I beg to move,
That the draft Data Retention Regulations 2014, which were laid before this House on 21 July, be approved.
The Data Retention and Investigatory Powers Act 2014, which passed into law last week, was a necessary response to a European Court of Justice judgment that called into question the legal basis on which we require communications service providers in the UK to retain communications data. The judgment was handed down in April this year, not August as the explanatory memorandum accompanying the regulations incorrectly states—an administrative error for which I apologise to the House.
Communications data—the who, where, when and how of a communication, but not its content—are crucial for fighting crime, protecting children and combating terrorism. Indeed, Members will have seen the recent reporting on the National Crime Agency’s child abuse investigation, which led to more than 600 arrests and the protection of more than 400 children. The NCA has confirmed that much of the operation would have been impossible without access to communications data. Where an investigation starts with an internet communication, as in online child sexual exploitation cases, for example, communications data will often be the only investigative lead. The loss of such data would have been potentially devastating and would have impacted seriously on the ability of the police, law enforcement agencies and security and intelligence agencies to investigate crime, uncover terrorist links, protect children, solve kidnappings and find vulnerable people in danger. I am therefore extremely grateful for the support shown in both Houses for the passage of the Act. I put on the record my thanks to right hon. and hon. Members—and in particular to the Opposition—for the constructive way in which they engaged in the debates.
However, as was made clear last week, secondary legislation is required to cover the detail of the operation of the data retention regime and to ensure that the appropriate processes and safeguards can be applied to the retention of such data. That approach mirrors the existing position, in which the detailed data retention regime is set out in secondary legislation. That has worked well for a number of years. It is to those regulations that our attention must now turn.
Members will be aware that a provisional draft of the regulations was published before the legislation was introduced. The regulations before the House today are substantially the same as those which have been available for scrutiny and examination. I am grateful to the Joint Committee on Statutory Instruments for considering and reporting on them. I put on record my thanks to the hon. Member for Leeds East (Mr Mudie), the Chairman of that Committee, for arranging an exceptional meeting to consider the regulations.
Before turning to the content of the regulations, let me deal with the discussion that took place during the passage of the Act about the speed at which the legislation was being passed. Without revisiting those debates today, I will briefly explain why we consider it necessary for the regulations to be passed before the summer recess.
To ensure a strong legal basis for continued retention by service providers, we need to get the regulations in place before the House rises. The regulations ensure that the data to be retained are subject to appropriate safeguards, and the communications service providers concerned will welcome the certainty that the regulations bring.
The Act gives the Secretary of State the power to issue a data retention notice to a communications service provider, if he or she considers the retention to be necessary and proportionate. The regulations made under the Data Retention and Investigatory Powers Act 2014 revoke and replace the 2009 data retention regulations. In large part the regulations replicate the obligations placed on providers under the 2009 regulations. In particular, they set out the types of data that can be retained. As was made clear during the debates on the Act, the list goes no further than the existing regulations. Crucially, the regulations set out the nature of the controls that must be placed on the data, both to ensure that they are adequately protected while they are being retained and to ensure that they are appropriately deleted at the end of that period.
The regulations also ensure that service providers are not penalised financially as a result of complying with a notice or the regulations. That is in line with previous practice and is a fair way of ensuring that the data are retained effectively and that there is no distortion of the communications market, given that obligations may be placed selectively. The regulations contain transitional provisions for the continued effectiveness of a notice under the 2009 regulations, until a new notice is given under the new regulations. We will work closely with providers in the coming months as they make the transition to the new regime.
As I highlighted to the House, the regulations contain additional safeguards. They differ from the 2009 regulations only in the context of those additional safeguards. They provide for data to be retained for a maximum of 12 months and allow the notice to specify that different types of data may be retained for shorter periods, where appropriate. If it is not proportionate to retain certain data for a full 12 months, a lower period can be chosen. The 2009 regulations provided for a blanket 12 months, although the directive on which they were based allowed for periods between six and 24 months.
The regulations also provide for a number of issues which must be considered before a retention notice is issued. I wish to assure the House that my right hon. Friend the Home Secretary and I take our responsibilities seriously, scrutinising in detail any case for imposing a data retention notice to ensure that it is necessary and proportionate. It is with equal care and attention that we will approach our obligation to keep such notices under review.
The Home Office has always worked closely with communications service providers prior to serving a data retention notice, and the regulations enshrine this existing best practice in law by requiring the Secretary of State to take reasonable steps to consult the provider affected. As I have previously explained, the regulations will ensure that the data are subject to appropriate safeguards and controls. Those who followed the scrutiny of the draft Communications Data Bill, including some Members in the House this afternoon, will be aware that there was some uncertainty as to the extent to which the Information Commissioner would oversee the integrity and deletion of retained data, as well as their security. The regulations therefore clarify that the Information Commissioner will oversee all elements of the protection and security of the data. We have discussed this with the commissioner and will provide him with the necessary additional resources to carry out this vital role.
Finally, the regulations amend the Regulation of Investigatory Powers Act 2000 to enable the creation of a data retention code of practice. That will allow us to provide further guidance to communications service providers on how to implement their obligations under a mandatory data retention notice and the regulations.
The House may wonder why certain other changes that we agreed to make are not given effect in the regulations. Separately, we will also update the data acquisition code of practice under RIPA to make it clearer that the officer authorising access to the data should be independent of the operation, and to ensure that consideration is given to the level of intrusion where there may be concerns relating to professions that handle privileged information. I know that that has been of concern to hon. Members on both sides of the House.
The House will have the opportunity in due course to review and comment on both draft codes of practice. In addition, we have announced that a number of public authorities will lose their access to communications data under RIPA and we will bring forward secondary legislation in the autumn in this regard. Hon. Members who followed the discussions about the draft Communications Data Bill will be aware that communications service providers are also able to retain communications data on a voluntary basis under a code of practice made under the Anti-terrorism, Crime and Security Act 2001. The regulations apply the same security safeguards and access restrictions to data retained under that code.
As right hon. and hon. Members know, the Data Retention and Investigatory Powers Act will be repealed on 31 December 2016. Any notices made under the Act and the regulations will similarly fall away. The Government have begun the process of a wider review of investigatory powers and it is right that there should be a full and proper debate on the threats, capabilities and, of course, safeguards that govern the use of such powers. I am sure the House will agree that that should include a wider public debate on the issues.
I am sure the Minister will agree that for that public debate and a review to take place, we need good statistics and information. One of the few things that seems to be missing from the previous regulations and the new ones is a section about statistics. Will he confirm that there will be the same or stronger requirements on public communications providers to keep good statistics on such data and how they are used? How will those will be provided to the Government, who will then publish them?
I am grateful to my hon. Friend for highlighting this aspect. As he knows, in the debates last week we underlined the need for greater transparency and reporting of information about the use of the powers under the Act. I can assure him that we will take that forward. He will be aware, too, of the requirement on the interception of communications commissioner to report on a six-monthly basis—I know that was of concern—to assure the House and the public about the use of the powers under the new Act. Therefore, I expect that providers of information and communications service providers retaining that information would provide data to facilitate transparency and to ensure that the public are informed about the use of the powers under the Act.
As has been made absolutely clear over the past week, this legislation merely preserves the status quo. The Act passed last week and the regulations before the House today do not extend or create any new powers or obligations on communications companies that go beyond those that already exist; they simply ensure that the communications data that have been retained by the communications service providers will continue to be available to ensure that the police, the law enforcement agencies and the security and intelligence agencies have the capabilities they need to protect the public and keep us safe. I commend the regulations to the House.
I very much support the process that the Government have brought forward today. The Opposition will support the regulations before the House this afternoon. As the Minister has said, they are made under the Data Retention and Investigatory Powers Act 2014, which we debated last Tuesday, although it seems a long time ago. It was certainly an interesting debate.
The Minister has outlined clearly why the regulations are needed. Last week we supported him in taking the Act through the House, because we recognise, as he does, that retaining records and data is vital in fighting crime, whether tackling serious organised crime, dealing with child abuse or helping to prevent terrorism. We also welcome the safeguards we discussed last week in relation to access to those data. As he explained, the regulations put in place broadly what is already in place, and they therefore have our support.
In offering our support, I wish to raise two issues that the Minister might like to respond to in any winding-up speech he cares to make. First, there was limited consultation on the regulations. As outlined in the explanatory memorandum, the 2009 regulations had a 12-week public consultation. Due to the pressing nature of the legislation we passed last week, the regulations before us had nothing that could be called a full consultation. Therefore, can the Minister confirm that the six-monthly review by the Information Commissioner of how the legislation is working will include the regulations so that providers and other individuals have an opportunity to put on the record any concerns they have about their operation and so that those concerns can be examined?
The interception of communications commissioner is required to make a six-monthly review, and my expectation is that that would certainly cover the use of those powers. We need to consider the interrelationship with the Information Commissioner, because it is a separate regulator that looks at the retention of those data. Obviously, we will consider any interrelationship and any discussions that might need to take place between the two regulators to give an assurance to the public about the use of those data.
I am grateful to the Minister for that response. My main point is that the legislation’s sunset clause means that it will cease to have effect in December 2016. The regulations are being made by the House today, but I want to ensure that they are examined on a regular basis, given that there was no proper consultation because the Act had to be rushed through last week.
Secondly—I raised this matter privately with the Minister’s office earlier today—the initial regulations specified 8 August 2014 as the date on which the European Court of Justice declared the data retention direction 2006/24/EC invalid. The date was in fact 8 April. I just want to be clear that the Minister has relayed that matter to the Joint Committee on Statutory Instruments so that there is no doubt about what we are discussing today and the way it has been framed.
I am grateful to the right hon. Gentleman for contacting my office earlier today to highlight that point, to which he will have heard me make specific reference in my opening remarks. A further draft of the explanatory memorandum is certainly in the process of being relayed, if that has not already been done, as he rightly indicated. We are clear that that has no bearing on this afternoon’s debate.
I just thought that it was worth placing that on the record, as I would not wish there to be any confusion, given the nature of the debate we are having today.
I am happy to support the regulations, given the potential for review and the safeguards we have put in place with regard to the Act. I look forward to formal reviews, as secured by the legislation. Given the assurances the Minister has given today, he will have our support for the regulations.
I am grateful for the support for the regulations offered by my hon. Friend the Member for Cambridge (Dr Huppert) and the right hon. Member for Delyn (Mr Hanson). I understand the concerns that the hon. Member for Hayes and Harlington (John McDonnell) flagged up last week during our debates on the Act. He has highlighted issues relating to different categories of what I might describe as either protected or special groups of individuals in relation to the powers under RIPA. It would be the intent to obtain data from a communications data provider that would principally be at issue in such a context, and that would appear to fit within the code of practice relating to acquisition and disclosure. We therefore intend to bring forward amendments to that code as part of the arrangements. However, I recognise that the hon. Gentleman has flagged up those issues, and I will perhaps write to him—
Equally, I will see whether it is possible to facilitate a meeting with my officials so that they can hear more directly any concerns that might be raised.
I can tell the right hon. Member for Delyn that the interception of communications commissioner will look at the operation of the new legislation, which includes the regulations made under it, as part of his six-monthly review. I hope that that clarifies that point and gives him further assurance.
I also want to make it clear that I stand by the statement in the explanatory memorandum about compliance with the European convention on human rights. That is the purpose behind the Act and the regulations, reflecting the judgment. That is why we have made these changes to secure the legal base—
The hon. Gentleman asks about the legal advice. He will know that it is not the practice of the Government to share or publish our legal advice, but I stand by the statement that has been made. I welcome the support of the House this afternoon, and the regulations will come into effect.
Question put and agreed to.
Resolved,
That the draft Data Retention Regulations 2014, which were laid before this House on 21 July, be approved.