I beg to move,
That the Committee has considered the draft Data Retention and Acquisition Regulations 2018.
I am delighted to serve under your chairmanship, Sir Graham. The retention of and access to communications data is crucial in enabling investigators to obtain intelligence and evidence that can prevent terrorist attacks, disrupt the activities of serious and organised crime groups, and establish culpability so that offenders can be brought to justice. It is used to investigate crime, keep children safe, locate missing persons, support or disprove alibis and link a suspect to a crime scene.
The regulations introduce additional safeguards to ensure that the UK’s regime complies with EU law. They also bring into force the code of practice of parts 3 and 4 of the Investigatory Powers Act 2016—IPA—the regime for communications data acquisition and retention. Between November 2017 and January 2018, we consulted publicly on the changes to the legislation and code of practice.
The regulations provide for the independent authorisation of communications data requests. The Investigatory Powers Commissioner, a senior judge, is given that power and will delegate the responsibility to a newly appointed body of staff, which will be known as the Office for Communications Data Authorisations.
OCDA will report directly to the Investigatory Powers Commissioner and will be responsible for considering the vast majority of requests made by public authorities to access communications data. The new body is expected to begin operating in April 2019 with independent authorisation being rolled out across public authorities during 2019. The internal authorisation of requests will continue to be permitted in urgent cases—for example, where there is a threat to life or where requests are made for national security matters, which are outside the scope of the European law.
The regulations restrict the crime purpose for which events data such as call histories and location information can be retained and acquired to serious crime. We have carefully considered how serious crime should be defined in the context of communications data—a decision that the European Court has rightly left to member states. We have worked with the operational community to focus on where communications data can be a valuable tool. Indeed, in some cases, it is the only investigative tool.
We have mirrored the definition that already exists in the IPA for the more intrusive interception and bulk powers, but we have adjusted the custodial threshold to one year, rather than three, to reflect the less intrusive nature of comms data. That will ensure that the power is not used in the investigation of low-level offences.
The definition also makes specific provision for offences that, as an integral part, involve the sending of a communication or a breach of a person’s privacy, which will ensure that communications data can be used to investigate all harassment and stalking offences. Similarly, the definition extends to offences committed by corporate bodies, such as corporate manslaughter, where custodial sentences are not available. In addition, in every case, even where the serious crime threshold is met, an application for communications data can be authorised only where it is necessary and proportionate to what is sought to be achieved.
To ensure that the serious crime restriction can be brought into force on 1 November, the regulations amend the Regulation of Investigatory Powers Act 2000—RIPA. Until part 3 of the IPA is brought into force early next year, RIPA remains the legal framework for accessing communications data.
The new code of practice provides comprehensive guidance on the data retention and acquisition regime and describes roles and responsibilities, considerations that must be given and detailed processes that must be followed. The code takes account of the changes made in the regulations, in particular the role of the Investigatory Powers Commissioner and OCDA. It also provides further guidance on factors to take into account when considering the seriousness of offences in deciding whether communications data should be acquired.
The changes support the important right to privacy and the right of citizens to be protected from crimes and terrorism. They ensure that public authorities can continue to access retained communications data in a way that is consistent with EU law and our responsibilities to protect the public. The additional safeguards, the clear requirements set out in the code of practice and the independent oversight provided by the Investigatory Powers Commissioner establish clear limits around the use of the powers and provide reassurance for the public that communications data is being used only where it is necessary and proportionate. I commend the regulations to the Committee.
I will first address the experienced points of the hon. Member for Wallasey. The balance between allowing our police forces to get on and do their job and bureaucracy is a challenge that the Home Office and Government have always faced. If there was a reason why we did not initially propose this type of independent authorisation, it was not some deep-state conspiracy theory, but the amount of bureaucracy we expect at a comms data level and whether that is proportionate to the police doing their job.
It is a difficult balance. Comms data is the norm. We are all wedded to our telephones—as I speak, some Members are wedded to theirs—and people conduct a serious amount of business, communication and crime on them, so that data will only increase. Comms data is not about the content, however; it is about the who, where and when, so it is at the lower level.
Subscription details—basically, which mobile telephone belongs to who and the billing address—are included in the regulations. The Court did not require us to do that, but we have put it into the independent authorisation, partly because law enforcement said, “Just get rid of the bureaucracy and hand it over to OCDA. We do not want to have it just for subscriptions and not others,” and partly because it now fits that all these authorisations, whether they are the more intrusive bulk data and content intercept communications or not, are dealt with and oversighted independently.
That leads me to the points of the hon. Members for Wallasey and for Paisley and Renfrewshire North. The oversight will be independent. It will be accountable through the Investigatory Powers Commissioner, Lord Justice Fulford. He is also involved in the independent authorisation of the more intrusive areas of intercept and has an oversight role to look back at how the powers were used and whether they were proportionate and necessary. Funnily enough, within that, he can order disclosure to individuals if he feels that their data has been used wrongly. That goes some way to our venture—we have said to the European Court that there is already a form of notification in the system, which is that there are several opportunities for someone to be notified.
At the same time, there will be other scrutiny, such as an annual report by the Investigatory Powers Commissioner. The Intelligence and Security Committee will also be able to look at some of the more sensitive capabilities in detail. There is the Home Affairs Committee and the investigatory powers tribunal that individuals can take cases to if they feel that their data has been wrongly collected, wrongly stored or abused.
Without wandering too far off the regulations, I entirely agree with the hon. Lady’s point about the private and public balance. We have a balance where if any of us in this room, or if I as a Minister, wants to do something, we need a warrant or authorisation with quite a lot of oversight, but if a private individual wants to park a car with a camera in it outside someone’s house on a public highway, there is very little that person can do to stop them. If a large company wants to buy and sell someone’s data or effectively surveil you and I, there is very little that we can do about it, Sir Graham. I worry that we go around in circles and that that goes pretty unchallenged by the law enforcement community. The General Data Protection Regulation is a good piece of work, which has sought to deal with that by bringing ownership of data back to individuals.
As the hon. Member for Paisley and Renfrewshire North said, we have drawn down the definition of “serious crime” to a crime with a sentence of one year or more. We have included some carve-outs below that, simply because most of those offences depend purely on comms data. For example, when investigating the persistent stalking or harassment of an individual, it is incredibly important to be able to use data about telephone behaviour, but the offence of stalking does not always meet that sentencing threshold—injunctions are often used, and so on. We therefore venture that that carve-out is important. Corporate manslaughter does not carry a custodial sentence, but I think we all believe comms data is really important in proving that a corporation or body failed in its duties or committed a criminal offence, which are often large in scale.
That is a pragmatic way of trying to keep people safe. The Court said it was up to the member state to define “serious crime”—it did not seek to do so itself. It is recognised that comms data is not as intrusive into our privacy as an intercept, which means that the serious crime threshold can be different from the three-year threshold that applies to the regime for more intrusive data collection.
On what the hon. Member for Torfaen said, we obviously told the Court that we would comply with its ruling about independent authorisation, but we have until April 2019 to set up independent authorisation on a scale that allows our police forces up and down the country to do their job. We have started recruiting and establishing a secure IT system—posts have been advertised and people are being interviewed for them. It is simply set-up time. We cannot immediately rustle up that type of body. The OCDA will be answerable to the Investigatory Powers Commissioner and based throughout the United Kingdom. It will obviously spend a lot of its time liaising with police forces, because it will make direct requests via the single point of contact—the expert—in each force.
The Court accepts that, and it is really important that we deliver to that timetable. I have asked for an update every two weeks on how we are progressing. The Court recognises that we actually have to deliver—it cannot just immediately rule everything illegal, because the system would in effect fall over. The Court gave us time, and it has recognised our ability to do that.
The Court ruling on which the draft regulations are based considered five arguments. In two cases—independent authorisation and the serious crime threshold—the Court found that our law was unlawful and needed to be changed. We have addressed that. In the other three cases, the Court did not find in the plaintiff’s favour or make a ruling. For example, it did not find that our retention was “general and indiscriminate”. That is why we are dealing with comms data. The hon. Member for Paisley and Renfrewshire North referred to bulk data. The draft regulations focus specifically on the comms data regime, as requested.
I hope I have answered hon. Members’ questions. We are in a good position. I am entirely comfortable that independence will be used in the authorisation process. We have not popped some conspiracy—this is a perfectly functional thing. At the moment, the Home Office is funding the set-up of OCDA, alongside the Investigatory Powers Commissioner. I recognise the pressure on resources for police forces. I have to do my best to ensure that that body is as minimally bureaucratic as possible but does the job of giving assurances that people’s data is dealt with independently and not abused.
Question put and agreed to.