(9 years, 7 months ago)
Lords Chamber
That the draft order laid before the House on 2 March be approved.
Relevant document: 25th Report from the Joint Committee on Statutory Instruments.
At the same time as moving the above order, I invite the House to approve the Retention of Communications Data (Code of Practice) Order 2015.
I should inform the House that the Joint Committee on Statutory Instruments and the Lords Secondary Legislation Scrutiny Committee have both considered the instruments that we are debating today. It might help the House in its consideration of these two communications data codes of practice if I briefly outline what the Government seek to achieve by them and why we have brought them forward at this time.
Communications data are the “who, where, when and how” of a communication, but not its content. It is crucial for fighting crime, protecting children and combating terrorism. The House will recall that last summer we enacted emergency legislation—the Data Retention and Investigatory Powers Act 2014. This Act preserved and added safeguards to our data retention powers. These codes are directly consequential on that legislation.
We are debating two codes today because communications data policy can broadly be split into two areas: acquisition and retention. Acquisition is carried out by relevant public authorities, such as law enforcement agencies. Retention is carried out by communications services providers. Noble Lords will see immediately that these areas are linked: data need to be retained in order to be accessed. These codes—a revised acquisition code and a new data retention code—set out the processes and safeguards governing the retention and acquisition of communications data. They are intended to provide clarity and incorporate best practice on the use of the relevant powers to ensure the highest standards of professionalism and compliance in this important investigatory power. We are bringing these codes forward now to ensure that the important safeguards within them—some of which follow concerns raised by the European Court of Justice judgment last year—come into force before Parliament rises.
I turn to possibly the most important new safeguard contained in the acquisition code: police access to journalists’ communications data. As your Lordships will know, the Interception of Communications Commissioner recently conducted an inquiry into this subject. He made two specific recommendations. His first was:
“Judicial authorisation must be obtained in cases where communications data is sought to determine the source of journalistic information”.
His second was:
“Where communications data is sought that does not relate to an investigation to determine the source of journalistic information (for example where the journalist is a victim of crime or is suspected of committing a crime unrelated to their occupation) Chapter 2 of Part 1 of the Act may be used so long as the designated person gives adequate consideration to the necessity, proportionality, collateral intrusion, including the possible unintended consequence of the conduct”.
He said that the revised code of practice, which had been consulted on,
“contains very little guidance concerning what these considerations should be and that absence needs to be addressed”.
The Government immediately accepted both recommendations. We have amended the code to implement the first recommendation as far as is possible in this Parliament and the second recommendation in full.
The acquisition code, which we are debating, now stipulates that law enforcement must use production orders under the Police and Criminal Evidence Act 1984, or equivalents in Scotland and Northern Ireland, when seeking to acquire communications data to identify or determine the source of journalistic information. This is because production orders require judicial approval. This will help to protect the freedoms that journalists and their sources enjoy in the UK. Whenever law enforcement wishes to access communications data to determine journalistic sources—including whenever law enforcement wishes communications data to support other evidence or intelligence of the identity of a journalistic source—the decision on the application will be made by a judge under PACE. However, this is only a stopgap until we can put this requirement in primary legislation in the next Parliament. Therefore, we have also published a draft clause that sets out how we would do this.
Changes to the guidance in the acquisition code have been made to implement the commissioner’s second recommendation. The code expands on the considerations of rights needed—in particular, the right to freedom of expression must be taken into account when appropriate—and it also contains additional guidance on the considerations of necessity and proportionality, including collateral intrusion and unintended consequences.
I turn briefly to some of the other key provisions in the codes. The revised acquisition code enhances the operational independence of the authorising officer from the specific investigation for which communications data are required. It includes new, enhanced protections for those who work in professions with a duty of confidentiality or privilege. We have not gone further in this regard because it is important to remember that we are debating communications data, which are not the content of a communication. In his report, the Interception of Communications Commissioner made it clear that communications data,
“do not contain any material that may be said to be of professional or legal privilege—the fact that a communication took place does not provide what was discussed or considered or advised”.
This important distinction explains why, while we are enhancing the protections for others in sensitive professions, we are making the change to judicial approval only where communications data are sought to determine a journalist’s source. The fact that someone spoke to, say, a doctor does not reveal what was said. However, if you are trying to establish the source of a leak, knowing who spoke to a journalist may be more important than knowing what was said. The acquisition code also sets out expanded record-keeping requirements for public authorities, improving transparency and implementing recommendations of the Interception of Communications Commissioner.
My Lords, I thank the Minister for his explanation of the two documents. Around 300 responses is quite impressive, and about 250 are wholly or primarily about access to the communications data of journalists. I have just had one about nine minutes ago, as the Minister started speaking. I cannot read it on my BlackBerry, so I cannot do justice to that person.
It is ironic that, in response to the consultation on the acquisitions code, the Interception of Communications Commissioner wrote that it is,
“unhelpful when the reports in the media”—
which I stress—
“misinform the public by stating the use of powers to acquire communications data for crimes, not deemed to be of a serious nature under the Act, are inappropriate. It is also wrong for the reports in the media to cite the Act as a terrorist law and infer that its use for non terrorist related matters is inappropriate”.
I am sure the parties will come together over the next few months in their understanding of this.
From the report of the responses, it is clear that there is still a certain amount of confusion about detail. I note that respondents’ concerns that,
“data would be retained which CSPs did not retain for business purposes”,
were rebutted, as were the concerns that,
“the processing of data by CSPs was a stepping stone to a central database”.
As I said, a lot more communication is clearly needed.
Inevitably, and rightly, there is a focus on data involving certain professions—the Minister mentioned doctors, lawyers and so on—including MPs. I am glad that someone still regards being a Member of Parliament as a profession. I accept that there is no strict privilege here because we are not dealing with content. However, I make the point that, once a person is identified as communicating, it is often only a short step to an assumption about the issues, if not the detail of the content. I was aware of the distinction when I was in practice as a solicitor but it always seemed to me quite a difficult one. If one was tempted to say that one had acted for someone in the public eye, those who heard that comment would make assumptions about what the issues were. I am a bit confused by paragraph 3.75, which says that,
“when an application is made for the communications data of those known to be in such professions … at the next inspection, such applications should be flagged to the Interception of Communications Commissioner”.
I did not immediately see why that should be done then and not straightaway.
If it is not the wrong phrase to say that I look forward to the review of RIPA and the further work on data in the next Parliament, at any rate I anticipate that we will have it.
My Lords, I, too, thank the Minister for his high-speed explanation of the purposes of these two orders which relate to emergency legislation enacted last year—namely, the Data Retention and Investigatory Powers Act, which goes under the happy name of DRIPA, which sought to retain existing data retention powers called into question, as the Minister has said, as a result of a European Court of Justice ruling. The subsequent regulations to the 2014 Act added a requirement for a code of practice on data retention to the existing requirement for a code on acquisition. Both codes are intended to set out how the legislation is to be implemented in practice. The two orders we are discussing bring the two codes into effect.
The two codes of practice before us set out the processes and safeguards governing the retention and acquisition of communications data which, as we know, can be a key factor in combating crime and terrorism and protecting children by law enforcement and intelligence agencies and other relevant public authorities, since communications data can show who was communicating, when, from where and with whom.
Both codes have been the subject of public consultation. As has already been said, the Government received some 300 submissions from organisations and individuals. When the issue of where those 300 submissions could be found was raised during the debate on these orders in the other place last week, the Minister in the Commons said he would write to my colleague, Diana Johnson MP, on this point. By the end of last week no written communication had apparently been received indicating where the responses could be seen. Perhaps the Minister could ensure that that information is provided.
The Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2015 before us enhances the operational independence of the authorising officer from the specific investigation for which communications data are required. It includes new enhanced protections for those who may have professional duties of confidentiality or privilege, particularly journalists. It reflects additional requirements on local authorities to request communications data through a magistrate, improves the record-keeping requirements for public authorities and aligns the code with best practice in regard to international co-operation and emergency calls.
The Retention of Communications Data (Code of Practice) Order 2015 deals with the new retention code implementing the requirements in the Data Retention and Investigatory Powers Act and the subsequent data retention regulations. The new retention code covers: the issue, review, variation and revocation of data retention notices; the communications service providers’ ability to recover their costs; data security; oversight by the Information Commissioner; and safeguards on the disclosure and use of retained data by communications service providers. It also outlines the scope and definitions of relevant communications data, including data that may be retained in the light of provisions in the Counter-Terrorism and Security Act 2015.
However, the 2014 emergency Act and these two codes of practice do not complete the legislative process. The Government have stated that one of the most important safeguards in the acquisition code covers access to journalistic material. The Interception of Communications Commissioner recently made recommendations following his own inquiry into police acquisition of journalists’ communications data. The acquisition code provides that an application seeking the communications data of a journalist in order to determine sources will be decided by a judge through the terms of a production order under the Police and Criminal Evidence Act 1984.
However, this is only a stop-gap measure—the Government’s words—since it is the intention of the Home Office to put this change in primary legislation in the next Parliament. The Independent Reviewer of Terrorism Legislation is currently examining the operation of the Regulation of Investigatory Powers Act 2000 and his report, which is expected to be completed before May, in a few weeks’ time, may well lead to changes in legislation. The Data Retention and Investigatory Powers Act 2014 itself has an end date of 31 December 2016, so will presumably require further consideration by Parliament.
It is all a very fragmented process of emergency legislation, of stop-gap measures, of imminent further reviews by the counterterrorism reviewer, of further primary legislation already flagged up for the next Parliament and of legislation passed only last year coming to an end in 21 months’ time. The process that has been and is being pursued for dealing with these very important issues does not exactly give the impression—whatever the reality may be—of a carefully planned, thought-through approach to what are very significant matters. Could the Minister say when it is expected that the codes of conduct we are discussing today will need to be updated and reissued in the light of the pending developments I have just mentioned?
Paragraphs 2.21 to 2.23 of the code of practice for the retention order refer to internet-based communications. Paragraph 2.21 states:
“Internet email under DRIPA is considered to be any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
Does that definition include social media or simply refer to internet-based email providers such as Hotmail and Gmail? Does the code of practice include messages sent on social media platforms such as Facebook? If it does, there does not appear to be a section in the guidance devoted to social media. If social media are covered, does a message extend to tagging another person? Specifically, if a person is tagged in a Facebook or Instagram post, does that count as a message for the purposes of this code? What about a person included in a tweet—does that count, as far as the code is concerned? In a situation where there is no user-generated content but there is an interaction, such as liking a post on Facebook, loving a photo on Instagram or favouriting a tweet, would these come within the code of practice?
Paragraph 2.23 says:
“An internet communications service under DRIPA as amended by the CTSA is a communications service which takes place on the internet and can include internet telephony, internet email and instant messaging services”.
The Minister in the Commons hardly clarified the position when he said in the debate on 16 March:
“The code provides that the Home Office may give further guidance to those implementing the requirements”.
He then went on to enlighten us with the statement:
“In other words, there can be further drill-down to give further specificity”.—[Official Report, Commons, 16/3/15; col. 559.]
No doubt, hopefully without too much further drilling down, the Minister will be able to assist in clarifying and placing on the record—which is quite important—how the code, including paragraphs 2.21 and 2.23 to which I have referred, should be interpreted in regard to the points and questions I have raised in respect of social media. That clarification is important and necessary.
The code of practice appears to give the Secretary of State considerable discretion over the review of retention notices, and indicates that factors leading to a review could include significant technological change. How will the dialogue with communications service providers operate and how will it ensure that the Secretary of State will be aware of major technological changes? The Minister in the Commons simply made the somewhat unhelpful and bland statement:
“The Home Office works closely with providers to ensure that it is aware of future technological changes that may lead to a review of a data retention notice”.—[Official Report, Commons, 16/3/15; col. 559.]
I do not really think that is an answer to the question that I have just asked—and was indeed asked in the Commons.
Can the Minister say why no impact assessment has been prepared in relation to the orders we are discussing? As far as I can see, these codes of practice cover the process for decisions regarding the level and extent of compensation payments provided to communications service providers and thus could have financial implications, as well as the potential to affect compliance requirements on businesses. In that regard, can the Minister say what is the total spend on compensation agreed with the communications service providers in each of the past five years?
I hope that the Minister will be able to respond—either now or subsequently—to the queries that I and the noble Baroness, Lady Hamwee, have raised on certain aspects of these two orders, which we do actually support, despite the comments I have made.
My Lords, I am grateful to the noble Lord for his comments, some of which I will have to come back to him about in writing, but I can certainly deal with his question about where the 300 responses are. They are now on the Home Office website. I can certainly send him a link to that but they are there, along with details of how they were considered and which elements have been included in the revised codes.
My noble friend Lady Hamwee was right to stress the importance of the protection of journalists. That links to the previous debate, when we were talking about the importance of freedom of speech and academic freedom within university settings and how these were going to be upheld. Equally, the freedom of the press is one of our cherished principles and we need to maintain it. Therefore, having this review undertaken by Sir Anthony May, who is the Interception of Communications Commissioner and a former High Court judge—he is widely respected—was a helpful step. He came forward with two additional requirements to ensure that there were extra safeguards in place and immediately the Government responded to say that they would do just that.
There had been a suggestion to go still further. I know that some of the respondents, particularly the NUJ, were concerned about issues in relation to seeking the journalist’s permission or notifying the journalist beforehand. But that was not something that Sir Anthony May felt was appropriate at this stage. Of course, that would result in a tipping-off situation, which would potentially put lives at risk.
The noble Lord, Lord Rosser, asked why there was no impact assessment of these codes. A full impact assessment was provided for the underpinning primary legislation, DRIPA, which was enacted last summer, so that contains the elements he referred to. He asked whether the code would need to be updated. Clearly, if Parliament enacts new primary legislation, there might be a requirement to produce new secondary legislation, including replacing these codes.
My noble friend Lady Hamwee asked why paragraph 3.75 of the acquisition code says that the Interception Commissioner should be notified of cases involving sensitive professions at his next inspection rather than right away, as this would mean waiting for nearly a year. We have of course consulted extensively with the Interception of Communications Commissioner in drawing up the code. The formulation is that the code is based on what the commissioner believes will best enable him to carry out a rigorous oversight function.
The noble Lord, Lord Rosser, asked whether we have maintained a dialogue with the communications service providers. As my ministerial colleague James Brokenshire said last week, we work very closely with the telecommunications sector and it alerts us to new technological developments that may have an impact on its obligations.
The noble Baroness, Lady Hamwee, asked why the requirement for judicial authorisation provides only for journalists—oh, I do not think that she did ask that, did she?
It is an excellent question, but I covered that in my pacy opening remarks because I was conscious that an important Statement was due to follow.
The noble Lord, Lord Rosser, asked whether paragraph 2.21 covers social media. As Minister James Brokenshire said at the Report stage of the then Counter-Terrorism and Security Bill:
“A communication can include any message sent over the internet. The legislation relates not to the retention of what the message contained, but purely to the fact that a message was sent”.—[Official Report, Commons, 6/1/15; col. 236.]
RIPA makes that clear and extends the machine-to-machine communications examples, such as the ones that were given.
In the light of what the Minister has said, does that mean that it does cover social media or it does not?
To the extent that social media are messages communicated machine to machine, it does. As to whether the specific examples that the noble Lord, Lord Rosser, talked about, such as tagging on a Facebook page or a tweet, I am going to have to get some further clarification on that and will write to him. But certainly messaging over those platforms would of course be covered.
Surely those aspects that the Minister has just touched on, and about which he says he will write to the noble Lord, Lord Rosser, have to be covered otherwise we have not got the coverage that we require.
I do not want to be drawn too much, at this stage, into the content of it. I have said that I will write to the noble Lord, Lord Rosser, and clarify that point. The noble Lord, Lord West, is absolutely right. Here, I tread very carefully, with my noble friend Lord King of Bridgwater waiting in the wings, but the communications data Bill, which David Anderson is undertaking a review on—he will report on 1 May—will need to be considered urgently. The types of deep web communications within the communications data Bill were felt to be an important part of providing our security services with the ability that they need to tackle the growing terrorist threat against us. That will be returned to as a matter of urgency in the new Parliament.
I am grateful for what my noble friend the Minister said. I think that he covered it in his opening remarks. I understood him to say that, as we go forward, both sides of the House now recognise the need for urgent legislation. I think that Mr Alan Johnson has just joined the club of people saying how impermanent this is. In that case, we have to make clear that there will probably need to be some form of revision of the code of practice to take account of what new forms might come forward. There is not much doubt about the speed with which they are coming forward through social media, WhatsApp and the other things that are happening. Probably a few more that we have never heard of will be in operation by the time that we tackle this legislation.
My noble friend is absolutely right. If there is new primary legislation, it is likely that what will follow is new secondary legislation. If there is new secondary legislation, it is almost certain that the codes that we are talking about today will need to be updated to reflect that. However, I have given undertakings that I will write to noble Lords and I give my appreciation to them for their comments.