. It is not just an observation of the challenge.
I have to say that from my experience as a former Minister in the Ministry of Defence—I said I was never a Secretary of State—I was not only aware of what was going on but operationally aware. Could an Under-Secretary of State at the Ministry of Defence therefore be designated as one of these people? On Tuesday mornings every week, I was very operationally aware of what was going on in Helmand, for example.
First, this goes alongside the code of practice, which challenges the right hon. Gentleman’s point. It would need to be people who were briefed into the warrantry process. It needs to be somebody who understands what a warrant is, so it is not somebody who is merely observing it, such as a Secretary of State for Culture, Media and Sport.
On the point that my right hon. Friend the Member for South Holland and The Deepings made about experience, I understand the debate. There is a possibility—I know that he and I will do everything we can to prevent it—that there will be a change of Government soon. In that case, there will be an awful lot of people who have absolutely no experience at all of these matters. It would therefore be wise not to set up a provision that would immediately require amendment. Disappointed though we would be at that outcome, my right hon. Friend would agree that he would not want a law to be amended in its first year, if we could possibly avoid it.
To be clear, the Government view the four alternative approvers as being likely to be the Home Secretary, the Foreign Secretary, the Defence Secretary and the Northern Ireland Secretary. Only three would be able to act as the triple-locking Secretaries of State, because of course we would have already used up two of them to do the first two functions. That is why the numbers are required, and why I am incredibly grateful to the ISC for pointing it out and being very cautious on it.
If what the Minister has just said is the case, why do the Government push back on a suggestion that I think they actually made earlier on? The Minister is now pushing back on it. Although I understand the need for the code of practice, if there was a change in it—because there might be sometime—would that come back to Parliament to be approved? We are dancing on the head of a pin here. I do not know why, but that is quite common with the Home Office. The Minister says that it will be mainly four people, but I would love to know what he means by “necessary operational awareness”, which is clunky language.
Codes of practice will be brought forward through regulations in the usual way, as the right hon. Gentleman is aware, and the House will scrutinise them in the usual way. This is a very legalistic process, as I recognise from the inside as much as he does from the outside. It is true that if, for example, the Northern Ireland Secretary became the Education Secretary, they could then be included. The idea is to ensure that it is somebody who is appropriate to the task, which is why the measure is worded as it is. I always listen to right hon. and hon. Members across the House. I believe that the amendment is the best version that we have come to so far. I will continue to listen to the right hon. Gentleman, as always.
Given what the Minister said about a change in Government—I do not expect one, but I suppose it is a remote possibility—perhaps the words “operational responsibility or experience” would cover the point made and be slightly tighter than “awareness”. Also, there is the matter of notifying the PM. The Committee made the good suggestion that the PM should be notified as soon as practicable, which may be something with which the Minister agrees. If the Prime Minister were indisposed because of illness or whatever, they would be notified as soon as is practicable that a warrant had been issued.
On the second point, I am sure that, like me, my right hon. Friend finds it absolutely inconceivable that that PM would not be notified. I am not convinced that that must be in primary legislation. I find it genuinely inconceivable that the Prime Minister would not be notified at the earliest opportunity. Obviously, if they could be notified immediately, the provision would not be required.
But, Minister, let us be honest: a lot of things that we would have taken for granted were ignored in Downing Street over the last few years. Until Boris Johnson became Prime Minister, it had been a great part of our constitution that convention was followed. Surely it would therefore be better to have the point about notification in the Bill; otherwise, we are leaving it to the free will of convention. I would have trusted convention, but we have had Boris Johnson as Prime Minister.
I want to help the Minister, because I do not necessarily agree with the right hon. Member for North Durham; occasionally, he and I do disagree, despite the impression that we have created in this Committee. Notification could be covered in a piece of statutory guidance that supports the Bill. It could state that the Prime Minister should be notified as soon as reasonable practicable, exactly in the terms just described. How’s that?
As is so often the case, I absolutely agree with my right hon. Friend.
I will look at putting it in the guidance, as suggested by the right hon. Member.
I have said what I am going to say on the matter.
Amendment 3 agreed to.
I beg to move amendment 17, in clause 22, page 47, line 26, at end insert—
“(2G) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise the interception of certain elected representatives’ communications as soon as is reasonably practicable.
I am conscious of the debate that has just taken place, so I anticipate what the Minister may say in response. Let us give him another go anyway.
Amendments 17 and 18 relate to the decision of a designated Secretary of State to authorise the interception of elected representatives’ communications and interference with equipment relating to elected representatives. As the Minister will know, two similar amendments were proposed by Lord West in Committee in the other place. The reason for tabling the amendments in Committee in the Commons is that the Opposition believe that the Prime Minister’s overall involvement in the warrants must be retained, even if, in designated cases, it could be retrospective. As I said, I am mindful of the debate that has just taken place.
In the other place, Lord Sharpe rejected Lord West’s amendment on the basis that the oversight arrangements for warrant decisions taken by a designated Secretary of State, which include review by the judicial commissioner, are sufficient scrutiny. I understand that argument, but I wonder why it should not be the case that a Prime Minister is at least notified about decisions to issue warrants that they have had to delegate due to their being unable to do so. Furthermore, would a Prime Minister not being notified of a decision unnecessarily diminish their operational awareness in making future decisions to issue warrants?
My amendment would require the Prime Minister to be informed of a decision taken by a designated Secretary of State on their behalf as soon as the circumstances that have prevented the Prime Minister from approving a warrant in the first place have passed. I hope the Minister and the Committee will understand the emphasis on the important nuance in the difference between review and notification. Mindful of the earlier debate, I hope that the Minister will consider accepting the amendments.
For want of repeating myself, I will probably leave that to stand.
We are speaking about elected representatives who are then appointed into Government and make decisions, and we have rightly had an important debate, to which the Minister has responded. If possible, it would be helpful if he could confirm who from the agencies would also be involved in the decision making. That would add some faith as to the robustness of the decision making that takes place when such actions are taken.
I am cautious about answering that question, for the simple reason that it depends on where and how the information was gathered, whether it was gathered deliberately or accidentally as part of an existing operation, and whether it was tangential. It is absolutely inconceivable that the chief of whichever agency it was would not be aware and therefore not part of that conversation.
With this it will be convenient to discuss the following:
Clause stand part.
Clause 23 stand part.
New clause 1—Requirement for the Prime Minister to appear before the Intelligence and Security Committee—
“After section 26 of the Investigatory Powers Act 2016, insert—
‘26A Requirement for the Prime Minister to appear before the Intelligence and Security Committee
(1) The Prime Minister must appear before the Intelligence and Security Committee of Parliament to provide oral evidence on the matter set out in subsection (2).
(2) The matter is decisions made by the Prime Minister or an individual designated under section 26 to—
(a) give approval to issue warrants to intercept and examine communications of Members of Parliament;
(b) interfere with equipment belonging to Members of Parliament;
(c) other relevant decisions relating to Members of Parliament in the interests of national security
(3) The duty in subsection (1) applies once every session of Parliament.
(4) Subsection (1) does not apply if the Intelligence and Security Committee does not require the Prime Minister to attend.’”
This new clause would require the Prime Minister to appear before the Intelligence and Security Committee to provide oral evidence on decisions made to approve warrants to intercept and examine communications of MPs or to interfere with equipment belonging to MPs, and other relevant decisions relating to MPs.
New clause 4—Interception notification for Members of Parliament etc.—
“After section 26 of the Investigatory Powers Act 2016 (Members of Parliament etc.) insert—
‘26A Interception notification for Members of Parliament etc.
(1) Upon completion of conduct authorised by a warrant under section 26, or the cancellation of a warrant issued under that section, a Judicial Commissioner must notify the subject of the warrant, in writing, of—
(a) the conduct that has taken place, and
(b) the provisions under which the conduct has taken place.
(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.
(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the subject of the warrant.
(4) A Judicial Commissioner must consult the person who applied for the warrant in order to fulfil an assessment under subsection (3).’”
This new clause would require members of a relevant legislation who are targets of interception to be notified after the fact, as long as it does not compromise any ongoing investigation.
Clauses 22 and 23 will increase the resilience and flexibility of the warrant system. They will ensure the effective processing of warrants that authorise the interception of, or the use of equipment interference to obtain, the communications of a Member of a relevant legislature when the Prime Minister cannot fulfil their duties due to medical incapacitation or a lack of access to secure communications. The changes will enable the authorisation process to function in an agile manner, thereby enabling the important work of the intelligence agencies to continue while maintaining a high bar for the authorisation of some of the most sensitive warrants.
I rise to speak to new clause 1, which relates to oversight by the Intelligence and Security Committee of warrants to intersect and examine the communications of Members or the interference with equipment relating to Members. The context of the new clause will be clear to those who followed the debates in the other place about the role of the ISC. To be absolutely clear, I am not seeking to debate the Wilson doctrine—I know that Members will be relieved to hear that.
The purpose of the new clause is to probe and seek further safeguards for the ISC to provide essential oversight of this extremely sensitive matter, codified by the 2016 Act as part of a wider context of decisions made by the Prime Minister in the interests of national security. Members of this Bill Committee who also serve on the ISC will know that successive Prime Ministers have, unfortunately, not appeared in front of that Committee since, I believe, 2014. As a result, there has been no opportunity for direct accountability over prime ministerial decision making on warrants to intercept and examine Members’ communications, or on interference with equipment relating to Members.
I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.
New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.
Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.
In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would needed to allow such a measure to be implemented.
The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians thorough the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.
This proposal is not without some difficultly, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.
On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.
For now!
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Clause 23
Equipment interference: Members of Parliament etc
Amendment made: 4, in clause 23, page 48, line 15, leave out from “and” to end of line 17 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (3) or (6).”—(Tom Tugendhat.)
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 111 of that Act.
Clause 23, as amended, ordered to stand part of the Bill.
Clause 24
Issue of equipment interference warrants
Question proposed, That the clause stand part of the Bill.
The Bill makes minor changes to the equipment interference regime, specifically in relation to the warrantry processes associated with its authorisation. The purposes behind those changes are to correct minor drafting errors in the IPA to provide greater clarity, and to improve the efficiency of the warrantry process for equipment interference.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clauses 25 and 26 ordered to stand part of the Bill.
Clause 27
Bulk equipment interference: safeguards for confidential journalistic material etc
I beg to move amendment 19, in clause 27, page 50, line 9, at end insert—
“(2A) Where a senior official acts on behalf of the Secretary of State under subsection (2), they must inform the Investigatory Powers Commissioner of the selection for examination of BEI material as soon as reasonably practicable.”
This amendment would require a senior official acting on behalf of the Secretary of State who has selected BEI material for examination when there has been an urgent need to do so to inform the Investigatory Powers Commissioner as soon as reasonably practicable.
Amendment 19 would require a senior official acting on behalf of the Secretary of State who has selected bulk equipment interference material for examination, when there has been an urgent need to do so, to inform the Investigatory Powers Commissioner as soon as is reasonably practical. It would ensure that every reasonable oversight arrangement was in place concerning the Bill’s investigatory powers provisions.
The amendment does not suggest that the Investigatory Powers Commissioner retrospectively reviews the approval, but instead proposes that they be informed to ensure that there are the most comprehensive and effective oversight arrangements on investigatory powers. We intend not to burden the police and the security services with additional duties, but to ensure that there is the maximum possible oversight with the minimum possible additional work. I hope that the Minister will at least agree with the intentions of the amendment and consider its merits in further strengthening the Bill’s oversight arrangements.
I welcome the amendment, and not only do I agree with it, but I feel that we have already done it. My understanding is that the provision duplicates what already occurs in practice under the current regime, as well as the changes made by clause 27. Currently, the Investigatory Powers Commissioner is already effectively notified when a senior official acting on behalf of the Secretary of State, in urgent circumstances, approves the selection for examination of journalistic material derived from bulk equipment interference. Clause 27 already inserts into the IPA new section 195A(2), which will ensure that the Investigatory Powers Commissioner is notified as soon as is reasonably practical by the Secretary of State when a senior official approves the use of criteria to select for examination journalistic material in reliance on an urgent approval. Effectively, the senior official is informing on behalf of the Secretary of State, or indeed the Secretary of State is informing on behalf of the senior official. We all very much hope it is the former of the two.
Clause 27 enhances the safeguards already afforded to journalistic material within the IPA, and the Government recognise the importance of journalistic freedom within free and democratic societies, which is why we are introducing this measure. Under the current regime, the Investigatory Powers Commissioner must be informed when a communication that contains confidential journalistic material or sources of journalistic material is retained following its examination for purposes other than its destruction. The clause introduces a requirement for prior independent approval by the IPC before any search criteria are used to select such material. Prior independent approval is also required before it is removed.
I am grateful to the Minister for that clarification. On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 27 ordered to stand part of the Bill.
Clause 28
Exclusion of matters from legal proceedings etc: exceptions
Question proposed, That the clause stand part of the Bill.
Clause 28 will amend schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland or Scotland into a person’s death. The clause will create parity with existing provisions for coroners in England and Wales. It also adds an exception to enable panel members of the Parole Board in England and Wales to access intercepted materials when considering parole applications and any subsequent appeals. It will also enable relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland to access intercepted material in connection with their inquiry or inquest.
Question put and agreed to.
Clause 28 accordingly ordered to stand part of the Bill.
Clause 29
Freedom of information: bodies dealing with security matters
Question proposed, That the clause stand part of the Bill.
Under the Freedom of Information Act 2000, the Investigatory Powers Commissioner’s Office is not, and never has been, a public authority within the scope of the Act. The lack of control over the onward disclosure of information related to the functions of the judicial commissioners raises security concerns and has the potential to compromise the IPC’s inspections, which are often, by their very nature, intrinsically sensitive. The clause would prevent sensitive intelligence being further disclosed under the FOIA once such information is supplied by IPCO to a public body.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clause 30
Power to make consequential provision
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clauses 31 and 32 stand part.
Government amendment 5.
Clause 33 stand part.
Clauses 30 to 33 are typical clauses that are included in the vast majority of legislation. Clause 30 allows the Secretary of State, by regulations made by statutory instrument, to make provision that is consequential on this Act. Clause 31 details the extent of the Bill. The Bill extends and applies to the whole of the United Kingdom, with the exception of measures contained in clause 28, in which subsection (2) applies to England and Wales only and subsection (3) applies to Northern Ireland and Scotland only.
As national security is a reserved matter, a legislative consent motion is required from Scotland only in relation to a small number of clauses in part 2—the oversight aspect—of the Bill. I am pleased that the Scottish Government have recommended that legislative consent be given.
Clause 32 details when the Bill commences. Part 6 comes into force on the day on which the Bill is passed; the other provisions come into force on such day as is appointed by regulations made by the Secretary of State.
Question put and agreed to.
Clause 30 accordingly ordered to stand part of the Bill.
Clauses 31 and 32 ordered to stand part of the Bill.
Clause 33
Short title
Amendment made: 5, in clause 33, page 56, line 1, leave out subsection (2).—(Tom Tugendhat.)
This amendment removes the privilege amendment inserted by the Lords.
Clause 33, as amended, ordered to stand part of the Bill.
New Clause 2
Report on the Prime Minister’s engagement with the Intelligence and Security Committee
“After section 240 of the Investigatory Powers Act 2016 insert—
“240A Report on the Prime Minister’s engagement with the Intelligence and Security Committee
(1) The Secretary of State must publish a report about the Prime Minister’s engagement with the Intelligence and Security Committee in relation to the investigatory powers regime and lay the report before Parliament.
(2) The report must be published within six months of the passage of the Investigatory Powers (Amendment) Act 2024, and annually thereafter.””—(Dan Jarvis.)
This new clause would ensure the Secretary of State publishes a report on the engagement, including any meeting held, between the Prime Minister and the Intelligence and Security Committee in relation to the investigatory powers regime.
Brought up.
I recognise that we have already had an extensive debate on this matter. I do not intend to detain the Committee any longer, and there is therefore nothing further I wish to say about new clause 2, so I do not wish to move it.
New Clause 3
Impact of Act on EU data adequacy decisions
“Within six months of the passage of this Act, the Secretary of State must publish a report assessing the potential impact of this Act on EU data adequacy decisions relating to the United Kingdom.”—(Dan Jarvis.)
This new clause would require the Secretary of State to publish a report on potential impact of the provisions within this Bill on the requirements necessary to maintain a data adequacy decision by the EU.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 3 relates to the impact of the Act on EU data adequacy decisions. When a similar measure to this new clause was proposed by my noble Friend Lord Coaker during the Bill’s passage through the other place, the response from the Minister, Lord Sharpe, confirmed the UK Government’s regular contact with the European Commission about the Bill to ensure that any changes are understood. We welcome that but, as I hope the Minister will understand, such engagement is a continuous process, not a single event or even a series of events. As part of this continuous process, we believe that the Secretary of State should publish a report assessing the potential impact of the Act on EU adequacy decisions.
As Lord Coaker said in the other place:
“The adequacy agreement is dependent on the overall landscape of UK data protections”.—[Official Report, House of Lords, 23 January 2024; Vol. 835, c. 688.]
That is even though the UK protections require some further work. However, given the time pressures, Mrs Cummins, that is all I will say about new clause 3.
First, I welcome the interactions we have had on this point, as well as the work of Lord Coaker and Lord Sharpe to ensure that this is widely understood. The work that has been done is important. We face the challenge that although we obviously commit to fulfilling our side of the TCA and the various agreements we have struck, this is really a matter for the European Commission to determine, so it is not one that we can pass into UK law. It is really a matter for them.
I have nothing further to add. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
On a point of order, Mrs Cummins. I would like to express my extreme personal thanks to Tom Ball and the Bill team, Phoebe, the Lucys, and the many others who have contributed brilliantly to ensure that this Bill has proceeded with speed and professionalism. I thank not only the members of the Committee, but all Members of many parties, and particularly the ISC, which has contributed so much to this Bill, despite what the right hon. Member for North Durham claims. May I say a particular thanks to my very good friend and shadow, the hon. Member for Barnsley Central? It is an enormous pleasure to think that we have gone from fighting the Queen’s enemies to passing the King’s laws together.
Further to that point of order, Mrs Cummins. I join the Minister in warmly extending my thanks on behalf of Labour to all members of the Public Bill Committee and all the officials, both in the Department and in the House, who have done a sterling job in getting us to this point. I am grateful to the Minister for his collegiate approach, which I very much hope we will be able to maintain during the further passage of the Bill. Thank you, Mrs Cummins.
(8 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I know that the hon. Member takes these matters incredibly seriously, and he has raised an important point. To be absolutely fair to the Minister and to his Department, I know that this is a matter that the Government have considered very carefully, and that there has been an extensive process of consultation with a range of tech companies—I have met a number of them myself—but I think it only fair to conclude that while of course there are important contributions to be made by tech companies to this debate, these are ultimately matters for the Government and the House to determine. Having said that, new clause 2 would provide a helpful and constructive mechanism for the Government, and we have tabled it in a genuine attempt to be helpful and to monitor very closely the significant challenges that our national security faces from serious and organised crime as a consequence of rapid developments in technology.
I thank the hon. Gentleman for the spirit in which he has addressed this issue, and he deserves a proper response. There is a valid concern that this is a process of engagement with tech companies, and there needs to be a partnership. I will be frank with him: I do not support new clause 2, for the very simple reason that the way in which this interaction takes place has evolved a lot, even in the two years that I have been in post. I suspect that during the four or five years that this House will supervise the Bill, under the next Government and in the five years beyond that, the interaction will evolve again.
What concerns me is that we could write into law a system of oversight and regulation that does not properly address the way in which tech companies are involved in this area. Therefore, the best answer is to have a more iterative process, which I have no doubt the fantastic civil servants with whom I have the privilege to work will adapt. Whoever takes over from me in 20 or 30 years’ time will no doubt want to iterate that as well.
I am grateful to the Minister for clarification on the response to new clause 2. He understands that we have tabled it because we genuinely think that it is a mechanism that—let us be honest about it—would not be particularly onerous for the Government, and would be helpful in focusing minds across Government. I completely agree with the point he made about his civil servants, who have been excellent throughout the passage of the Bill. We just happen to differ on this issue, because the Opposition think that the new clause would provide a useful forum for the Government to consider the challenges. He is absolutely right about the rapid evolution of technology, and we think it would be no bad thing to condense Government thinking into a report that would be issued on an annual basis.
That is a very important point, and I completely agree. These are complex and difficult matters of public policy, and I completely understand that none of this is easy from the Minister’s perspective. However, if the right hon. Gentleman does not mind my saying so, his point strengthens the case for new clause 2, because we think it would provide a useful mechanism for the Government to track the development of these important matters, but also provide a mechanism for Members of this House to hold the Government to account on them. I am very grateful for the points he has made.
Before turning to amendment 24 on BPDs, which stands in my name, I would be very grateful if the Minister could say whether any progress has been made on arrangements to notify the Investigatory Powers Commissioner when adding new BPDs to existing category authorisations. It might not be in the Bill, but we think that even a reference to it in the IPC’s annual inspection would be helpful progress on this matter. The Minister, my right hon. Friend the Member for North Durham and I have discussed that, and I would be grateful if the Minister could said something about it.
I acknowledge the amendments on BPDs that were tabled by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald). Both of our parties have concerns about the definition of “low or no expectation of privacy” for BPDs, which we debated in a pretty constructive fashion on Second Reading and in Committee. However, Labour does not oppose the concept of “low or no expectation of privacy” for BPDs, which is why we will not support amendment 7, which was tabled by the SNP spokesman. Instead, amendment 24, which stands in my name, seeks further clarification on how “low or no expectation of privacy” will be applied to BPDs, with the aim that the parameters must be as clear as possible for the House to understand.
In Committee, the Minister used the Panama papers as an example of leaked and widely republished material being defined as a BPD with a low or no expectation of privacy. I understand why the Minister chose to use that example, but most other leaked documents containing personal information do not attract anywhere near the same level of media attention. Again, I would be grateful if the Minister took this opportunity to provide another example of information from a leak without widescale press coverage that would be suitable for the designation of a bulk personal data set with a low or no expectation of privacy.
As always, the hon. Gentleman is quite right to highlight the areas I touched on. The important thing about the Panama papers was that they changed. They would have enjoyed a high level of privacy, but with republication they became “low/no”. It would not be right to say that any leaked document enjoys “low/no”, but the law should reflect the reality of the data that is currently being held. When data goes from being secret to being effectively public, it would be absurd to hold the intelligence services to a different standard from that which would apply to any of us, who would be able to access it on a website.
That is a very useful clarification, and I thank the Minister for it.
I very much hope the right hon. Gentleman has brought Lord West’s smelling salts with him, because I would like to clarify the concession that Lord West got in the Lords here in the Commons. I can happily commit to strengthening the language on notification requirements in the code of practice, when it is formally brought forward in due course, to require that the Prime Minister “will” be notified of any decisions under the alternative process, rather than “should” be.
I welcome that, but can I hear it again and pin the Minister down a little more? I am sure it is a massive victory, but is he giving a solemn pledge to the House that the code of practice will remove the word “should” and insert the word “will”? Is that what he is agreeing to?
Victory at last—there is such power in changing one word. The Minister has given a solemn undertaking on the Floor of the House that the code of practice will change the word “should” to “will”. A small victory for the ISC, but I am sure my colleagues will take it in the spirit in which it is offered. I say to the Minister gently that we could have agreed that the other day when we met, but no doubt the issue that we will be voting on tonight was concentrating his mind.
With that great victory under my belt and those of the members of the ISC, I turn to other amendments. New clause 3, in the name of the right hon. Member for Haltemprice and Howden, deals with
“cruel, inhuman or degrading treatment”.
I understand why he has proposed the new clause. It is always worthwhile debating the issues, which run through the entire Bill. Am I assured that there are processes in place that protect our civil liberties? Yes, I am. However, there are occasions when things can go wrong or people ignore them. I think they have been strengthened greatly, but the right hon. Gentleman refers to an important point. I was on the Committee in 2017 when we did the inquiry into detention and rendition. That took a long time, but it was a good report given where it got to. It unearthed things that were not pleasant but had been done in our names as a democracy.
One conclusion the Committee came to was that in its view the UK tolerated actions and took others that were regarded as inexcusable. Well, they were inexcusable, because as the report outlined, we passed on information to allies who then used it. I think things have changed, and to give Members an example of how the ISC can improve things, we called for a review of the consolidated guidance surrounding the way that security operatives should operate regarding issues of rendition or torture. That led to the Fulford principles, which I think have moved on and tightened up the rules and guidance for members of our security services. That was a big movement forward.
I do not think the right hon. Member for Haltemprice and Howden will push the new clause to a vote, but it reinforces the point that if we have a situation whereby, again, we get information that is passed to one of our allies, we must ensure that those principles are upheld. Am I confident that they are upheld now? I think I am, but how did we get to that pretty damning report in 2017? We got there because those principles and the guidance in place were not followed. We must be vigilant about that, and over the years the right hon. Gentleman has done not only this House but the country a service through his tenacity on these subjects.
I agree, but that then places an unnecessary burden on the system. The current process with the Secretary of State, the judicial commissioner and the Prime Minister is robust enough to ensure that people are not doing this to find out what someone ordered on Amazon Prime this weekend or to look at their Tesco account, so I think those assurances are fine.
New clause 4 would
“remove the ability of the Secretary of State to authorise the interception of the communications of, or the obtaining of communications intended for, or private information belonging to, Members of Parliament.”
Again, it is good to have this debate, but I would support such a measure for the reasons I have outlined.
The other change in the Bill concerns bulk data. The right hon. Member for South Holland and The Deepings covered the original investigatory powers in detail, but there are now big data sets held not only by public authorities but by others, and that has made it more important that our security services are able to access them. Whenever we do this, however, it means more intrusion, so let me deal with the issue of oversight in the Bill, and with the broader, more intrusive powers to obtain internet connection records for the discovery of targets.
Again, that is something that I and other ISC members totally support, but the authorisation process is internal. One stance that the ISC has taken throughout all this is that if we are to give more powers to our security services, there must be a balance. There will not be a situation whereby what people have seen can be identified, but this power will drag in a lot of people who, as the right hon. Gentleman said earlier, are completely innocent. As I said, there is a need for such a power, but we thought there should be more oversight from the Investigatory Powers Commissioner. Therefore, the points I made about amendment 15 are important.
The Investigatory Powers Commissioner’s Office does a great job of ensuring public support for what we do, but, again, there is an issue around bulk datasets. Some of the examples that were given to ISC members—thanks must go to the Minister, who arranged a meeting for the Committee to be briefed on this—make sense when it comes to the issue of low or no reasonable expectation of privacy. It is burdensome, for example, to access the electoral register, but today the Government have said that somehow that is a secret document. Well, that is not the case under this Bill, in which case it is important that the security services should be able to use it, rather than having to go through the warrantry process. That goes to the point, which my hon. Friend the Member for Barnsley Central raised earlier on, about the definition of “low expectation”.
Another perfectly legitimate reason that the security services need these measures is related to testing new AI models of learning. They need access to these new big datasets, which are out there and which companies use, and the Bill will allow them to have it without going through the warrantry system. If intelligence is going to be on the front foot when it comes to AI, we will have to have these big datasets that will teach the systems how to do it.
The problem comes back my hon. Friend’s question of what is deemed a low or no reasonable expectation of privacy. That is something we have considered throughout this process. One thing the ISC has considered is adding to the existing categories. One suggestion we put forward was that, when the agencies do this, they should have to email the Investigatory Powers Commissioner to notify them that they have done it.
I hope the Minister is not going to intervene again. My legs might get wobbly if I have to sit down again. I might even need some smelling salts. He has explained the internal system, which I am quite satisfied with, but as I said to him and his civil servants—I think other members of the ISC have also said this—it is not us that he has to convince, but the public.
I thank the right hon. Member for giving way. I just want to assure him that I have taken on board his points. I went back to the agencies and assured myself of the challenge that he had raised and found what I think is a better answer than the one we looked at when we were chatting. I wrote to Sir Brian Leveson and I am delighted to say that he responded, confirming that he will pay specific oversight to this regime in the early years until he is content that it operates in the way that the ISC, the Government and the British public would expect. IPCO has taken on this responsibility, which, I think, answers the question more succinctly than it would be if it were included in the Bill.
May I just get some clarity? That is a perfectly legitimate way of doing it, and it will mean not interfering with the existing system, which was the concern of both the services and the Minister. I understand that this not as simple as an email being sent. Will that mean that there will be a section looking at this issue in the first annual report? If that is the case, we could at least say to the public that it is actually being considered and the promise is being followed up.
The right hon. Member will understand that IPCO is operationally independent, so I will not instruct the office or speak for Sir Brian, who has been unbelievably rapid and helpful in his response today. I am sure that he will have heard the comments that the right hon. Member made and, no doubt, will want to draw attention to any areas where he has any doubts at all.
I understand where the right hon. Gentleman is coming from. Our original idea about having an email was explained when I met the Minister and his civil servants. I think that that would really cut across some of the processes that we have in place. The suggestion that has been made would be one way of doing it, but IPCO already has the powers to look at such things. The only problem with doing that is that we would then have to set up someone in the agencies to produce another report. I do not want to do anything that holds up their work, and I think that that might do it.
Possibly the Minister’s suggestion of how Sir Brian Leveson is going to do it will give the public some reassurance. Let us not forget that Sir Brian has the power to take action if things are not being done correctly. If we read his reports, we can see that he is not fearful of doing these things. A fair compromise has been put forward. I think we have one and a half victories so far—
I will satisfy my right hon. Friend immediately and, I hope, save him time in his speech. Local authority trading standards teams are responsible for a range of legislation where enforcement requires investigation and may need to draw on communications data. The idea is that the powers in this Bill will be in keeping with those powers, not for them to be expansive, so my right hon. Friend is right: it is for serious crimes, as has already been set out.
That is excellent—it helps, because the schedule associated with that part of the Bill does not make that explicit. I hope that the Minister, having given that binding assurance to the House, will reinforce it in the explanatory notes associated with the Act and in the code attached to it.
I am seeing the Minister nodding. He might want to say a word or two more when he sums up.
The Minister may want to intervene on me again to do exactly what the right hon. Gentleman has suggested.
On the grounds that it will save me time when I wrap up at the end of the debate, I will make it clear now. His Majesty’s Treasury is responsible for civil enforcement of financial sanctions regulations, and some information that is essential to carrying out its civil enforcement functions is now communications data, such as the timestamp on online banking transactions. His Majesty’s Treasury cannot currently use its information powers to compel that information to be provided by a telecoms operator, so to go back to the statement I made earlier, local authority trading standards teams are responsible for a range for legislation where enforcement requires investigation and may need to draw on communications data.
That is very helpful and, I think, goes a fair way towards what I want to achieve. The Minister has therefore made clear that the power will not be permissive. If he uses those very words—forgive me for putting them into his mouth, Madam Deputy Speaker—that would also help. These are going to be rarely used, particular powers associated with regulatory or legal functions of local authorities, not permissively available to those local authorities at their whim. That is clear as crystal, is it not?
If my right hon. Friend will forgive me, I will use the words I am using. Those powers will be used as infrequently as we all hope they will be, but they will be used in keeping with the law as described. If the frequency increases, it will be because of the need to act; I am very cautious about saying that these crimes will disappear, and therefore the frequency will change. I am not willing to predict that criminality now.
I entirely understand. I used the example myself of trading standards: in Lincolnshire, we have an issue with the sale of illegal cigarettes that has become not a trivial matter, but one of organised crime. It is not restricted to my county or locality: it is a national problem, and it is of course an example of where a local authority, working closely with the police, might well need to use those powers. By the way, those local authorities will be working with other agencies too: because money laundering is involved, His Majesty’s Revenue and Customs might be involved, and so on and so forth. That is a good example of where those powers might be useful in catching very serious criminals indeed, but the word I wanted the Minister to use is that these powers are not permissive. He will understand what I mean by that, and I cannot see why that would present any problem at all, given the reasonable, sensible man he is.
I apologise to my right hon. Friend. These powers are not permissive in the sense that they are expansive: they are permissive only in the sense applied to them by this law, with the restriction of the powers that local authorities already have. They are not to be used in any way other than as set out very clearly in the Bill.
I think that is helpful. The Minister will remember that when we debated the original Bill that became the Investigatory Powers Act, one or two newspapers used the term “the snoopers’ charter”, and images were used of local authorities using those powers to investigate people’s rubbish to make sure they were recycling properly, for example. I do not want to add unnecessary levity to our consideration tonight, because we are dealing with very serious matters indeed, but the Minister will understand how that kind of misunderstanding—indeed, misinformation—could do far more harm than good.
Again, just to clarify for my right hon. Friend, this Bill offers no greater expansion than his own Bill did in 2016. In the same way he ensured that Bill was no snoopers’ charter, I assure him that this one is not either.
Yes, exactly. The right hon. Gentleman has put it very clearly, and the sense of what the Minister has said has reassured me that it is not the Government’s intention to extend those powers beyond the very strict legal limits associated with the kind of organised crime that he and I have both cited. For me, that is considerable progress. The right hon. Gentleman spoke earlier about half a win; I think that is three quarters of a win, at least. For that reason, I feel that I can move on to my next request of the Minister.
We spoke earlier about IPCO, and its role and association with Government. As the Minister will know and as the right hon. Member for North Durham referred to, this legislation provides for a report to be made available to the ISC on an annual basis. There has been some concern that that report might be rather different from the one that is made available to Ministers and others, and my anxiety is that it should not be different. All that it should exclude is current operational matters; nothing else should be excluded from what my Committee considers, and clearly, it needs to be the same as what IPCO gets. We cannot have three or four different reports.
That is a 100% win. It is not half a win or three quarters of a win; it is just a win. So we are making huge progress tonight, partly due to the diligence of the members of the ISC and other Members of this House, including the official Opposition, but largely due to the reasonableness of the Minister. He is a listening figure, and he is growing in stature and reputation as a result. I am delighted that the Minister has agreed to the fourth of my requirements.
I thank the right hon. Gentleman for his intervention. I share those concerns, but I wish to put on the record my concern for my constituents in relation to how the changes are interpreted and how they will affect people.
I will give the last sentence of the quotation from the Computer & Communications Industry Association:
“They could risk deterring investment in improving service for UK consumers and contribute to a sense that the UK is not a safe market in which to invest.”
Those are the four tech companies, and the questions are on the record—I put them in Hansard—so that perhaps the Minister can give me an answer. Will he outline what mitigations are in place for the matters affecting those four companies in order to secure the tech industry’s place in the fabric of our lives in the United Kingdom?
I am pleased that the Minister has accepted amendment 23, which was tabled by the right hon. Member for North Durham (Mr Jones). The Democratic Unionist party was minded to support that amendment, but, because it has been accepted, we will not need to do so.
While I am aware of valid concerns, I am also aware of the need for this Bill, which the gallant Minister will know about better than most in the House. He served in Northern Ireland, so he understands the implications for us in Northern Ireland and the lives that we have led for some years. I was a part-time soldier in the Ulster Defence Regiment and in the Territorial Army for 14 and a half years. I have been a recipient of security intelligence and know how it can save lives. I am here today because of intelligence, which found out what the IRA’s intentions were. That is a fact. That has affected not just me; over the years, the intelligence services have saved the lives of other hon. and gallant Members. I have many friends who served and who are alive today because of the intelligence service or the Security Service. I had many other friends who unfortunately are not alive today; I remember them as well, so I do.
We must remember that the whole objective of the Bill is to keep us safe, to keep us secure and to ensure that our lives with our families can continue. I do hope that a balance has been struck, as the Minister outlined, because freedom is a prize worthy of getting it right. I know that the Minister wants to get it right, and I want it to be right. Madam Deputy Speaker, you want it to be right as well. Let us do it and get it right tonight.
Right hon. and hon. Members will be delighted to hear that, having answered colleagues as we went along, I have only a few short words to conclude. [Hon. Members: “Hear, hear!”] I know how to keep them happy.
Amendments 3 to 6 to clause 14 concern the restoration of specified public authorities’ general information powers to secure the disclosure of communications data from a telecommunications operator by compulsion. I pay tribute and thanks to my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes). I hope that Members will have noticed that I have listened carefully to Members across the House, and I believe that this Bill has been pulled together carefully alongside the Intelligence and Security Committee. It is a slight shame I cannot thank the right hon. Member for New Forest East (Sir Julian Lewis) in person, who is sadly at a funeral today. He has played an important role in contributing to and leading the engagement of which I have had the advantage in preparing this Bill.
Let me quickly touch on one or two points. My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) spoke about notices. It is important to note that the notices do not block innovation. They do not stop a technical patch or infringe on companies’ ability to update their systems. All they do is make sure that the existing level of access remains while that is being looked at. That is a reasonable element to ensure that the British people are kept safe by the British law enforcement authorities.
I understand what my right hon. Friend is saying, but the practical consequence of issuing such a notice is that the development of the product about which concern has been expressed has to stop. Therefore, the infringement on commercial liberty, in practice, is exactly what I have described, is it not?
If my right hon. and learned Friend will forgive me, I will be able discuss that in a more secure environment, but I can only say, “Not necessarily.” I will be able to describe why that is in a different environment, but I cannot do it here.
The reason for not accepting amendments 22 and 23 —I understand the points made by right hon. and hon. Friends and Members across the House—is that we are talking about a very limited number of people. One Secretary of State is already used to do the initial request. The second person on the triple lock is a judicial commissioner—a judge. The third therefore has to be one of the four Secretaries of State left. Therefore, it is important that we make sure that it is somebody in whom the Prime Minister has confidence. Given that we are about to have a new Government—I hope the new Conservative Government, but still a new one—it is entirely possible that there will be a new Cabinet and that the routine explanation will not be satisfactory. As routine duties do not have legal clarity, we will not use them.
The Minister has used that argument before about new Secretaries of State, and it is complete nonsense, is it not? It would not happen on day one unless the Prime Minister suddenly got covid or was indisposed. By the time this came in, those three people would be there anyway. His argument is pretty weak.
The right hon. Member has made his point and I have made mine; I am afraid I will leave it there rather than continue. The ways in which we have been able to engage on the Bill has been incredibly supportive and helpful.
The removal of clause 15 from the Bill would prevent the intelligence agencies and the National Crime Agency from detecting some national security and serious crime threats, and those intent on committing child sexual exportation and abuse. Given the robust oversight of the regime in general, and the internet connection records in particular, we simply do not believe that this is in the best interests of the British public. Removal would benefit only those who threaten our safety and serve to make the work of the intelligence services and the NCA significantly harder as they seek to protect us and bring paedophiles to justice. The Investigatory Powers Commissioner already has the necessary powers to inspect and report on all parts of the CD regime. If the Investigatory Powers Commissioner wishes is to focus attention on condition D of the internet connection record, they have the power to do so. With those clarifications, I commend the Bill to the House.
Question put, That the clause be read a Second time.
I beg to move, That the Bill be read the Third time.
I pay huge tribute to all the contributions from across this House, and particularly to my hon. Friend the Member for North Cornwall (Scott Mann), who whipped this through in exemplary fashion and will be delighted that since my appointment he has not had to take a Minister’s place on a Bill. He will also be grateful, along with me, to Lord Sharpe in the other place who has led on this Bill brilliantly, and taken us through with exemplary speed. I thank the hon. Member for Barnsley Central (Dan Jarvis), who has been a great friend for many years. We have now completed a Bill together, which really does bring us that bit closer. I also say an enormous thanks to Phoebe, Fintan, Francesca, James, Emer, Lucy x 2, Megan, Sophie, and Tom Ball, whose exemplary work in the Bill Committee has been fantastic.
It is gratifying that we will get this Bill on the statute book, because it will give our security services the necessary powers to keep us all safe. I add my thanks to the staff of the Committee on which I and other Members served, and like the Minister I thank the civil servants who I have engaged with throughout the passage of the Bill. I also thank my hon. Friend the Member for Barnsley Central (Dan Jarvis) for his engagement on the Bill. The right hon. Member for New Forest East (Sir Julian Lewis) would have liked to have been here today. He has played an integral part not just in speaking about the Bill, but in his work on the ISC. As I said earlier, unfortunately he is at the funeral of Lord Cormack; the House will understand his reason.
As I said, the Bill will improve our abilities. Perhaps the Minister would also like to put on record his thanks to the ISC, which he forgot to do. It might have been a painful process at times, but can I give him some advice, possibly for the future? He may well have been able to solve some of these issues earlier in our discussions, and avoided keeping his colleagues here on a Monday night—[Interruption.] The Secretary of State for Levelling Up, Housing and Communities says from a sedentary position that that was impossible, but the Minister has agreed to our amendments.
Some of us should take yes for an answer.
(7 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Investigatory Powers (Amendment) Act 2024 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
That the House do agree with the Commons in their Amendment 1.
My Lords, with the leave of the House, I will also speak to Amendments 2 to 17.
The Investigatory Powers (Amendment) Bill has returned to us in good shape thanks, in great part, to the expert input of noble Lords when we first considered the Bill. The Government have therefore made only a small number of amendments to the Bill in the other place, which we will consider today.
Clause 11 ensures that there is clarity for tele- communications operators operating within the IPA framework, as to which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner to be notified of such breaches.
Amendments 1 and 2 update this clause to provide a clear route to redress for those impacted by personal data breaches committed by telecoms operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about such breaches, within the context of the use of investigatory powers, and grant a remedy.
Turning to Amendments 15 and 16, noble Lords will recall that the Government accepted several amendments tabled by the noble Lord, Lord West of Spithead, on Report in relation to the alternative triple lock process for warrants which enable the intelligence agencies to acquire the communications of parliamentarians. As I set out at the time, while the Government agreed with the bulk of these amendments, our view was that we would need to clarify one relatively small aspect. The inclusion of “routine duties” was overly restrictive and would have undermined the resilience of the triple lock process that these clauses seek to safeguard. Amendments 15 and 16 therefore replace this with “relevant operational awareness” to ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation.
I turn now to Amendments 3 to 6, which make changes to Clause 14. This clause concerns the restoration of specified public authorities’ general information powers to secure the disclosure of communications data from a telecommunications operator by compulsion. These amendments do not create new powers for these bodies. These amendments limit the restoration of the powers to those public authorities already listed in Schedule 4 to the IPA and those in new Schedule 2A.
Bodies in Schedule 4 to the IPA may use powers within the IPA to acquire communications data for the statutory purposes within the Act. Therefore, it is right that they are also able to use their existing statutory regulatory and supervisory powers outside the IPA in support of their statutory functions, provided there is no intention to use the communications data for the purpose of investigating or prosecuting a criminal offence.
The creation of new Schedule 2A ensures that those bodies which are not in Schedule 4 but have a clear requirement to utilise their existing supervisory and regulatory powers can continue to do so, such as His Majesty’s Treasury in respect of the sanctions regime. This schedule can be amended in future via a new delegated power, ensuring continued parliamentary oversight of which bodies are included.
Once again, I would like to thank the noble Lord, Lord West of Spithead, and members of the Intelligence and Security Committee for their engagement on improving this clause. I hope that noble Lords will agree that the amendments provide greater clarity and ensure that Parliament has oversight of the bodies to which the relevant powers can be restored.
Finally, Amendments 7 to 14 make minor and technical changes to Clause 21 on notification notices, ensuring consistency in language across the Investigatory Powers Act. Amendment 17 removes the privilege amendment inserted by the Lords and is procedural. I beg to move.
My Lords, I thank all noble Lords who were involved in the passage of the Bill. I restate my thanks to the intelligence agencies and law enforcement for their contributions to the Bill and of course for the work they do every day to keep this country safe.
I have to say to the noble Lord, Lord Coaker, that I genuinely thought that I had got away with being the Prime Minister’s diary secretary for once. I am afraid the answer is that I have not.
I thank both noble Lords for their appreciative comments about the Bill team and indeed about the Government. We have tried hard to engage to make the Bill as good as it can be, and by and large I think we have succeeded.
I shall address the specific points that were raised. The noble Lord asked about His Majesty’s Treasury and local authorities. New Schedule 2A has been created to provide Parliament with further clarity on which public authorities will have their regulatory and supervisory information-gathering powers restored by Clause 14. That follows concerns raised by the noble Lord, Lord West, and other members of the ISC.
We are aware that His Majesty’s Treasury and local authorities in particular require legal certainty on the exercise of their pre-existing statutory powers in respect of their supervisory and regulatory functions. Other bodies which have been affected by the revocation of powers by Section 12 of the IPA, such as His Majesty’s Revenue and Customs and the Financial Conduct Authority, are already listed in Schedule 4 as they are able to acquire communications data in support of their criminal investigations under Part 3 of the IPA. There will be other public authorities which have pre-existing information-gathering powers in respect of their supervisory and regulatory functions, but it has not been possible to establish a complete list at this time; instead, we have created a new delegated power to add further bodies to Schedule 2A as necessary.
On the specific questions asked by the noble Lord, Lord Coaker, the existing definition of “local authority” as found at Section 86 of the IPA applies in respect of the communications data acquisition powers under this Act, so it is not mayors. I have, helpfully, been sent what “local authority” means and I will read it into the record. It is a district or county council in England, a London borough council, the Common Council of the City of London in its capacity as a local authority, the Council of the Isles of Scilly, a county council or borough council in Wales, a council constituted under Section 2 of the Local Government etc. (Scotland) Act 1994 and a district council in Northern Ireland. In terms of the Treasury and what that involves, it is the Treasury and its arm’s-length bodies.
The noble Lord also asked why we are using the negative procedure, rather than an affirmative one, to add new bodies to Schedule 2A. These amendments limit the effect of Clause 14 and will afford Parliament greater scrutiny than under the original drafting. The House did not object to the original drafting, so I hope we will welcome the additional parliamentary oversight that the amendments provide. As the process will focus solely on ensuring that pre-existing statutory powers can be effectively exercised, an affirmative procedure would be disproportionate. This is because the appropriate in-depth parliamentary scrutiny will have already occurred when relevant bodies were given their statutory responsibilities in the first place. The negative procedure is more appropriate as it allows for additions to be made to the schedule swiftly to ensure that existing statutory powers are not unduly inhibited from being exercised. Since the information-gathering powers are necessary for these bodies to fulfil their regulatory and supervisory functions, any delay could hinder a body from operating effectively. These reinstated powers will be available only where there is no intention to use that data for the purposes of investigating or prosecuting a criminal offence.
The Bill will help our intelligence agencies and law enforcement agencies keep pace with developments in technology and changes in the threat landscape. They will help to make the UK a safer place. I remain hugely grateful for their work, and I hope that noble Lords will see fit to agree to the handful of Commons amendments before us today.
That the House do agree with the Commons in their Amendments 2 to 17.