(8 years, 6 months ago)
Public Bill CommitteesThis will be a long session: five hours. If anyone is worried about comfort breaks, I do not have the constitution of Mr Speaker, so I will call one at around 4 o’clock or 4.15 pm. We are then expecting a vote on a programme motion at around 6 o’clock. That will, I hope, break it up nicely.
On a point of order, Madam Chairman. I mentioned at the outset this morning that I had written to you and intended to make copies of that correspondence available to Committee members. In the course of the proceedings, I heard the Solicitor General report that I had also written to journalists. Hard copies of all that correspondence are available at the front of the room for collection by members, and I understand that it has also been sent to members by email.
Thank you very much.
Clauses 70 and 71 ordered to stand part of the Bill.
Clause 72
Lawfulness of conduct authorised by this Part
I think I can take this in fairly short compass. The clause deals with the lawfulness of conduct authorised by this part of the Bill. The amendment would delete clause 72(2)(b), the effect of which would be that conduct would have to remain unlawful if it could not be justified. As it is currently worded, the clause allows an exception to that principle, and that is not an appropriate exception. Conduct is either lawful or unlawful. If it is unlawful, it should be characterised as such and should not be justified. Strictly, if the amendment were to be passed, subsection (3) would have to be left out as well, for tidying-up purposes.
May I reassure the hon. and learned Lady that the provisions relating to lawfulness of conduct authorised by part 3 of the Bill replicate those that currently apply in the Regulation of Investigatory Powers Act 2000, and the Bill goes no further in providing indemnity from civil liability for conduct incidental to or reasonably undertaken in connection with a communications data authorisation? The clause is drafted to ensure that a person who engages in conduct only in connection with an authorisation cannot be subject to civil liability unless that activity could itself have been authorised separately under a relevant power. It must follow that the removal of that provision would mean that a person who was acting lawfully under an authorisation that had properly been granted under the Bill would be at risk of civil liability if some incidental or reasonably connected conduct were not expressly covered by the authorisation.
I can see the thrust of the hon. and learned Lady’s argument, but I hope that I have reassured her that the Bill does not go any further than the status quo. For that reason, I urge her to withdraw the amendment.
I beg to ask leave to withdraw the amendment for the time being.
Amendment, by leave, withdrawn.
Clause 72 ordered to stand part of the Bill.
Clause 73 ordered to stand part of the Bill.
Clause 74
Certain transfer and agency arrangements with public authorities
Question proposed, That the clause stand part of the Bill.
There are matters relating to this clause on which I would like to press the Minister. This is the clause that provides for what is effectively the transfer of certain functions between the Secretary of State and other public authorities. The functions to be transferred are the functions in clauses 58 to 60, at which we looked in some detail last week: the filtering arrangements for obtaining data. As set out in clause 58, it is for the Secretary of State to maintain and operate arrangements. It is then for the relevant public authority, acting through a designated senior officer, to effectively carry out the exercise, using authorisations as and where necessary and appropriate. We discussed that arrangement.
Clause 74 provides for a transfer of functions of the Secretary of State—which I take to include establishing, maintaining and operating arrangements—from the Secretary of State to another public authority. That seems to me to cut through the thrust and the purpose of clause 58, which has a clear hierarchy to it: the Secretary of State, then the designated senior officer. Subsection (1)(b) is freestanding and transfers any function exercisable by a public authority back the other way to the Secretary of State, so there is a complete provision for a swap of roles. Subsection (3) indicates that:
“Regulations under subsection (2) do not affect the Secretary of State’s responsibility for the exercise of the functions concerned”.
Then schedule 5, in the back of the Bill, is referred to, but that does not add a great deal.
The question for the Minister is: how is it anticipated that these powers are to be exercised? On the face of it, this is an odd structure for a Bill to set out. This structure goes from the Secretary of State down to the relevant public authority, with the Secretary of State having a much wider role of setting up the arrangements, only for us to find, several clauses later, that it is possible to flip the functions and have the public authority making the arrangements. That seems to remove some of the formality and the safeguards intended by clause 58.
The hon. and learned Gentleman, with his typical diligence—which is at least matched, by the way, by those on the Treasury Bench—has identified, quite properly, both the reasons for this clause and the character of the transfer of arrangements that it details. He accurately identified subsection (3), which emphasises that:
“Regulations under subsection (2) do not affect the Secretary of State’s responsibility for the exercise of the functions concerned”.
The transfer of arrangements will change neither the Secretary of State’s responsibility nor the process for authorising requests for data. It is about the technical running of the filtering capability. It is there to require flexibility; it might be appropriate at some future point for another authority to exercise the filtering function, but without responsibility moving from the Secretary of State. The Secretary of State will retain responsibility, but the operational running of the filter might change over time. This is essentially about future proofing.
I am grateful to the Minister. I am not being pernickety; I just want to be clear. Subsection (3) appears to apply only to regulations under subsection (2), which I think is about changing the powers of public authorities lest they should not have the power to carry out functions on behalf of the Secretary of State. In other words, when the Secretary of State is modifying the powers available to a public authority, that comes within subsection (3). On reflection, I wonder whether sub-clause 3 should say “regulations under subsections (1) and (2) do not affect the Secretary of State’s responsibility”, because I think that is the thrust of what the Minister said.
That is not an unreasonable point, actually. Someone who read the Bill could certainly come to the same conclusion as the hon. and learned Gentleman. I will look at that from a drafting perspective, because it is important that we are clear. First, in all these matters, filtering arrangements take effect only as the result of a lawful process; the process for permission will not change. Secondly, that permission rests with the Secretary of State; I do not want there to be any ambiguity—as the hon. and learned Gentleman suggests there might be—about which parts of this clause that affects. On re-reading the clause, I can see what he means, so I am happy to take it away and check whether the drafting needs to be amended in the way that he describes. In that spirit, and with that immensely generous offer, I hope we can move on.
I am grateful.
Question put and agreed to.
Clause 74 accordingly ordered to stand part of the Bill.
Schedule 5 agreed to.
Clause 75 ordered to stand part of the Bill.
Clause 76
Extra-territorial application of Part 3
I am grateful to the hon. and learned Lady for her intervention. I am not pressing amendments 150 and 151. They have been put forward to draw attention to concerns. The hon. and learned Lady made submissions last week about service in relation to civil proceedings under the White Book, which I noted and could see the sense of. I do not want to push amendment 150 and accept that “unfeasible” and “inappropriate” may not be the best way to articulate the point.
What underlies both amendments is a genuine concern on the part of those who, when the Bill receives Royal Assent, will be called on to assist in relation to warrants and who want clarity on how the procedure is to operate, what they are to do and what the safeguards are, in particular when they find themselves, as we mentioned last week, required under penalty of criminal proceedings in this country to do something that constitutes an offence in the country in which they are operating. That is a very real concern for them.
I shall deal as pithily as is possible with the points the hon. and learned Gentleman made. The first was his helpful contribution in the form of this schematic, to which I will not respond now. He would not expect me to as I have only just seen it. It might form part of my next letter to the Committee to explain why in different parts of the Bill these matters are handled in different ways. In doing so, I will implicitly consider his point about whether that is healthy eclecticism or unhappy inconsistency.
Secondly, it is important to point out that clause 76 essentially maintains provisions on extraterritoriality as they are now, replicating the arrangements under RIPA, clarified by the Data Retention and Investigatory Powers Act 2014. The hon. and learned Gentleman is right, but there is nothing new here.
Thirdly, there is a need to retain flexibility about where the notices are served. I take the hon. and learned Gentleman’s point that companies may take a view on these things, and sometimes those might be overlapping or conflicting views about different aspects of the Bill, but in those terms it is important to maintain a degree of flexibility about the communications data notice and where it can be delivered.
Fourthly, on the hon. and learned Gentleman’s point about coming more speedily to an agreement that is more satisfactory than either current arrangements or those that might be delivered through a mutual legal assistance treaty, I can offer the Committee the assurance, as I have previously, that that work is under way. We are hopeful—indeed, confident—that we can achieve the sort of outcome that he has described. He referred, as I did, to the comments of David Anderson, which were critical of the mutual legal assistance treaty process on the grounds that it is slow. It is not always the best way of achieving the objective set out in the Bill, because it is not designed for that purpose but an entirely different one.
Finally, I would say that this is really important. Although the hon. and learned Gentleman is right that this is a particular part of a particular part of the Bill and so could be overlooked, it is important to understand that, in terms of the objectives we seek to achieve—that is, those of us who want the Bill to work well, which I think applies to the whole Committee—these powers are significant. Much of what happens is now happening overseas and much of the process by which we deal with overseas organisations is vital to the work of our security services and others. Dealing with extraterritorial matters is significant, but not straightforward. It is dynamic, for the reasons that we have both offered to the Committee. In that respect, I believe we have got the Bill about where it wants to be. I do not say that these things will not evolve over time, but for the purposes we have set out, the clause works.
As with all these things, I start from the perspective of wanting to be both convivial and conciliatory; both helpful and positive. I never ignore arguments put in these Committees or on the Floor of the House, as people know who know how I operate. The House has an important function in making government as good as it can be, and that is partly about the interaction and tension between Government and Opposition. Of course I am always prepared to listen, but I think we have got this right. With the appropriate humility, I suggest that we move on.
I indicated would not press the amendments at this stage. I beg leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
I will not make a case again for the clause, but I shall say this, in the spirit of helpfulness and kindness. It is really important that the Committee sends out a combined message to overseas communications service providers—on which the obligations will have an important effect because their commercial endeavours have a significant relationship with the powers we are trying to cement in the Bill—so that they have a very clear impression that we as a Committee of this Parliament are clear that we expect them to do their bit to do what is right. We should not, out of a sense of good will, allow ourselves to be misled and encouraged not to have high expectations or make serious demands of those organisations.
I simply say to the hon. and learned Lady that clause 76 is about giving a clear signal, as does clause 57, with which it should be read in tandem, that telecommunications operators should comply with the notice given, whether or not they are in this country. I accept that that is difficult and challenging—I made that point at the outset—but my goodness, it is vital that we take these steps. I know that she is open-minded and a woman of great good will, but we should not allow that to dilute in any way that common message to those big companies. I do not want those companies to get away with anything that that should not get away with.
I am not so much concerned about the message we send out to the companies; I am more concerned about the message we send out internationally and potentially to authoritarian regimes. The difficulty is that if the British Government demand from these companies unqualified co-operation with British laws, that might encourage authoritarian Governments to do likewise. We clearly would not want that, so we need to be very careful about the messages we send out and think carefully about their full implications. That is why such matters should be approached by way of mutual legal agreement internationally, rather than the unilateral imposition of one Parliament’s will outwith the area where its sovereignty operates.
Question put, That the clause stand part of the Bill.
It is a joke, Ms Dorries. We now come to a very important clause. In some respects, over the last part of Thursday and today we have been working backwards through the way in which the functions will be exercised, because clause 78 is the starting point in relation to communications data. It relates to the power to require retention of data in the first place, and everything we have discussed has been about how those data can be filtered and accessed after they have been retained. It is a very important clause.
I draw attention to the breadth of the clause, which states:
“The Secretary of State may by notice…require a telecommunications operator to retain relevant communications data if the Secretary of State considers that the requirement is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (j) of section 53(7)”.
The first thing that crops up in relation to the clause is what the test for retention is. The test is, of course, necessity and proportionality but the real question is: what does that necessity and proportionality bite on? That pushes us straight back to clause 53(7), which is problematic because it sets such a low threshold for these extensive retention powers.
There should be no doubt that this provision gives the Secretary of State the power to require the retention of a huge amount of data. There may be circumstances in which that is necessary and proportionate, but the test for whether that power is exercised is pushed all the way back to clause 53(7). To take an example that we touched on last week, extensive data can be retained
“for the purpose of preventing or detecting crime”—
any crime. Any crime of any level can trigger a power to retain data. The importance of the issue of retention over that of access is that at this stage it is about retaining the data of those who are not necessarily suspects or targets but anybody whose data come within the types that are intended to be retained. It is a very wide provision.
Sign-off is by the Secretary of State, so there is no double lock and no reference to a judicial commissioner here. The Secretary of State operates the powers, which are very wide. Clause 78(2) states that
“a retention notice may…relate to a particular operator”;
it may
“require the retention of all data or any”;
it may
“identify…periods for which data is to be retained”;
it may “contain…restrictions” and
“make different provision for different purposes,”;
and it may “relate to data” that are not even in existence at the time. These are very wide-ranging powers triggered by the test set out in clause 53(7), and that is a cause of significant concern. The retention period is 12 months, so this is an extensive hoovering-up exercise.
It is clear that the clause applies to internet connection records, because that is stated in subsection (9). We touched on internet connection records last week in relation to when internet connection records are to be accessed. Now, I touch on it for a different purpose: to highlight how all our internet connection records can be swept up in a data retention notice issued under this provision.
For that purpose, one obviously starts with the definition of internet connection record in clause 54(6)(a) and (b), which we looked at last week. I will not read it out again but just give some examples of what is intended to be included. I will do so in chronological order. The operational case for the retention of internet connection records was published in August last year. Page 3 made it clear that internet connection records are:
“a record of the internet services that a specific device connects to—such as a website or instant messaging application—captured by the company providing access to the internet”.
So that is within the scope of an internet connection record, as set out in the operational case of August 2015. An annexe setting out terminology and definitions was put in evidence before the Joint Committee in January this year, which made it clear that not only web and IP addresses are included, but names and addresses, email addresses, phone numbers, billing data, customers, users, and so on. In the explanatory notes to the Bill, paragraph 2.30, on clause 78(9) makes it clear that,
“communications data that can be retained includes internet connection records. Internet connection records, which are defined in clause 54(6), are a record of the internet services that a specific device connects to—such as a website”
That is therefore consistent with the operational case.
What is swept up under clause 78 are internet connection records, which means connections to the internet and websites to which any device has connected. When anyone uses a device to connect to a website, that is recorded by the provider and comes within the definition. It therefore comes within the retention order. That is what the clause gives the Secretary of State power to retain.
It is fair to point out that clause 54(4), which deals with accessing the data that are retained, says that the access through an authorisation can be allowed only if the purpose is to identify: which person is using the internet, which internet service is being used, where the person or apparatus whose identity is already known is, and so on. It is true to say that on the point of access there is restriction of the way in which internet connection records are accessed, but we need to be absolutely clear that for the purpose of retention, it is a record of all websites visited or accessed by a device.
I do not doubt that my hon. and learned Friend the Solicitor General will deal with these points at some length, but is it not fair to say—the hon. and learned Gentleman is in the mood to be fair—that the two subsequent clauses both build a set of safeguards into the system and provide for a review of the system? There is further work in the Bill that caveats what might be taken to be the extremes of his argument.
I am grateful for that intervention, and I accept that there are safeguards in subsequent provisions. I will be corrected if I am wrong, but on the face of it at least—I am not saying they are incapable of a review—the safeguards do not restrict the definition of an internet connection record in a way that would prevent websites visited being swept up in the retention order.
The message to my and all of our constituents is that, even if they are not a target, a record of the websites they have visited can be retained under a data retention order, and if retained will be retained for 12 months—every website they have visited. But if somebody later wants to access it, there is then a tighter test for that. The chilling effect of clause 78 is that the websites visited will be retained if a retention order is issued. We need to be absolutely clear about that. The tighter definition does not kick in until a later stage of the exercise, and that is a cause of real concern to our constituents, certainly to the people who have engaged with me on the topic, and to our fellows across both sides of the House.
It is a great pleasure to rise as part of this ongoing scrutiny, and to offer my hon. and learned Friend the Member for Edinburgh South West brief respite in this Committee. It is also a great pleasure to serve under your chairmanship, Ms Dorries. It is great to follow the hon. and learned Member for Holborn and St Pancras, who in his customary fastidious and engaging manner has covered in a short space of time all the aspects of many amendments. Some of that bears repeating, and I will speak to new clause 10, which is tabled in my name and that of my hon. and learned Friend the Member for Edinburgh South West.
My hon. and learned Friend spoke at length about the important role that the judiciary, in the form of judicial commissioners, should bring to this process. We do not think it is good enough that the Bill only proposes to use judicial commissioners to review the process used by the Secretary of State in making a decision. The Government may claim that it is important that the Home Secretary retains the power to issue retention notices to internet service providers, as it will ensure that democratic accountability is a salient feature of the process, but I do not accept that to be the case. In fact, I would argue that because of the political arena that any Home Secretary operates in, it is right that this power is handed to and delegated to an independent official such as a judicial commissioner.
It is also worth noting that we know very little of the various notices that the Home Secretary issues, and as such there is no possible opportunity to hold her to account for them. Building the role of judicial commissioners into this part of the process will help to ensure that we have appropriate checks and balances when it comes to the retention of communications data. This is vitally important, because it is the proper constitutional function of the independent judiciary to act as a check on the use of intrusive and coercive powers by state bodies, and to oversee the application of law to individuals and organisations. Liberty rightly points out that judges are professionally best equipped to apply the legal tests of necessity and proportionality to ensure that any surveillance is conducted lawfully.
I turn now to new clause 7. Schedule 4 provides a lengthy list of bodies that are able to access or retain data, including several Government Departments, such as the Department for Transport, and a range of regulatory bodies, such as the Food Standards Agency and the Gambling Commission. This suggests that access to communications data may be allowed for a range of purposes which may be disproportionate and inconsistent with the guidance offered by the European Court of Human Rights.
I draw the hon. Gentleman’s attention to clause 79, which we are not debating at the moment but which is directly relevant to the point he made about proportionality. Clause 79(1)(a) states:
“(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—
(a) the likely benefits of the notice”.
To me, that would be a pretty strong way of enforcing proportionality. Yet the hon. Gentleman is in his peroration claiming that that would not be taken into account, or not sufficiently so.
I am grateful for the Minister’s intervention. I appreciate that that is a safeguard, but we must ask whether those Departments should be getting access in the first place.
I do not want to be unnecessarily brutal with the hon. Gentleman, but either he is making an argument about proportionality or he is not. If he is saying that nothing is proportional, then it should not happen at all, that is hardly an argument about proportionality. Those of us who take a more measured view of these things are considering whether such collection and access to data are proportionate. Proportions by their nature require an assessment of balance, do they not? Yet the hon. Gentleman is suggesting that the scales are weighted all on one side.
The Minister did not actually address why these Departments need access to these data in the first place. I appreciate the point that he is making, but these Departments should not, in my view, require access to this information.
I am delighted to see you back in the Chair, Ms Dorries, as I break my couple of sessions’ silence; it is always very reassuring. I certainly do not wish to keep the Committee here all night, but I will reiterate a point that I made earlier in our considerations, and that relates to the retention of certain data. As my hon. and learned Friend the Member for Holborn and St Pancras pointed out, we understand the need for data retention. However, on looking at the Bill, I am still not entirely satisfied that the Government have taken into account the need for additional security for data retention.
I look to the Minister for reassurance that, when telecommunications and internet providers and suchlike are obliged to retain data, there is a consequent obligation on them to maintain it securely. We know that several such providers have problems with internet security: we saw that with the TalkTalk hack, and we believe another large provider has been hacked recently. Those attacks were on personal data; the Solicitor General and I have had exchanges in this room about the potential for charging them as theft—about whether the sanctions against somebody who committed that offence would be contained in existing legislation.
This part of the Bill needs to look at obliging or maintaining a minimum acceptable level of security, to provide security and privacy for people whose data may have been accepted. I realise that it might not necessarily be covered in detail in the new clause, but now might be a good time for the Ministers to consider whether they believe internet security and the security of personal data held under the terms of clause 79 should be considered in the Bill. Do they believe guidance should be given to telecommunications providers to maintain that security, or do they feel that it is not relevant and that they are quite satisfied with the status quo? I must say that I am not. Notwithstanding the need for the retention of individual data, as described so eloquently by my hon. and learned Friend, it remains a major concern of mine that individual privacy and data are at risk: it puts a question mark over the whole clause and over the areas we are discussing.
I am grateful to hon. Members for a wide-ranging debate. I would first like to reiterate on behalf of the Government the position adopted by the Joint Committee on the draft Investigatory Powers Bill, which quite clearly indicated its conclusion that the case was made for a retention period of up to 12 months for relevant communications data. In the report from David Anderson QC, “A Question of Trust”, recommendation 14 is:
“The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year”.
There we have it: the Government are acting upon the specific endorsement of an independent reviewer and a Joint Committee of this House. There is an element of the waving of the proverbial shroud when it comes to the retention of data, because the word “relevant”, which is contained in the second line of clause 78(1), is the governing word here. It is very important to remember that this is not carte blanche for the Secretary of State to authorise communications service providers to retain everything for 12 months. That is not the case. Where there is no case of necessity and proportionality for a 12-month period, a shorter period must be adhered to. Indeed, if the material is not relevant, it falls outwith the ambit of any such authorisation.
I reassure the hon. Member for City of Chester, who makes quite proper points about the integrity of data, that he is right to make them. That issue affects all those in this room and beyond. He is also right to allude to the criminal law. I reassure him that communications service providers have to comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which together contain those requirements that the data is appropriately secured. When he has the time—which I am sure is as precious to him as it is to the rest of us—chapter 16 of the draft communications code of practice contains an entire set of provisions relating to the security, integrity and, indeed, destruction of retained data, which very much underpin the principles of why CSPs have to operate and will give him the reassurance that he properly seeks about the position with regard to individual data and people’s privacy.
Data retention legislation has existed in this country since the Anti-terrorism, Crime and Security Act 2001, which allowed the Secretary of State to enter into voluntary agreements with telecommunications operators so that they could retain data that otherwise would be deleted. The Data Retention (EC Directive) Regulations 2007 were the first piece of data retention legislation that provided for the Secretary of State to require the retention of such data. We currently have DRIPA 2014 and the data retention regulations of that year. We hope to replace those with the provisions in the Bill. A very important point is that there is nothing new about these proposals. Our data retention legislation has always had the Secretary of State involved in the process and there are very good reasons for that. It has worked successfully until now. As I have indicated, it has been recommended to us by David Anderson.
The amendments that have been tabled seek to drive a coach and horses through all of that. There is a simple and blindingly obvious reason why we wish to maintain the system of data retention. For example, when a crime happens or a child goes missing, it is impossible to know in advance which data would be relevant in any subsequent investigation. It is therefore important that we require the retention of all relevant communications data that matches a certain description wherever it is necessary and important. Because it is impossible to know which data will be the most relevant in advance of any crime, it is impossible to know whether a specific piece of data will be of value to MI5 in locating a terrorist, for example, or to the National Crime Agency in identifying a paedophile, or for any other legitimate purpose. For that reason it does not make sense for those authorities to apply for retention warrants individually. What makes sense is for the requirement of all relevant public authorities to be considered together. The person best placed to do that is the Secretary of State. Public authorities set out their requirements for data retention to the Home Office and they are then carefully considered. As they usually overlap, the Secretary of State is able to identify the specific telecommunications operators and specific data types that it is necessary and proportionate to make subject to data retention notices. As the full costs of data retention are covered by the Secretary of State, only he or she can decide whether or not the benefits of data retention are proportionate to the costs.
There has been some discussion about cost again today. The £170 million figure is based on the cost of our anticipated implementation, which takes into account data that is already obtained under existing legislation. We noted the evidence of BT when it talked about the costs being dictated by its implementation approach, and we continue to discuss implementation with those communication service providers likely to be inspected. Whatever the final cost, however, the important underwriting by the Government is a vital factor in giving reassurance to the industry, not only on the practicability of these measures, but on the importance therefore of involving the Secretary of State.
My worry is that if we went down the road proposed by the amendments, we would end up with a rather confused system that would not allow for the overall benefits of retaining a particular type of data, because the judicial commissioner would only ever be able to consider the benefits to the particular public authority applying for a warrant. It would therefore be impossible to judge the overall necessity and proportionality of requiring a particular company to retain a particular dataset.
We have heard about new clause 10 and its provisions. Given that it is impossible to predict in advance what data would need to be retained, this approach relies on data being retained only after a crime has been committed and/or an investigation has begun. Preservation only works if the data are there to preserve and it is of limited benefit without an existing retention scheme. Without data retention, data protection rules require that the data that are no longer needed for business purposes must be deleted. Without data retention, the data that are needed would not exist. Therefore, the regime of warrantry—the double lock, indeed the proposals put forward by Opposition Members—none of it would matter, because the material would not be there. That is particularly relevant when it comes to the increasing move of criminals and their ilk away from conventional telecommunications to the internet and internet connections.
A number of reports published by the EU Commission show the value of communications data and why the concept of data preservation, as envisaged in new clause 10, is not a viable alternative. In a Europe-wide investigation into online child sexual exploitation, of the 371 suspects identified here in the UK, 240 cases were investigated and 121 arrests or convictions were then possible. Of the 377 suspects in Germany, which does not have a data retention regime, only seven could be investigated and no arrests were made.
I have explained why the existing data retention regime that the Bill replicates is the appropriate model. May I deal with the change proposed by a set of amendments that involve changing the word “may” to “must” in clause 78(2)? That would require a data retention notice to cover certain issues. I am sympathetic to the aim of the amendment, because I am in favour of specific requirements, but the amendment is misconceived because subsection (7) already requires that a retention notice must specify the operator to whom it relates, the data which are to be retained, the period of retention, the requirements and restrictions imposed by the notice, and information on costs. Subsection (2) sets out the scope of what a notice may require and subsection (7) requires that the notice must make clear what is required. The two subsections are therefore aimed at different things.
The effect of this amendment would be to require a notice to cover issues that it might not have any reason to cover. For example, a retention notice may
“make different provision for different purposes”.
With respect, it therefore does not make sense to say it must make different provision for different purposes, because a notice may not relate to those different purposes. I would argue that there is therefore nothing to be gained by moving these amendments. That is all I wish to say, but for those reasons I urge hon. Members to withdraw the amendments.
I will not detain the Committee for too long; these issues have already largely been addressed. Amendments 304 and 305 seek to remove paragraphs (d) and (e) from clause 78(2). In a Bill replete with vagueness, those two subsections stand out as being particularly vague. The new clause that I will come to in a moment would require a data retention notice—or warrant, as we would wish—to be issued only for a specific investigative or operational purpose. The SNP has tabled amendments that will bring greater clarity to when and why a warrant would be issued.
As we know, communications data are defined as data that would be used to identify, or assist in identifying, the who, where and how. However, instead of allowing a blanket surveillance approach that treats everyone as a suspect, the amendments would allow the police to apply to a judicial commissioner for targeted retention warrants, in which data are required for the purposes of a specific investigation into serious crime, or for the purpose of preventing death or injury. I trust that these amendments are acceptable to the Government.
I rise to address the concerns of the hon. Gentleman. It is good to hear from him; I should have said that during the last group. He has made the point about his concerns of vagueness. However, I would argue that it is very important that a notice can have a degree of flexibility within it, because a single telecommunications operator may provide a number of different communications services, such as mobile telephony and internet access. However, there may be different complexities and sensitivities about the different types of communications data that are generated by those services. Considerable preliminary work is carried out between the Government and telecoms operators in advance of the service of a retention notice. That covers a number of issues, including the type of data that will be retained, the complexities of the operator’s systems, and the relevant security requirements. Flexibility is needed to ensure that the notice can appropriately reflect those issues, and that it imposes the minimum requirements necessary to meet the operational requirements.
What we are counter-intuitively getting at is to make sure that there is necessary give and take within the system to prevent what the hon. Gentleman and I would regard as an overweening approach from the Secretary of State, which would impede the ability of communications service providers to carry out their operations. For that reason, I respectfully urge him to withdraw the amendment.
I hear what the Solicitor General has said, but I do not wholly agree with him. I reserve the right to bring this back at a later stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Amendment 306 is tabled, quite properly, to tease out from the Government the more detailed reasoning behind the important statement made by the Home Secretary on Second Reading. The hon. and learned Lady is quite right to refer to that statement. I once again reiterate the Government’s position that we will not be requiring the retention of third party data through these provisions.
The question is how best to achieve that; therein lies the tension. Attractive though the approach advanced by the hon. and learned Lady might be, there are some drafting issues and problems about legal certainty, which mean that putting those provisions in the Bill with suitable detail is problematic.
One of the main functions of the Bill—and one of my desiderata—is to ensure that it is resilient and stands the test of time. My concern is that if we end up with a definition that is too technologically neutral, it will either fail the test of time in this place, or be subject to challenge. As a Law Officer, legal uncertainty is something I have to take very seriously when considering how legislation is presented. That is why I commend the detailed provisions within the draft code of practice on third party data—paragraphs 2.68 to 2.72—that the hon. and learned Lady referred to. That is not only an explicit reiteration of our commitment but the sort of detail needed for those operating the provisions, which could not be properly put in the Bill.
It is generally well understood what third party data are, but perhaps I should briefly explain the important areas of detail that could not be covered on Second Reading. Where one communications service provider is able to see the communications data in relation to applications or services that run over their network, but does not process that communications data in any way to route the communication across the network, then that is regarded as third party data. For example, an email provider, such as Yahoo or Gmail, knows that a certain internet access service, such as BT Internet, was used to send email, but that fact is not needed or used to send it. So it is in everybody’s interest, not least that of the service providers themselves, that there is sufficient clarity about the data that can be retained under the provisions. As I have said, I think the code of practice is the right vehicle for this. It is also the appropriate vehicle for ensuring that there can be a sufficiently detailed definition of third party data for the reasons I have outlined. In those circumstances, I respectfully ask the hon. Lady to consider withdrawing her amendment.
I am not happy about withdrawing the amendment in the absence of elaboration of what the Solicitor General means by drafting issues and problems of legal certainty. I am not clear at the moment why we cannot have both the amendment and the further elaboration that will be provided in the codes of practice.
Amendment proposed to amendment 306: (a), leave out “notice” and insert “warrant”.—(Gavin Newlands.)
Question put, That the amendment be made.
The SNP has tabled the amendments to provide for clear, appropriate and limited grounds on which data retention warrants may be issued. The amendments require that the data to be retained are specified and that organisations served with warrants to retain communications data should be identified rather than merely described.
Amendments 315 and 317 affirm that organisations that have been served a notice or warrant to retain the communications of their customers are properly and explicitly identified. The term “description of operators” is far too vague and we urge that it is changed to “or operators”. Amendment 328 ensures that those organisations are defined and named before a retention notice can be issued. Amendment 338 removes the possibility of the Home Secretary being able merely to describe the telecommunications operators that she wants to target. Amendments 361, 374 and 375 provide the basis for a concrete description to be included when there is any variation of a notice.
The amendments attempt to bring to the Bill some clarity, which is sadly lacking. It is not good enough that the Home Secretary can sign a notice that merely describes who is impinged on or directly affected by these intrusive powers, because that approach opens up the space for the powers to be abused. We need to act to ensure that, as much as possible, we operate a targeted approach.
I understand the purpose behind the amendment in that, in the opinion of the hon. Member for Paisley and Renfrewshire North, it would ensure greater specificity in the giving of notices. However, I shall give a brief example of what a “description of operators” might be. With this provision we would have been able to give the same retention notice to all wi-fi providers supplying wi-fi to the Olympic park in London during the 2012 Olympics. In these circumstances the operators are providing precisely the same kind of communications service and the data required to be retained are the same. Whether a notice relates to a description of operators or to a single operator, it can only contain what the Bill’s provisions allow and the Secretary of State must consult with the operators to which it relates. Operators also have the opportunity to refer the notice back to him or her in relation to any aspect of it. Therefore, on that basis, I invite the hon. Gentleman to withdraw his amendment.
I am content to withdraw the amendments at this stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
This is the first speech I have made in this place that has required an intermission. It has been suggested that I start from the beginning as I cannot remember where I had got to. I am nothing but a crowd pleaser, Ms Dorries, but I have found the place where I left off, so I shall continue.
I was saying that the question whether the Bill is in accordance with the law is up for debate. If this part is left unchanged, Liberty and others suggest that it will be in conflict with human rights law, including breaching the EU charter of fundamental rights and freedoms. In July 2015, the High Court upheld its challenge and struck down sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014, finding them incompatible with the British public’s right to respect for private life and communications, and protection of personal data under articles 7 and 8 of the EU charter of fundamental rights.
In addition, we should be mindful that the challenge against DRIPA is ongoing and that the outcome will have an impact on whether this part of the Bill is lawful, although I suspect not. On that basis, I question whether ICRs will do the job the Government intend them to do. The Home Office has become entrenched with regard to ICRs and its fixation with them is clouding its ability not only to look at alternatives, but to assess whether ICRs are proportionate, necessary or in accordance with the law. The SNP believes that ICRs fail those three basic assessments.
I want to quote an unlikely ally, who, in 2009, said in Committee:
“Our consideration of the regulations comes against the backdrop of an increasingly interventionist approach by the Government into all of our lives, seemingly taking the maxim ‘need to know’ to mean that they need to know everything. Certainly, we need to know what the Government’s intentions are in relation to the creation of a new central database, which would create a central store of our electronic communications.”—[Official Report, Fourth Delegated Legislation Committee, 16 March 2009; c. 6.]
That ally was none other than the right hon. Member for Old Bexley and Sidcup (James Brokenshire), now Minister for Immigration at the Home Office, speaking in a Delegated Legislation Committee on an EC directive with very similar provisions to parts of this Bill. That statutory instrument was passed by the House, but notable opponents included Members who are now Scottish Secretary, Home Secretary and Minister for Security—the Minister in charge of this Bill.
We in the SNP are mindful of the evidence that has been presented and submitted to the Committee, but it is our opinion, backed up by case law, that the power to retain ICRs is incompatible with the right to privacy and the protection of personal data, and I urge hon. Members to amend the Bill and ask the Government to think again.
I am grateful to hon. Members for this important debate, which, although it relates to an amendment, inevitably strayed into what is, in effect, the stand part debate on communications data.
The hon. Member for Paisley and Renfrewshire North set out his case comprehensively, but his arguments relate to measures and proposals that are not before the Committee. We have moved a long way from 2009, and certainly from 2012, when the original draft Bill was considered by a predecessor Joint Committee. We are not in the situation where the Government will hold a centralised database. That sort of measure was rightly opposed by my right hon. Friend the Minister for Immigration and other of my hon. Friends at that time, because we are naturally suspicious of an organ of Government directly blanket-holding such data.
That is why this provision is not remotely like that. It does not contain anything like the provisions that the hon. Gentleman rightly cautions against, most importantly because the retention of that data is not in the hands of Government. That arm’s length approach is a key difference, which I am afraid undermines all the seeming quality of his argument.
Will the series of private databases under the Bill be any safer from hacking than a central Government database?
The hon. Gentleman makes a proper point about security. This, in respect of the code of practice and in collaboration with the industry, will be at the forefront of everybody’s mind. What is important is that the Government do not have a pick-and-mix or help yourself avenue within which they can mine data for their own capricious purposes.
The framework of the Bill quite properly severely circumscribes the circumstances within which the Government can seek access to that material. Most importantly, when it comes to content, the warrantry system—the world-leading double lock system we are proposing—will apply. An internet connection record is not content; it is a record of an event that will be held by that telecommunications operator. It relates to the fact of whether or not a customer has connected to the internet in a particular way. If it goes further into content, the warrantry provisions will apply. It is important to remember that framework when determining, and describing and putting into context, what we are talking about. The Committee deserves better than indiscriminate shroud-waving about prospects and concerns that simply do not arise from the measures in the Bill.
The hon. Gentleman quite properly raised the Danish experience. The Danish Government and authorities are in regular conversation with the United Kingdom Government. That dialogue goes on because they are naturally very interested to see how our model develops, although there are important differences that should be set out briefly. The Danish legislation was not technology neutral, unlike these proposals, because it specified two options that proved unworkable. We work with operators case by case so that the best option for their network at the appropriate time will be determined. The Bill builds on existing data retention requirements, such as the retention of data necessary to resolve IP addresses, which regime already exists under the Counter-Terrorism and Security Act 2015. The full cost recovery underpinning by the Government means that there is no incentive for communications service providers to cut corners, as I am afraid happened in Denmark. There are important differences between the two.
The hon. Gentleman rightly talks about IPV6. Although it is a great aim and something that all of us who have an interest in this area will have considered carefully, it still is, with the best will in the world, a way away, I am afraid. It will take a long time for all service providers to implement in full, and until then, there will be both types of system. Even with IPV6, CSPs may choose to implement address sharing or network address translation, meaning that it is not the guaranteed solution that perhaps has been suggested. Servers who host illegal material are much less likely to move to that system, meaning that, in practice, IPV4 may well remain with us. We therefore have to act in the interim, because, as has been said, the drift away from what I have called conventional telecommunications to the internet carries on whether we like it or not. We have to face up to the world as it is, rather than the world as we would love it to be, and therefore take into account the fact that we are in danger of being unable to detect criminality and terrorism.
The Solicitor General says we have to face up to the world as it is. Why is it, then, that no other democratic nation in the world is implementing legislation of this sort?
The hon. and learned Lady has asked that question before, and I have said to her before that somebody has to step up, try it and make that change. I am proud that the United Kingdom is prepared to do that, as we have done it in so many ways.
Is the Solicitor General aware that it is not that other countries have not looked at the problem? They have looked at the problem and decided that this is not the way to solve it.
I am afraid I do not agree with the hon. and learned Lady. What they have looked at is the sort of centralised, governmental-based database that all of us have quite properly rejected. They are looking with interest to see how this particular proposal develops, bearing in mind that it has now been refined through many Committees of the House. Accordingly, I think what we are doing is innovative, world leading and, with its technology-neutral approach to the definitions, striking the right balance.
The problem with the amendment as I see it is not only that it is technically deficient, but that, on close reading, it does not exclude the retention of internet connection records, because it talks about the sender and recipient of communications, which is either end of the communication we are talking about when it comes to ICRs. Let us assume that that is an error. Even if we consider its intention at face value, the problem with going back to the 2009 regulations is that we are returning to the language of dial-up—the sort of non-broadband, non-mobile internet access we were all used to 15 years ago, but which now belongs in a museum. If we imprison ourselves in that sort of language, the danger that I have outlined becomes very real.
What next? Are we going back to the telex or the marconigram? We have to make sure that the language of the Bill keeps pace with the breathtaking scale of technological change. In the words of the hon. Member for Paisley and Renfrewshire North, the amendment just does not cut the mustard and I urge that it be withdrawn.
I beg to move amendment 175, in clause 79, page 62, line 34, at end insert—
“() the public interest in the protection of privacy and the integrity of personal data; and
() the public interest in the integrity of communications systems and computer networks.”.
Clause 79 sets out those matters to be taken into account before giving a retention notice, as well as likely benefits and the likely number of users. Amendment 175 would add two public interest matters to that list. My argument is similar to the one I made on other provisions. Where matters are to be taken into account, it is important that the protection of privacy and the integrity of personal data and of communications systems are specifically listed. I have moved to a position of thinking that an overarching privacy clause is probably the way to achieve this end; this is therefore a probing amendment and I will not press it to a vote.
I am grateful for the way in which the hon. and learned Gentleman states his case. To put it extremely simply, we would argue that the public interest in the protection of privacy and in the integrity of personal data are already factored in by the provisions of the Bill.
First, proportionality must include consideration of the protection of privacy. Secondly, the integrity of personal data being such an important public interest is why clause 81 requires any retained communications data to be of at least the same integrity as the business data from which they are derived. A retention notice will therefore not be permitted to do anything that would undermine the integrity of the data that the operator already holds for business purposes. That is all I want to say about the matter, but I assure hon. and learned Gentleman that those important considerations are at the heart of the processes we have followed.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 79 ordered to stand part of the Bill.
Clause 80
Review by the Secretary of State
As the hon. and learned Gentleman says, the amendments would require that review under clause 80 be by a judicial commissioner rather than the Secretary of State. Will the Government tell us why the provision of such a route of review would not, in their opinion, give the telecommunications providers greater reassurance that notices are not only lawful, necessary and proportionate but stable and legally certain? It seems to me that a review by a judicial commissioner, or at the very least by the Investigatory Powers Commissioner, would provide that reassurance.
The hon. and learned Lady asks a perfectly proper question. I reiterate the position that we have taken in principle: the Secretary of State is the appropriate and accountable person to be responsible for reviewing retention notices. However, although the Secretary of State must be responsible for giving notices and must therefore be the person ultimately responsible for deciding on the outcome of the review, that does not mean that she or he can make the decision on the outcome of the review without consultation—far from it.
Clause 80(6) ensures that the Secretary of State must consult both the Investigatory Powers Commissioner and the technical advisory board. The commissioner must consider the proportionality of the notice; the board must consider the technical feasibility and financial consequences of it; and both must consult the operator concerned and report their conclusions to the operator and the Secretary of State. Only then can the Secretary of State can decide whether to vary, revoke or give effect to the notice. That system provides rigorous scrutiny of the notice and maintains the accountability of the final decision resting with the Secretary of State. We therefore believe it is the best mechanism for review. Accordingly, I commend the unamended clause to the Committee.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 80 ordered to stand part of the Bill.
Clause 81
Data integrity and security
Question proposed, That the clause stand part of the Bill.
I seek the Minister’s guidance. Throughout our considerations, I have spoken of my fears whether data held under this Act are held securely. I hope that clause 81 will address many of my fears; I seek the Minister’s advice on whether it lays responsibility on communications providers to maintain those data securely. I simply reiterate my concern that when theft does take place, there has to be a consideration of an offence of unlawful possession of stolen data, on the basis that the communications provider that has suffered the theft would also be legally responsible for that theft when the provider is in fact a victim of the theft itself. Bodies that seek to obtain illicitly a person’s private communications data may try to make financial gain as a result. Is the Minister confident that clause 81 gives me the kind of assurances that I have been looking for on internet security? Is there sufficient deterrent, in terms of possession of unlawfully obtained data, that might be included later in the Bill?
The hon. Gentleman has been consistent in stating his concerns. I assure him that clause 81 contains the sort of requirements that he would reasonably expect. It sets out the matter clearly. It should be read in conjunction not only with other legislation that I have mentioned, such as the Data Protection Act 1998 and the Privacy in Electronic Communications Regulations 2003, but with clause 210, which provides for the Information Commissioner to audit the security, integrity and destruction of retained data, and the codes of practice to which I referred earlier. The provisions in the communications data draft code of practice go into more detail about the security arrangements.
We had a discussion some days ago about the existence of adequate criminal legislation. The Bill has a number of provisions that relate to those who hold data, and we discussed whether existing legislation could cover those who come into possession of the data unlawfully. I say to the hon. Gentleman that I will take the matter away and consider it, and come up with a proper considered response to his query.
Question put and agreed to.
Clause 81 accordingly ordered to stand part of the Bill.
Clauses 82 and 83 ordered to stand part of the Bill.
Clause 84
Enforcement of notices and certain other requirements and restrictions
I beg to move amendment 225, in clause 84, page 65, line 20, after “not”, insert “, without reasonable excuse,”.
There are two points to make here. One is to state the principle that reasonable excuse defences are needed to protect those who are exposed in wrongdoing. We had that debate last week and I listened carefully to the response given. The practical reason is the inconsistencies may be intentional, or they may be unintentional. Clause 73(1), under which unlawful disclosure is made an offence under part 3, has a “without reasonable excuse” provision. Clause 84, which is in part 4, does not. There may be a very good reason for that, but it escapes me at the moment. That is either a point that the Solicitor General can deal with now, or I am happy for him to deal with it later on. It may be just one of those things when you draft a long, complicated Bill, but there is an inconsistency of approach here, because reasonable excuse is sometimes written in and other times not, for no apparent reason.
The hon. and learned Gentleman askes what the policy objective is of not having such a defence. The clear policy underlining this is the Government’s policy of not revealing the existence of data retention notices. They are kept secret because revealing their existence could damage national security and hamper the prevention and detection of crimes, because criminals may change how they communicate in order to use a provider that is not subject to data retention requirements. Clause 84 places a duty on providers not to reveal the existence of notices.
Just to be clear, I do not need to be persuaded about the policy objective of a clause that keeps a retention notice safe. It is the policy objective of not having a “reasonable excuse” defence to the provision, which operates as an exclusion to the prohibition, of which I need to be persuaded. I do not need persuading about the prohibition for safety.
I was coming to that. We are talking about a duty here; the earlier clause the hon. and learned Gentleman referred to is an offence. That will, I think, explain the importantly different context.
To deal with the question of “reasonable excuse”, the problem is that once the information is out in the public domain, it cannot be withdrawn—whether that information has been introduced with good or bad intentions does not matter. It cannot be right for the Bill to allow a person to release sensitive information in that way and then subsequently rely on a “reasonable excuse”.
May I deal with clause 84(4), which is relevant to this provision? It provides an exemption where the Secretary of State has given permission for the existence of the notice to be revealed. The Government intend that such permission would be given, for example, where a provider wishes to discuss the existence of their retention notice with another provider subject to similar requirements. Should the operator wish to reveal the existence of the notice, they should discuss the matter with the Secretary of State, and in such circumstances permission is likely to be given. There will be those sort of scenarios, as I am sure the hon. and learned Gentleman will understand, and they will help improve the operational model.
My concern about using the “reasonable excuse” provision in the context of a duty would be that it would undermine the important policy objective that I have set out. For that reason I would urge the hon. and learned Gentleman to withdraw the amendment.
I will withdraw the amendment. As to the difference between a duty and an offence, I understand that in principle, but I am pretty convinced that elsewhere in the Bill a breach of the duty becomes an offence, as otherwise it is an unenforceable provision, so I am not sure it is a distinction that withstands scrutiny. That being said, I am not going to press this to a vote. It would be helpful and reassuring if the Solicitor General would agree to set out the route by which a whistleblower brings this to attention. I think we have already agreed in general terms and it may come within the umbrella of the undertaking that has been given; if it does, all well and good. That would reassure those that have concerns about exposing wrongdoing. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
These amendments were consistent with earlier amendments that have now been withdrawn, the purpose of which was to put the decision-making power in the hands of the Investigatory Powers Commissioner or the judicial commissioner. The other amendments having been withdrawn, I will not press these to a vote; they do not make sense within the unamended Bill as it now stands.
We have already discussed the importance of protecting the identities of those companies subject to data retention notices, but there are circumstances where a telecommunications operator should be able to disclose the existence of a retention notice. Clause 84 allows the Secretary of State to give them permission to do so. The amendment would ensure that a telecommunications operator could disclose the existence or content of a retention notice to the IPC without the need for permission to be given. I would say the proposal is unnecessary, because it is absolutely the Government’s intention to give telecommunications operators permission to disclose the existence and content of the retention notice to both the relevant oversight bodies—the IPC and the Information Commissioner—at the point at which a notice is given. In any event, clause 203 as drafted would permit the telecommunications operator to disclose a retention notice to the IPC in relation to any of his functions.
Amendment 224 would mean that the IPC, not the Secretary of State, would be granting permission for a telecoms operator to disclose the existence of the notice. In practice the Secretary of State would consider, at the point that a retention notice was issued, to whom the telecommunications operator could disclose the existence of a notice. It would not make any sense for this issue to be considered separately by the commissioner following the issue of a notice by the Secretary of State.
Further requests by a telecommunications operator to disclose a retention notice are likely to cover administrative matters, such as disclosure to a new systems supplier. Such matters should appropriately be considered by the Secretary of State. I think that explanation not only justifies opposition to the amendments, which I know are being withdrawn, but supports clause 84.
I have nothing further to add, so I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 226, in clause 84, page 66, line 15, at end insert—
“(2B) No notice shall be served under subsection (1) where the relevant telecommunications operator outside the United Kingdom.
(a) is already subject to a comparable retention requirement in the country or territory where it is established, for the provision of services, or
(b) where there is no comparable retention requirement under its domestic law, any extraterritorial requirement is limited to the making of preservation requests to the telecommunications operator.”
Committee members will understand why this amendment has been tabled. It reflects the concerns of those who will be caught by these provisions in cases where a comparable retention requirement exists in the country in which they are working. The provisions in this part of the Bill are unnecessary in relation to them. That is the amendment’s intention and purpose.
I think we can deal with this briefly. I entirely agree with the hon. and learned Gentleman: where it was neither necessary nor proportionate to attempt to retain data in another place, we would not do so, so that is very straightforward. All data retention notices that are given to telecommunications companies, whether here or abroad, must pass the test of necessity and proportionality. Where they did not do so, it simply would not happen, because it would not be necessary, so for that purpose the amendment is unnecessary.
The second part of the amendment would remove the ability to serve data retention notices on telecommunications operators in countries that do not have a comparable data retention regime. Of course, the fact that they do not have a comparable data retention regime does not necessarily mean that there are no data to obtain, and I think that this part of the hon. and learned Gentleman’s proposal would add rigidity where flexibility is needed. I accept that there are not always comparable systems, but that does not mean that no system of any kind prevails. Again, with the caveat of proportionality and the proven need established, I think it would be unhelpful to limit our capacity to take action as necessary in the way that he suggests. The same could be said of the third element of his proposal, which is about the preservation of data. When there are no data to preserve, this does not really apply, but when there are, we need at least the capacity, born of the flexibilities provided by the Bill, to take action as is necessary and reasonable.
I am grateful to the Minister. I am sure that those who have the primary concern here will take some comfort from what is said about necessity and proportionality but, in practice, where there are comparable retention requirements in the country, it will rarely, if ever, be necessary or proportionate. Obviously, that will have to be determined case by case, or authorisation by authorisation, but I note what he has said on the record. I therefore beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 84 ordered to stand part of the Bill.
Clause 85 ordered to stand part of the Bill.
Clause 86
Extra-territorial application of Part 4
Question proposed, That the clause stand part of the Bill.
I intervene merely because I know that the hon. and learned Gentleman is as much a stickler for accuracy as I am and is perhaps even less prone to hyperbole than me. He will therefore want the Committee to consider the draft code of practice, particularly where it deals with exactly the matters to which he is referring. I will discuss this at greater length than an intervention will allow in a moment, but he will see in the draft code of practice a comprehensive list of qualifications to the breadth that he is outlining.
I am grateful for that intervention. I have been referring throughout to the code of practice and its role. Consistent with the in-principle argument I have been making, the Bill and the code serve different functions. I understand the argument that a code is one way not only to give more detail to the provisions in the Bill, but to future-proof it. In other words, a code allows an approach that can be changed without amending the legislation.
As a matter of principle, though, I argue that where limits are to be put on the exercise of the power, and thus important safeguards are in place, they should be in the Bill. What should be resisted is a wide and generalised power in the Bill that finds constraint and limitation only in the code of practice. The extent of these powers should be set out in the Bill. The code of practice is the place for more detailed provision—provision that may change over time—and other obvious future-proofing techniques; it is not the right place for the limitations themselves.
Moving on, consistent with the earlier clauses on warrants, subsection (5) allows conduct in addition to the interference itself in order to do what is expressly authorised or required and any conduct that facilitates or gives effect to the warrant. I now want to take a bit of time on subsection (6).
I am grateful for that intervention. It is helpful to have such matters on the record so that others can follow how the clauses are intended to operate.
Returning to subsection (6), one of the welcome measures in the Bill is that clause 3(4) makes it clear that, when a communication is intercepted, interception includes the communication at
“any time when the communication is stored in or by the system”.
I know that sounds very technical, but it became a real issue in a number of cases in which the question was whether a voicemail that was accessed once it was on a voicemail machine was in the course of its transmission. If the answer to that was no, there was nothing unlawful about retrieving it, listening to it and publishing it. A lot of time and energy went into the interpretation of the relevant clause. One of the advantages of the Bill is that clause 3 spells out in no uncertain terms that communications are protected if they are intercepted in the course of transmission, including if stored either before or after transmission. That protects any communication, sent to us or anybody else, which is either listened to at the time or not, but is later stored either in a voicemail, on a computer or in any way. We all store communications all the time; it is very rare that they exist only in real time. That is a step in the right direction.
We then get to clause 88(6):
“A targeted equipment interference warrant may not, by virtue of subsection (3), authorise or require a person to engage in conduct, in relation to a communication other than a stored communication”.
It protects the communication and excludes its content from this part—I think that is the idea—but only half does the job and leaves quite a gap, in my view. We get back to the same problem. If there is equipment interference to obtain a communication, that communication would be protected from one of these warrants as long as it is in the course of its transmission. If it has arrived, it is not. If I am wrong about this I will stand corrected, but all of the good that was done by amending clause 3 will be undone by clause 88; the same ends could be achieved by using an equipment interference warrant, namely obtaining by interference a communication that is in the course of its transmission, either before or after it is sent.
I am grateful to the hon. and learned Gentleman for his humility in suggesting that he would stand corrected; I now stand to correct him. An equipment interference warrant would not allow interception of real-time information of the kind that he describes. He is right that to intercept that kind of information would require a different process, as we discussed earlier in our considerations. If further explanatory notes need to be made available to provide greater clarity about that I am more than happy to do so. I will talk more when I respond, before you rightly chide me for going on for too long, Ms Dorries.
I am grateful to the Minister. If he could point to the provision that makes good the submission he has just made, then that will deal with this particular point. Just to be clear, subsection (6) is intended to ring-fence and exclude from one of these warrants communications the interception of which would
“constitute an offence under section 2(1)”,
but only in relation to communications in the course of their transmission in the real sense of the term, not including those that are “stored”. I put on the record—if this is capable of being answered, so be it—that “stored” in subsection (6) has the same meaning as in clause 3, which is intended to include stored communications within the prohibition. I will not take it any further; the Minister has my point, which is that one would expect subsection (6) to protect the same content that is expressly protected by clause 3(4), but it does not—unless he or somebody else can point to another provision that adds to subsection (6), though that would be an odd way of doing it.
I will move on. Subsection (9) defines targeted examination warrants. This is important because subsections (1) to (8) deal with targeted equipment interference warrants—warrants issued in a targeted way; the targeted examination warrant deals with examining material obtained by way of a bulk warrant. It therefore serves a different purpose. Subsection (9) is an extremely wide provision:
“A targeted examination warrant is a warrant which authorises the person to whom it is addressed to carry out the selection of protected material…in breach of the prohibition in section 170(4)”.
To understand that, we need to turn to section 170(4), which raises questions that relate to an argument I made earlier on another, not dissimilar, provision. It states:
“The prohibition…is that the protected material may not…be selected for examination if (a) any criteria used for the selection of the material for examination are referable to an individual known to be in the British Islands at that time, and (b) the purpose of using those criteria is to identify protected material consisting of communications sent by, or intended for, that individual or private information relating to that individual.”
That is intended to give protection to individuals known to be in the British islands, by placing limits on the examination of their material: in relation to their material or their communications one needs a targeted examination warrant to get around the prohibition in clause 170(4). The point I make here is similar to the point that I made before: this is temporal. Whether a person is in the British islands or not depends on where they are physically. I am protected so long as I am in the British islands, but I fall out of protection—as would everybody else—the moment I leave them, whether I am leaving for a day, a week, a month or a year. That is a real cause for concern, as is the wide definition of protected material that immediately follows in clause 88(9); amendment 382 would limit the extent of that definition by stopping the clause after the words “Part 6”, which are on page 67, line 40, of the draft Bill.
In conclusion, this is a very wide-ranging clause, and it contains insufficient safeguards—if there are safeguards, they should be in the Bill. There are questions on subsections (6) in (9), taken in conjunction with clause 170(4), that the Minister will have to deal with.
As the shadow Minister said, part 5 of the Bill is very important. It deals with equipment interference. He is right to say that equipment interference is, by its nature, quite a radical technique—I will explain that in a few moments—but of course it is for a purpose. It fulfils a proper function and allows those missioned to keep us safe to do so by means of the exercise of that power.
Let me deal with the hon. and learned Lady first. I thought that her contribution—I say this kindly because, despite all of my instincts, I cannot help liking her—[Interruption.] Someone said “saintly instincts”. I would not go as far as to say “saintly”; I would say “wholesome instincts”. I thought that her speech exemplified the curious cocktail at the heart of Scottish nationalism: a mix of paranoia and assertiveness.
I have two things to say in response to her. First, these powers are not new; they already exist in the Intelligence Services Act 1994 and the Police Act 1997. Secondly, the exercise of those existing powers has been scrutinised. They are particularly used by GCHQ.
Order. There is a Division in the House. We will suspend for 15 minutes, or 25 if there are two. Be back as quickly as you can if there are three.
Having characterised the Scottish National party in a vivid and, in some people’s view, slightly too generous way, I will move on to the specifics of what the hon. and learned Lady said. She is right that there need to be important safeguards in respect of equipment interference. I do not think that there is any difference between us on that. She is right that GCHQ’s use of equipment interference powers—although they are more widely available, it is GCHQ that uses them particularly—are central to its purpose and of course must be lawful. She will be pleased to know that the Investigatory Powers Tribunal found them to be just that when it looked at the matter as recently as February of this year. Of course it is right, given the radical character of those powers, that we put in place all the right checks and balances. One might say that transparency and stronger safeguards are part of what the Bill is defined by.
It is important to emphasise in that context the draft codes of practice, which I drew attention to in a brief intervention on the hon. and learned Member for Holborn and St Pancras. They are clear in two respects. I draw attention first, in general terms, to part 8 of the draft code of practice on equipment interference, which deals with handling information, general safeguards and so on, and secondly to the specific areas covered in part 4.10, which lists an extensive series of requirements for the information that a targeted equipment interference warrant should contain. I will not go through them exhaustively, Ms Dorries, because that would please neither you nor other Committee members. Suffice it to say that such a warrant should contain details of the purpose and background of the application, be descriptive and clearly identify individuals where that can be done. Those requirements also necessitate an explanation of why equipment interference is regarded as essential and refer to conduct in respect of the exercise of such powers, collateral intrusion, and so on. They are pertinent to the consideration of the clause.
There is always, as I predicted there would be in this case, a debate in Committee about what is put in the Bill and what is put in the supporting material. As you will be familiar with, Ms Dorries, having been involved in all kinds of Committees over time, Oppositions usually want more in Bills and Governments usually want more flexibility. Perhaps that is the nature of the tension between government and opposition. I have no doubt that were the Labour party ever to return to Government, the roles would be reversed; we would be the ones saying, “More in the Bill,” and that Labour Government would probably be arguing for more flexibility. The truth lies somewhere between the two: of course it is important to ensure that there is sufficient in the Bill both to ensure straightforward legal interpretation and to cement the safeguards and protections for which the hon. and learned Gentleman rightly calls, but in achieving those ends one must always be careful that specificity does not metamorphose into rigidity. Where we are dealing with highly dynamic circumstances, changing technology and, therefore, changing needs on the part of the agencies and others, rigidity is a particular worry.
In the Bill as a whole, and in this part of the Bill, we have tried to provide sufficient detail to provide transparency, navigability and a degree of resilience to legal challenge while simultaneously providing the flexibility that is necessary in the changing landscape. That is why the codes of practice matter so much, particularly in respect of this clause and these amendments, and it is why the codes of practice have changed in the light of the consideration of the Joint Committee of both Houses, and others. It is also why I predict—I put it no less strongly than that—that the codes of practice will change again as a result of the commentary that we have already enjoyed in Committee and will continue to provide over the coming days.
The need for equipment interference could not be more significant, and I will explain what it comprises. Equipment interference is a set of techniques used to obtain a variety of data from equipment that includes traditional computers, computer-like devices—such as tablets, smartphones, cables, wires—and static storage devices. Interference can be carried out remotely or by physically interacting with the equipment. Although equipment interference is increasingly important for the security, intelligence and law enforcement agencies, it is not new. Law enforcement agencies have been conducting equipment interference for many years, and I described the legislative basis for that in response to the hon. and learned Member for Edinburgh South West. It is probably fair to say that equipment interference is likely to become still more important as a result of the effect that changes in technology are having on other capabilities. I do not want to overstate this, but encryption, for example, is likely to make equipment interference more significant over time.
I will amplify the clarity with which I delivered my advice to the hon. and learned Member for Holborn and St Pancras. Warrants cannot be issued without specifying what information is being sought, and on that basis it is hard to see why clause 88 should be amended. Chapter 4 of the code of practice states:
“An application for a targeted equipment interference warrant should contain… A general description of any communications, equipment data or other information that is to be (or may be) obtained”.
Together, the provisions provide the issuing authority with the information it needs to assess an application and with the power to constrain the authorised interference as it sees fit on a case-by-case basis. Amendment 382 would extend the requirement to obtain a targeted examination warrant to circumstances where the agencies need to select for examination the equipment data and non-private information of an individual who is known to be in the British islands. I tend to agree with the argument made by the hon. Member for City of Chester in an earlier sitting of the Committee that it is right that there are particular provisions for UK citizens in what we do in this Bill, rather than with the argument made by the hon. and learned Member for Edinburgh South West.
I just want to clarify my concern, because I think the Minister just said, “UK citizens”. I understand that the distinction is made between UK citizens and others. My concern about this provision is that, whether someone is a citizen or not, if they are physically outside of the British Isles they fall outside the protection. That has been my driving concern, or one of my driving concerns, here. There may be a good reason for this and there may be a longer explanation for it, but I was surprised to see in the Bill that the protection was not to British citizens or to some other description of people with the right of residence in this country, but in fact depends on whether someone is physically in the country or not. On my understanding, I lose the protection that is provided by this Bill in this and other provisions if I go to France for a short period of time.
To be fair to the hon. and learned Gentleman, the Bill refers to people within “the British Islands”, so he is right, and there are very good reasons why enhanced safeguards should apply for the content of people in the UK. As he implied, we explored these issues in an earlier part of the debate.
I will conclude, but I want to do so on the basis of clarifying this matter, too. The subsection that the hon. and learned Gentleman described earlier makes it clear that when a warrant for equipment interference is used to examine a phone, the police can look at all data on the phone, including text messages, but not in real time. I wonder whether there has been a misunderstanding or misapprehension about this issue—either a mis- understanding about the meaning or misapprehension about the purpose.
I repeat this solely for the sake of convincing the hon. and learned Gentleman and others that we are doing the right thing. These are important powers with stronger safeguards with absolute determination to be clear about legal purpose; they can only be used when necessary and can only be used lawfully. They are fundamentally not new but a confirmation of what is already vital to our national interest and to the common good.
I am grateful to the Minister for taking us through in some detail how the clause is intended to work with the code of practice. I reiterate my point that the essential safeguards should be in the Bill. Amendments 381 and 382 would not delete the provisions in clause 88; they would tighten the provisions in clause 88, and I intend to push both of them to a vote.
Question put, That the amendment be made.
I rise to add my support to amendment 384 on behalf of the Scottish National party. Historically, communications data were considered much less revealing than the content of the communication, and consequently the protections offered to communications data under RIPA were weaker than those existing in the interception regime. However, as communications have become increasingly digital, the data generated are much more revealing and copious than before, allowing the state to put together a complete and rich picture of what a person does and thinks, who they do it with, when they do it and where they do it.
As the Bill stands, clause 88(9) would allow for the examination of potentially vast amounts of data on people in Britain obtained under bulk equipment interference warrants, as vague categories of “data” in 88(9)(a) and (b) are asserted to have no meaning. Data relating to the fact of a communication or the existence of information do have meaning and must not be exempt from the privacy protections afforded to other categories of data.
I urge the Committee to ensure that the Bill does not treat data relating to the fact of a communication or the existence of information relating to that fact as unimportant. In fact, there is extraordinarily high value to such material, precisely because it is highly revealing. It therefore demands equal protection.
All these disruptions and delays are adding interest and variety to our affairs. There is a straightforward argument for why the amendment is unnecessary, which I will make. If that is insufficient to persuade the Committee, I will add further thoughts.
The straightforward reason why the amendment is unnecessary is that it would undermine the principle that the most robust privacy protections should apply to the most intrusive kinds of data. I simply do not agree with the hon. and learned Lady that, for example, systems data—the highly technical data that will be separated out as a result of the endeavours in this part of the Bill—are better excluded from those extra protections. The unintended consequence of the amendment—at least, I hope it is unintended—is that it would lead to disproportionate access requirements for less intrusive data. That would be unhelpful and could, through confusion, hamper the work of the services.
I want to be clear as to how clause 89 operates, because subsection (2) suggests it is an attempt to identify data associated with a communication that can be separated from the communication, but which, if separated, would not touch on the meaning of the communication, thereby protecting it. That is all good. That is a safeguard, which is supported and welcome, but after the comma, as I read it, disregarded from that protection is everything that follows on. At the moment, I do not follow how the amendment removes protection, because the last bit of clause 89(2)(c) after the comma disregards from the protection and thus leaves unprotected from the scheme of clause 89
“the fact of the communication or the existence of the item of information or from any data relating to that fact.”
If I am wrong about that, there is a problem with the amendment, but I understand that part of clause 89(2)(c) to detract from the protection that the subsection is otherwise intending to put in place.
Let me see if I can deal with that question specifically. Equipment data include identifying data. Most communications and items of information will contain information that identifies individuals, apparatus, systems and services, or events and sometimes the location of those individuals or events. Those data are operationally critical to the agencies, as the hon. and learned Gentleman understands. In most cases that information will form part of the systems data, but there will be cases where it does not.
The work that has been done to separate out and define data has been carefully designed to categorise logically the range of data generated by modern communications. Identifying data are operationally critical. It is important to be able to classify data correctly and coherently throughout the Bill. My assertion, therefore, drawing on the hon. and learned Gentleman’s question, is that the amendment would inhibit though not prevent that by making the distinction less clear.
We can talk at length if necessary, although I suspect that at this juncture it is not necessary, about inferred meaning and its importance and relevance here. Misunderstanding frequently arises on inference, but I do not think that that is critical to this particular part of our discussion. My case is that the work we have done in better categorising the difference between the kinds of data assists the application of this part of the Bill, and assists the agencies accordingly. As I said, the amendment, perversely, would afford to those bits of technical data, for example, the same protection that is deliberately granted to more sensitive data under the Bill.
I do not like to do this on every amendment, or we would drown in a sea of paper, but as I write to the Committee regularly, if it would be helpful to cement that point in my next letter, I will happily do so. I am, however, confident that what I have said to the Committee is an accurate reflection of the work that I have described and of the content of the Bill.
I am grateful to the Minister, first for spelling out in detail the intended operation of the clause and, secondly, for indicating his willingness to write on the matter. This is something that ought to be in the Bill. My clear reading is that the amendment would not ring-fence anything from examination; it would simply require a warrant under clause 88 if equipment data, having satisfied all the other provisions under subsection (2)(a) to (c), included anything where there was a meaning arising from fact communication and so on. I will therefore press the amendment to a vote.
I want to add my voice in support of the hon. and learned Gentleman’s suspicions—sorry, submissions! We share suspicions about this clause. The clause unamended permits thematic, suspicion less warrants and these shade into general warrants. General warrants are anathema to the common law of England and Scotland and fall foul of international human rights law.
I am pleased that the hon. and learned Gentleman prayed in aid what David Anderson QC said about clause 90. If Members have read his supplementary written evidence to the Committee, they will have seen that at paragraph 5a he expressed grave concern about clause 90, describing it as “extremely broad” and continuing:
“The ISC noted this in relation to the EI power in February 2016…The Operational Case lodged with the Bill also acknowledged…that a targeted thematic EI”—
equipment interference—
“warrant may ‘cover a large geographical area or involve the collection of a large volume of data’. This matters, because as the Operational Case also acknowledged…the protections inherent in a thematic warrant are in some respects less than those inherent in a bulk warrant. The very broad clause 90 definition effectively imports an alternative means of performing bulk EI, with fewer safeguards. The Government’s explanation for this–that it will opt for a bulk warrant where extra safeguards are deemed necessary–may be argued to place excessive weight on the discretion of decision-makers.”
That concern—that it gives excessive discretion to decision makers—is one that the Scottish National party has as a thread running through the Bill. David Anderson goes on to say:
“If bulk EI warrants are judged necessary, then it should be possible to reduce the scope of clause 90 so as to permit only such warrants as could safely be issued without the extra safeguards associated with bulk.”
Even if the Minister does not consider the SNP’s and the Labour party’s concerns valid, what does he have to say about the lengthy passage that David Anderson has devoted to the matter in his supplementary written evidence?
Will the Minister tell us the legal basis of the existing powers?
I have done so already, but I will repeat it for the sake of the record. The powers are contained in the Intelligence Services Act 1994 and the Police Act 1997. I am more than happy to provide more information to the hon. and learned Lady on that detail, should she want me to do so.
I am looking at the 1994 Act and it seems to me that it contains broad and vague enabling powers, which bear no resemblance to the powers in the Bill. Can the Minister contradict that?
One of the stated purposes of the Bill is to bring together those powers—to cement them and to put in place extra clarification and further safeguards. I have argued throughout that the essence of the Bill is delivering clarity and certainty. I would accept the hon. and learned Lady’s point if she was arguing that, at the moment, the agencies draw on a range of legal bases for what they do, for that is a simple statement of fact. We are all engaged in the business of perfecting the Bill, because we know it is right that these powers are contained in one place, creating greater transparency and greater navigability, and making legislation more comprehensible and more resistant to challenge. That is at the heart of our mission.
I said I would talk about breadth. The breadth of the circumstances in which equipment interference could be used reflects the fact that, at the time of making an application for a warrant, the information initially known about a subject of interest may vary considerably. Last week, we spoke about the kind of case in which there may be an unfolding series of events, such as a kidnapping, where a limited amount might be known at the outset when a warrant is applied for. The warrant’s purpose will be to gather sufficient information as to build up a picture of a network of people involved in a gang or an organised crime. That is very common and I intend to offer some worked examples in a number of areas.
Identifying members of such a gang can often come from interception arising from a thematic warrant. That might apply to interception, but frankly it might also apply to equipment interference where that is a more appropriate and more effective means of finding the information. Another example may be a group of people involved in child sexual exploitation. Frequently, partial information will allow for further exploration of a network of people who are communicating over a wide area, and who are careful about how they communicate, mindful of the activity that they are involved in. They will not be easy to discover or find, as they will very often disguise their identity. For that reason, it may be necessary to start by looking at sites commonly used to share indecent images of children and from there uncover information that leads, through the use of equipment interference, to those who are driving that unhappy practice. Those examples are not merely matters of theory; they are matters of fact. I know that in cases of kidnapping and in cases of child sexual exploitation, those techniques have been used and continue to be used.
I understand the point the Minister is making and the need for these powers to be practical and effective in real time. He says that they are not theoretical but real, and I absolutely accept that, but David Anderson is someone who will have appreciated that more than many others. He has been working in this field and dealing with those issues for many years. He is hardly likely to make the mistake of theorising about something that he knows about in great detail in the practical examination, so is he just plain wrong when he raises this concern? He has raised it not just once, but on a number of occasions, in detail, and he knows how these things work.
I will return to that point because it is important and fair, and I will return to the Anderson critique in a moment, but before I do so, I want to be clear about the second thing that I said I would speak about—speed.
The kind of cases that I have outlined can move rapidly. The information that becomes available from the kind of initial inquiries that I have described, when the character or names of individual actors may not be known but will become known through these techniques, may require law enforcement agencies to act very quickly to avert further serious crime. Owing to the need for speed, it is vital that those missioned to protect us are able to exercise all the powers when they need to, with confidence and lawfully. The Anderson critique is why the codes of practice limit specifically how thematic warrants can be used. I draw the Committee’s attention to page 25 of the draft code of practice, which deals with such warrants and defines again, in some detail, exactly how they should be as specific as possible, given the breadth and speed requirements that I have set out.
I hear what is said about the David Anderson criticism. I think that we have gone further in being specific in the code of practice than we might have been expected to by our critics, but, rather as I said in relation to our consideration of an earlier group of amendments on warranting, I do not want to inhibit what is currently done; I do not want the Bill to leave the agencies and law enforcement with fewer powers; I do not want to leave them emasculated as a result of our consideration. It is right that we should have safeguards, definition, constraints and, where necessary, specificity, but these powers are vital to protect us from those who want to exploit our children and do us harm. Criminals are increasingly adaptable and sophisticated, rather like terrorists. We must outmatch them at every turn and I believe that those powers are vital for us to be able to do so. So I am unapologetic about making the case for them to the Committee and to Parliament.
I am grateful to the Minister for setting out his case in that way. To be clear, particularly in relation to his last point, I do not think that anyone is suggesting that those powers should not be available. The discussion is about whether they are rightly described as thematic warrants or whether they are, in truth, bulk warrants, which operate in different ways and have different safeguards, procedures and processes to go through. I do not want our challenging and probing to be portrayed as somehow to undermine the work that has to be done by law enforcement and others in real time, often in difficult circumstances.
That said, this is an important issue. I have listened to what has been said and I want to preserve the position. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ms Dorries, you have been indulgent in allowing me to trespass on the territory of some of these amendments in my general remarks on the clause. That probably applies to the Minister in reply as well. In those circumstances, it is not necessary for me to say any more about this group.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 90 ordered to stand part of the Bill.
Clause 91
Power to issue warrants to intelligence services: the Secretary of State