That the Grand Committee do consider the Data Retention and Acquisition Regulations 2018.
My Lords, the retention of, and access to, communications data is crucial in enabling investigators to obtain intelligence and evidence that can prevent terrorist attacks, disrupt the activities of serious organised crime groups and establish culpability so that offenders can be brought to justice. It is used to investigate crime, keep children safe, locate missing persons, support or disprove alibis and link a suspect to a crime scene.
These regulations introduce additional safeguards in our communications data regime to ensure that it complies with EU law. They also bring into force the code of practice for communications data under the Investigatory Powers Act. We have consulted publicly on the changes to the legislation and the code between November 2017 and January 2018.
The regulations provide for the independent authorisations of communications data requests. Sir Adrian Fulford, the Investigatory Powers Commissioner, is given this power and will delegate this responsibility to a newly appointed body of staff, to be known as the Office for Communications Data Authorisation. The OCDA will report directly to the IPC and will be responsible for considering the vast majority of requests to access communications data made by public authorities. The new body is expected to begin operating in April 2019, with independent authorisation being rolled out across public authorities over the course of 2019. Internal authorisation of requests will continue to be permitted in urgent cases—for example, where there is a threat to life and where requests are made for national security matters which are outside the scope of EU law.
The regulations restrict to serious crime the crime purpose for which events data such as call histories and location information can be retained and acquired. The primary safeguard to ensure that communications data is not acquired for trivial offences is the important test of necessity and proportionality, which must be considered every time an application for communication data is made.
The code of practice provides detailed guidance on how a public authority should consider the seriousness of an offence, including taking into account important factors such as the impact on the victim. In addition to this test, the regulations create a new threshold of serious crime, below which data cannot be acquired. As intended by the European Court, we have carefully considered how serious crime should be defined in the UK in the context of communications data. We propose to use as a starting point the definition which already exists within the IPA for the more intrusive interception and bulk powers, then making some adjustments in relation to communications data while leaving the original definition in place for more intrusive powers.
For communications data, we propose an adjusted definition, which includes offences that attract a sentence of one year rather than referring to offences for which the expected custodial sentence is three years, as in the case for interception. This reflects the less intrusive nature of the communications data, but nevertheless prevents data being acquired in the investigation of trivial offences. We have worked closely with the operational community to consider the importance of obtaining communications data against a range of offences, with a particular focus on cases where it was anticipated that communications data will be an important—or indeed the only—investigative tool. One area highlighted by law enforcement agencies was stalking and harassment offences. These can attract low sentences or fines, but such activity can often escalate into more serious offences, and when the activity takes place online, the ability to obtain communications data is a vital tool. Our proposed definition of serious crime for communications data acquisition also includes offences which involve, as an integral part of the offence, the sending of a communication or breach of a person’s privacy to ensure that all offences related to stalking and harassment are in scope.
The final adjustment of the serious crime definition already existing in the Act is to enable communications data to be obtained for investigations of offences committed by corporate bodies. We consider offences such as corporate manslaughter to be sufficiently serious to warrant the use of communications data in their investigation despite being punishable by fines. The generally less intrusive entity data—such as the name of a subscriber to a service—can still be obtained in relation to the full range of crimes, where it is necessary and proportionate to do so. To ensure that the serious crime restriction can be brought into force on 1 November, the regulations amend the Regulation of Investigatory Powers Act 2000 until Part 3 of the IPA is brought into force early next year. RIPA remains the legal framework for accessing communications data.
The new code of practice provides comprehensive guidance on the data retention and acquisition regime. It is well over 100 pages long, and provides further detail on roles and responsibilities. The code takes account of the changes made in these regulations, particularly the role of the Investigatory Powers Commissioner and the OCDA.
These changes support the important right to privacy and the right of citizens to be protected from crime and terrorism. They ensure that public authorities can continue to access retained communications data in a way that is consistent with EU law and our responsibilities to protect the public. The additional safeguards, the clear requirements set out in the code of practice and the independent oversight provided by the Investigatory Powers Commissioner establish clear limits around the use of these powers, and provide reassurance that communications data is being used only where it is necessary and proportionate to do so. I beg to move.
My Lords, I remind the Committee that I was a police officer for over 30 years, rising to the rank of Deputy Assistant Commissioner in the Metropolitan Police, and—contrary to popular belief—my certificate of service states that my conduct was exemplary. I acknowledge the importance of communications data in the investigation of serious crime as the Minister has outlined. I also welcome, as far as they go, the independent authorisation provisions contained in these regulations.
I should like to give the Committee some background to discussions I have had with Ministers and officials on these regulations. Two weeks ago, at a meeting with the Minister of State for Security and Economic Crime, the Minister of State for Countering Extremism, the Minister for Equalities, and officials, I raised my concerns about the definition of serious crime in these regulations and one other issue. The Minister for Security and Economic Crime and his officials were unable to answer my concerns at that meeting but the Minister promised to find the answers and get back to me. Having heard nothing by yesterday afternoon, I alerted the Government to the fact that, in the absence of any explanation, I would seek to oppose the regulations when they reached the Floor of the House. At 8 pm last night, the Minister of State for Countering Extremism called me because she had been told that I was unhappy with the regulations. I repeated my main concern, as clearly expressed in the meeting with Ministers and officials on 10 October, and she undertook to provide me with a copy of the relevant part of the Minister’s opening speech this afternoon. I received this at 10 am today and I am grateful for the advance sight of the relevant part of the speech. Having reflected for some time on the Minister’s opening remarks, provided to me in advance in writing, I wish to explain to the Committee why I am still not satisfied with the Government’s response.
In the Investigatory Powers Act 2016—the Act of Parliament under which these regulations are being made—“serious crime” is defined as offences for which the expected custodial sentence is three years for a person over 18 with no previous convictions. In other legislation currently before the House—for example, the Counter-Terrorism and Border Security Bill—the definition of serious crime is the same as in the Investigatory Powers Act 2016. An expected custodial sentence of three years’ imprisonment for a person without any previous convictions is not, as I understand it, a maximum sentence of three years’ imprisonment. Taking shoplifting as an example, the maximum sentence for theft is 10 years in prison but someone stealing a can of beans from Tesco could not be expected to be sent to prison for three years for such an offence. Can the Minister explain exactly what “expected custodial sentence” means in practice? Can she give some examples of the types of offences that would fall within this category?
However, these regulations not only lower the bar to 12 months’ imprisonment or more, down from three years, but—the Minister will correct me if I have this wrong—defining serious crime as an offence that someone is capable of being sentenced for must mean that the maximum sentence is 12 months or more, which is a much lower threshold than the definition in the Act. Furthermore, it disregards any enactment prohibiting or restricting the imprisonment of individuals who have no previous convictions, as opposed to the Act, which has regard to such restrictions. If I am right, this shows that this is a much lower standard for defining serious crime than is contained in the Act itself.
The Minister talked in her introduction about preventing data being acquired in the investigation of trivial offences. The CJEU judgment on this matter, which has prompted these regulations, talks about the objective of fighting serious crime, not the prohibition on using communications data to investigate trivial crime. There is a significant difference between serious crime and trivial crime. My view is that the Government have stretched the definition of serious crime beyond credible limits, to an extent that is not compliant with the CJEU judgment in this matter.
However, the regulations go further still, to include any offence committed by a body corporate and any offence,
“which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy”.
Clearly, “any offence” does not differentiate between a serious offence and any other type of offence. The CJEU explicitly stated that the use of communications data must be restricted to the investigation of serious crime but these regulations define any crime as being serious if it is committed by a body corporate or involves the sending of a communication or a breach of privacy, when clearly some of these offences will not be serious by any reasonable definition. I am reminded of the Oxford undergraduate who tried to get around college by-laws prohibiting undergraduates from keeping dogs in their rooms by calling his dog “Cat”.
The Minister has explained how the Government arrived at such a position:
“We have worked closely with the operational community to consider the importance of communications data against a range of offences, with a particular focus on cases where it was anticipated that communications data will be an important—or indeed the only—investigative tool”.
My Lords, the noble Lord, Lord Paddick, has compared these regulations to a dog masquerading as a cat. My feeling about them is that they seem more like the plotline from a political thriller than a reality that we ought to be facing. The regulations are actually a barefaced attempt by the Government to expand their creepy surveillance powers deeper and deeper into our lives. We seem to be the last bulwark here against the Government adopting Henry VIII powers that are simply unacceptable in these areas. These changes are unacceptable and we are going to do as much as we can to stop them. The Data Retention and Investigatory Powers Act was already hugely controversial, and these regulations seek to extend those powers even further.
Big changes to legislation, such as this, should be done through an Act of Parliament, rather than sneaking it through, without full scrutiny, under secondary legislation. I think it is quite outrageous of the Government to try to do this. In particular, I too was at that meeting on 10 October—one of the two Peers who attended, out of 800—and I feel that at no point have our concerns raised at that meeting been looked at, discussed or taken into account. I also take great issue with the definition of “serious crime” which these regulations use to justify state intrusion into people’s communications. Serious crime, we are told, is any offence which is capable of leading to a prison sentence of more than 12 months. Such serious crimes would therefore include possession of small quantities of cannabis, the obscene performance of plays or petty theft. I personally would not indulge in any of those, obviously, but I imagine there are categories that I could fall into, in total innocence, and that offends me very deeply.
Detecting and preventing even these pettiest of crimes would be grounds for the state to collect communications data. There does not need to be reasonable suspicion that you have committed an offence, just a general intention to make sure that you have not done anything wrong. Using these powers for so-called serious crime, the police will be able to gather the location data transmitted by your phone and any other electronic device. So with very few legal safeguards, the state can track you at will. These ever more oppressive data collection laws make it ever easier to spy on each and every one of us, for even the vaguest of reasons.
These laws are going the wrong way. Of course we need proper powers to tackle terrorism and truly serious crime, but alienating a lot of the populace is not the way to go. These powers should not come at the expense of the rights and freedoms of the majority of people, who are innocent of any serious crime. I feel that the Government are turning into an ugly, greedy surveillance monster, willing to sacrifice civil liberties that are, or should be, at the heart of real democracy.
As the Minister said, the purpose of these regulations is to reflect a ruling of the European Court on communications data acquisition and retention that the Investigatory Powers Act 2016 is incompatible with European law. In the light of that ruling, these regulations have been brought forward, seeking to bring our legislation in line with European law, and of course what is before us also contains the code of practice to which the Minister referred.
The regulations and the code of practice provide for independent authorisation over the use of the relevant powers. The regulations also restrict the crime purpose for acquiring retained commissions to what is described as “serious crime”.
In the Commons, where this matter has already been discussed, we said that we did not oppose the changes made. We also said that we supported strong powers, but added that we supported strong safeguards. Although it is not entirely about safeguards, the issues that have been raised have also been about powers, but certainly much of the comment that has been made, although not exclusively, has been about the extent to which there are or are not appropriate safeguards in relation to these measures.
The noble Lord, Lord Paddick, raised issues about the definition of serious crime, which, as I understand it, is up to the member state to define. However, he also raised questions over the issue of whether the Government’s definition is too wide ranging, since it covers offences for which a penalty of 12 months’ imprisonment or more can be imposed, as opposed to what might realistically be expected to be imposed for the offence, and the fact that the definition covers, as the noble Lord said, any crime by a body corporate or any offence that involves as a key part of it,
“the sending of a communication or a breach of a person’s privacy”,
which it would appear could include minor transgressions as well as matters for which one would quite definitely expect these powers to be used.
On the issue of the custodial threshold, as the noble Lord, Lord Paddick, has said, it is in relation to offences which would, as I understand it—and as I think he understands it—carry a maximum of 12 months’ imprisonment. He has contrasted it to the present definitions, which can be found elsewhere, including under the Investigatory Powers Act, where the reference is to three years—I think the noble Lord said he expected it to be three years. That is of course, as he has already said, a very different issue to an offence having a potential maximum of 12 months, which it is now suggested it should be in this case.
Clearly, that having been said, and the decision having been made to lower the threshold—I think I know from what was said in the Commons what the Minister is likely to say in respect of that, and I will listen with great interest to her response—there is the issue of how, as far as the powers stand at the moment under these regulations, we will be able to stop them being abused by using them in respect of offences which could hardly be deemed to be serious. As the noble Lord, Lord Paddick, said, if you look at the kind of offences for which there can be a maximum of 12 months’ imprisonment, they can include—because you have a lower and a higher level of defence—types of offence which it would be difficult to describe as serious.
The Minister referred to the Office for Communications Data Authorisations. As I understand it, if there is a desire to use the powers under the Bill, it is to that office under the Investigatory Powers Commissioner that an application will be made. Reference has been made to using the powers in a way that is proportionate and necessary. Bearing in mind that we are talking about an offence being investigated and so do not know fully its level of severity or otherwise, an obvious question in the context of what the noble Lord, Lord Paddick, has raised is how those deciding whether to authorise the use of those powers will judge whether we are dealing with a serious crime.
I await with interest the Minister’s response to the points that have been raised not only by the noble Lord but by the noble Baroness, Lady Jones.
My Lords, I am glad that we have been able to have such a wide-ranging discussion, because this is a very important subject. All three noble Lords who have taken part in this debate have spoken of the vital role that communications data and investigatory powers generally have in protecting the public and bringing criminals to justice.
I assure the noble Lord, Lord Rosser, the noble Baroness, Lady Jones, and my noble friend Lord Paddick I all him my noble friend—that the Government take seriously the need for strong protections and safeguards. We want to ensure that the powers are still used appropriately and fairly.
I turn to the questions put to me; there were common elements in all of them. All three noble Lords raised the important issue of the serious crime threshold and suggested that it might be too low. UK law contains a variety of definitions of serious crime specifically designed to be relevant to the particular statute or power to which they relate. The existing serious crime threshold in Section 263 of the Investigatory Powers Act is a high threshold—conduct for which an adult could reasonably be expected to be sentenced to three years or more in prison or which involves violence, substantial financial gain or a large number of persons in pursuit of a common purpose. This relates to the much more intrusive interception of communications and bulk powers.
The Section 263 definition would exclude a wide range of offences where it would be appropriate to be able to acquire communications data; for example, child cruelty, stalking, harassment, some sexual offences and some offences relating to theft and fraud, as well as offences committed by a body corporate such as corporate manslaughter—I mentioned this in my opening comments. We have therefore proposed an adjusted version of the Section 263 definition for the purposes of acquiring events data to reflect its less intrusive nature and the importance of such data as a tool in investigating many serious online crimes.
An offence capable of attracting a year or more in prison is not a trivial matter. In addition to this serious crime threshold, a public authority will still need to show in every case that the data is necessary and proportionate for the specific investigation. The code of practice also provides detailed guidance on the factors that public authorities need to take into account when considering seriousness.
The noble Lord, Lord Paddick, referred to the European Court of Justice. The court acknowledges that the level of intrusion depends on the data being acquired. While the serious crime threshold prevents data below it being acquired, the important test of necessity and proportionality, combined with clear guidance on seriousness in the code of practice, will ensure that the level of seriousness is appropriate and that this appropriateness is taken into account. This is set out in a subsequent ECJ judgement.
The noble Lord, Lord Paddick, also asked about the carve-out related to communications. For this to apply, the communication must be integral to the offence. For example, it would ensure that if a person is being stalked or harassed online, this could be fully investigated, even if the specific offence being committed does not involve a sentence of 12 months or more. As I have said, such offences can quickly escalate, and it is important that such conduct can be investigated and action taken at the appropriate opportunity.
The noble Lord also asked about EU issues in terms of adequacy. As I have stated, the UK is already fully compliant with EU data protection legislation. We have implemented the new EU data protection framework, the GDPR and the law enforcement directive through the Data Protection Act 2018. We believe the changes we are proposing to our communication data, retention and acquisition regime will allow us to comply with EU law while continuing to keep the public safe, so there should be no impact on our ability to share data with the EU in the future. Although the European Commission can consider our national security arrangements as part of any adequacy decision, we do not feel it would conclude that the UK’s decision not to require independent authorisation in relation to national security requests makes the UK data protection framework inadequate. This is particularly the case in circumstances where we consider that no EU member state is required to put in place independent authorisation for its national security applications. Indeed, we know that other member states agree that national security is not within the scope of EU law, and therefore this judgment does not apply in national security cases. In any event, the regulations permit national security applications to be rooted through the OCDA, should that be considered appropriate or necessary, now or in the future.
A question was put about corporate offences, and why we are capturing them all. This relates to the question of the noble Lord, Lord Paddick, in terms of the carve-out. The carve-out ensures that communication data can be acquired in relation to serious offences such as corporate manslaughter, which are punishable only by fines. As with all applications for communications data, the necessity and proportionality test will prevent it being acquired in relation to more trivial matters, and I think that that is key.
As the noble Lord, Lord Rosser, indicated, the Commons approved these regulations on 15 October. If they are not approved by 1 November, we will be in breach of a court order. I understand the noble Lord, Lord Paddick, wishing to take this to the Floor of the House. I was not party to the meetings he had two weeks ago, and can only apologise that he did not receive the information he requested from those meetings until 10 am today. But I hope that he will reflect on the answers I have given.
There is nothing more I can add to what I have already said, but I remind noble Lords that there is still ongoing litigation in relation to domestic and EU courts on the investigatory powers. For example, the ECJ ruling raises the issue of notification. The Government’s position remains that our regime already provides for sufficient notification of individuals where appropriate and is consistent with the requirements of EU law and the European Convention on Human Rights. These regulations address the areas where the Government have acknowledged that changes are needed to comply with the requirements of EU law, and that is exactly what we are doing.
I hope that the noble Baroness, Lady Jones, feels that I have addressed the issues around the level or threshold of serious crime. She also asked whether we are extending the powers of the state. We are not extending our powers—rather, I understand that we are narrowing them. The current law permits communications data to be used for all crimes. This is about being fair and proportionate, being transparent, and having clear oversight of the data that is being requested and reviewed. This area has been greatly strengthened by that oversight.
The noble Baroness, Lady Jones, also raised the issue of using EU regulations as a way forward. I can only say that these regulations have been made under Section 2(2) of the European Communities Act 1972 which permits the Secretary of State to amend primary legislation by regulations to implement EU law obligations, as in this case. The regulations are of course subject to the affirmative resolution procedure which requires the formal approval of both Houses of Parliament, including a debate and vote in each House before they can become law, if noble Lords so wish.
The noble Lord, Lord Paddick, asked why we are not complying with all the elements of the judgment. We have accepted that there are aspects of our regime that do not meet the requirements of the ECJ judgment and it is those which the regulations address. Subject to the changes, we believe that our existing regime complies with the requirements set out in the ECJ judgment.
I have already addressed the issue of using the Section 263 definition for intrusive powers and I do not think that there is anything else I can add to that. The noble Lord and the noble Baroness both asked where such powers can be used. I have some examples before me that may help, but I hope that I will be forgiven if they are not fully inclusive. I will write to noble Lords. The examples include inciting a girl aged under 16 to have incestuous sexual intercourse, contempt of court, racially aggravated harassment, common assault, sexual communications with a child and child cruelty. Again, I will write to the noble Lord with further examples in order to provide greater clarity in this area and I will ensure that the information is distributed to all noble Lords.
I thank the Minister for her assurance that she will give the details in writing, which I am sure will be very helpful. I did ask how the Office for Communications Data Authorisations would make its judgment as regards whether to agree to authorise the use of powers under the Bill. As has been said, we are now in a situation where included in the definition of serious crime is a penalty which can be at its maximum a sentence of 12 months’ imprisonment. As I am sure the Minister knows, that covers an awful lot of offences where, in the normal course of events, you would not expect an individual found guilty of that offence, when you look at the nature of the offence, to get anything like 12 months.
I am still not too clear, and it would be very helpful if the Minister could address this, how the Office for Communications Data Authorisations would make its assessment when it relates to a crime for which the maximum penalty is 12 months. How will it be able to make the assessment of what the penalty is likely to be if the individual is found guilty of that offence? Presumably, if it were to end up going to court and a fine imposed, which can happen even for something that has a maximum penalty of 12 months, surely we would not expect them to agree to authorise a power under the Bill.
The noble Lord, Lord Rosser, makes a very important point. When I write, I will ensure that the issue of how it will be overseen by the oversight body and how it is dealt with is addressed very clearly. I will write to all noble Lords and I will also place a copy in the Library.
In that letter perhaps the Minister will expand further on harassment and stalking offences, which can quickly escalate, to use the expression she used. Of course, if stalking involves fear of violence, or serious alarm or distress—in other words, if it escalates—the maximum sentence is five years and therefore it would be covered anyway by the definition of serious crime as being something with a maximum sentence of 12 months. Therefore, an offence involving communications as an integral part would not be necessary. Perhaps she can clarify that as well when she writes.
Of course, I will be happy to do that. I shall address the points put by the noble Lord, Lord Rosser. He asked how we will prevent the powers being used for less serious offences, which is essentially the question on which I have been asked to write, but I shall try to give a brief view of our response. The Office for Communications Data Authorisations will receive a full case setting out the need for communications data. It will need to set out why the request is necessary, proportionate and sufficiently serious to warrant the intrusion. The IPA then provides for oversight of this.
The Investigatory Powers Act provides for an Investigatory Powers Commissioner, whose remit includes providing comprehensive oversight of the use of the powers contained within the Act and adherence to the practices and processes, which as noble Lords know are described in the code of practice. The IPC is a member of the senior judiciary and is entirely independent of Her Majesty’s Government or any of the public authorities authorised to use investigatory powers. That is very strong oversight. The IPC is supported by inspectors and others, such as technical experts and legal experts. The IPC and those who work under the authority of the IPC will ensure compliance with the law by inspecting public authorities and investigating any issue which they believe warrants further independent scrutiny. If there were any issue, they would be there in an independent capacity—it is not just somebody locally at the authorities making that decision.
The IPC must report annually on the findings of its audits, inspections and investigations. This report will be laid before Parliament and made available to the public, subject to any necessary redactions made in the public interest. Separately, the Investigatory Powers Act requires that the security, integrity and deletion of retained data by telecommunications operators is overseen by the Information Commissioner, who provides the UK’s data protection oversight function. Just to conclude on that, because the oversight is important, Section 260 of the IPA requires that the Secretary of State must publish a report reviewing the operation of the Act and lay it before Parliament after five years of its passing.
I hope that I have answered most of the questions that noble Lords have put to me. As I said, if there are any issues that I have missed or not grasped as fully as I could have done, I am happy to write to noble Lords and place a copy of the letter in the Library. I am aware that across from me there is greater expertise than I have, but I hope that I have been able to allay any fears and concerns and that noble Lords are assured that we are looking at safeguarding and protecting, as well as ensuring transparency, in this important area.