House of Commons (23) - Commons Chamber (9) / Written Statements (9) / Westminster Hall (3) / Public Bill Committees (2)
(9 months, 2 weeks ago)
Public Bill CommitteesBefore we begin line-by-line consideration, I have a couple of announcements. Hansard colleagues will be immensely grateful if Members email their speaking notes to hansardnotes@parliament.uk. Please switch off electronic devices or turn them to silent. Tea and coffee are not allowed during sittings. Today, we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication. I hope we can take these matters formally without debate. I call the Minister to move the programme motion standing in his name, which was discussed yesterday by the Programming Sub-Committee for this Bill.
Ordered,
That—
1. the Committee shall (in addition to its first meeting at 11.30 am on Thursday 7 March) meet—
(a) at 2.00 pm on Thursday 7 March;
(b) at 9.25 am and 2.00 pm on Tuesday 12 March;
2. the proceedings shall be taken in the following order: Clauses 1 to 14; the Schedule; Clauses 15 to 33; new Clauses; new Schedules; remaining proceedings on the Bill;
3. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Tuesday 12 March.—(Tom Tugendhat.)
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Tom Tugendhat.)
Copies of written evidence received by the Committee will be made available in the Committee Room, and will be circulated to Members by email.
We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room; this shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when they come to the clause to which the amendment relates. Decisions on new clauses will be taken once we have completed consideration of the existing clauses of that Bill. Members wishing to press a grouped amendment or new clause to a Division should indicate when speaking to it that they wish to do so.
Clause 1
Requirement for authorisation
Question proposed, That the clause stand part of the Bill.
It is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.
Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
It is good to see you in the Chair, Mrs Cummins.
I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.
I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.
The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.
When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.
It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.
My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.
Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.
Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.
Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.
Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.
Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.
We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.
I will not detain the Committee unduly, my Whip will be pleased to know. However, I feel it is important at this juncture—in part because, as the right hon. Member for North Durham says, I was responsible for taking the 2016 legislation through the House, and in part because of my current role on the ISC—to make some comment on the first part of this Bill, which deals with bulk powers. There are misassumptions about bulk powers. The Minister will be aware of how vital they are to the security and intelligence services and to the police. These powers are used in almost all investigations —95% of them—and they are critical if we are to deal with the changing character of the threat we face.
Contextually it is important to note that when the 2016 Act was passed, the nature of the threat was metamorphosising, and that is even more the case now. The scale and character of the threats are altering all the time, so the legal powers available to those we mission to keep us safe need to be fit for purpose and up to date. We knew that when we passed the 2016 Act; we knew that the legislation was dynamic and that it would be supplemented over time to take account of that metamorphosis, which takes two forms. First, the threat now is probably greater from state actors, and secondly, it is greater from those inspired to do harm via the internet in particular. That situation makes an implicit case for the kind of measures the Minister has brought before us today.
Furthermore, there is a paradoxical change in the methodology used by those who seek to do us harm. Because of the nature of technology, those people are now able to do things that they were not able to do when we debated the original Act that this Bill amends. I describe the change as paradoxical because those people have simultaneously learned that they can do immense harm with a vehicle and crude weapon; we know that from some tragic cases in recent years. Those inspired people do not need a sophisticated organisation with all kinds of capabilities; they simply need the perverse, indeed perverted, will to do damage. All of those factors legitimise the case for the measures in the Bill, which we will consider over the coming hours and days—but not weeks I am pleased to say, unless something goes badly wrong.
What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.
The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.
It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Low or no reasonable expectation of privacy
I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”
This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
With this it will be convenient to discuss amendment 21, in clause 2, page 3, line 34, at end insert—
“(4) By way of example, bulk datasets of images obtained by CCTV and bulk datasets of Facebook posts are not to be considered datasets where the individuals to whom the data relates could have no, or only a low, reasonable expectation of privacy.”
Probing amendment regarding the scope of “low or no reasonable expectation of privacy”.
May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.
We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.
I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?
The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.
Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.
Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.
Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), which has been shared with us all:
“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”
That is the question that we are getting at here.
The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it difficult to grasp the concept or even understand how the test to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.
Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.
Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.
My hon. Friend the Member for Barnsley Central has been trying to put a definition around this. That needs to happen. If it is not to be in the Bill, the Minister needs to put on the record exactly what his expectations are, because I can see this being challenged in court. Courts are very good at looking back at what is said and what is actually meant in Parliament, so it is quite important.
There are certain categories that no one has any problems with: open Companies House registers are available to anybody, for example, and so is the open electoral register. But how will the closed electoral register be dealt with? I would argue that people who want to be on the closed register would think that there was a reasonable expectation that that data would not be shared. We know that it is, but somebody might challenge that.
Likewise, there are telephone directories. I am not sure whether they are produced any more. Perhaps I am old-fashioned—I am showing my age now. [Interruption.] Well, I am sure they still exist in a digital format. Those who are old enough to remember will know that there was an ex-directory option for people who did not want their name published; someone could make a conscious decision that they did not want their private phone number to be in the public record. Now it must be all online, but how will that be dealt with? With a directory on which everyone’s number is publicly available, I would think that there was a reasonable expectation that that was public data; I think everyone would assume that. Where they are ex-directory, however, I think most people would reasonably expect their data not to be shared with anybody.
“No expectation of privacy” is very clear—it means things that are publicly available—but “no reasonable expectation” is a dance on the head of a pin. People’s interpretations of what is reasonable will be different. I am reassured that the agencies have protocols for dealing with that, and I am not suggesting for one minute that they will be on fishing expeditions, but we need some clarity on what it all means.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East made a point about Facebook and other types of social media. For those who are interested, my “North Durham morning” posts are on Instagram, Facebook and Twitter, or X. I have been doing them for many years.
I have no reasonable expectation that those posts are private. I am not suggesting that the security services will want to look at North Durham mornings, but those posts are something that I have put in the public domain. That is fine, but it is different from what the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East was talking about. We might share a photograph or information on a small Facebook group, but do we expect everyone to have access to it? I am not sure that we do. Where does that fit into the definition of “reasonable expectation”? Would the individual think that it was available? That is the point.
The right hon. Gentleman is making a persuasive argument about public expectations of what is reasonable versus what the Bill says and what the agencies do. He is right that there are good operational validations through the agencies’ protocols, but perhaps the best way of explaining the marriage between expectation and what is real would be by example. It would be helpful to hear some examples from the Minister of how the powers that are currently used, and those that will be used under the Bill, are necessary and proportionate; for all these things are about necessity and proportionality. By example, we can probably put this matter to bed.
Yes. A point was also raised about leaked data. If something is leaked on the internet or any other portal and everyone has access to it, do we then assume that the security services think that it comes under “reasonable expectation”, even though the individual whose data it was perhaps did not want it out there?
I accept that under proposed new section 226B(4)(b),
“the authorisation is necessary for the purpose of the exercise of any function of the intelligence service”,
which is fine. I do not think that people will go on fishing expeditions—we will come on to that issue later— but I note that the phrase “economic well-being” appears later in the Bill, but not in this part. When I have raised the point before, the Government have argued that the phrase is used in other legislation and that they want to be consistent.
If nothing is to be changed in the Bill today or on Report, the Minister needs to put something on the record so that it when somebody challenges this provision in future, which they will, the Government’s intention is clear now and can be interpreted later.
I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.
That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.
The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?
That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly ways at each moment of influence and each moment of power, but everything is covered.
I am interested in the Minister’s example of the Panama papers. As he rightly says, when those papers were originally held by a bank or a financial institution, there would be an expectation of privacy. However, he is alluding to where they are sourced from. Those papers have been freely circulating on the open internet and anyone can download them, and it is at that point that the low or no expectation would come in. Rather than the nature of the document itself, it is the fact that it is easily available online that matters.
My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.
It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.
This amendment is consequential on Amendment 23.
With this it will be convenient to discuss the following:
Amendment 23, in clause 2, page 5, leave out lines 1 to 14.
This amendment would remove proposed new section 226BA, thereby removing the ability to grant “category authorisations”.
Amendment 24, in clause 2, page 5, line 17, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 25, in clause 2, page 5, leave out lines 23 to 25.
This amendment is consequential on Amendment 23.
Amendment 26, in clause 2, page 5, line 34, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 27, in clause 2, page 5, line 39, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 28, in clause 2, page 7, line 3, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 29, in clause 2, page 7, line 27, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 30, in clause 2, page 8, leave out lines 6 to 15.
This amendment is consequential on Amendment 23.
Amendment 31, in clause 2, page 8, leave out lines 19 to 23.
This amendment is consequential on Amendment 23.
Amendment 32, in clause 2, page 8, line 37, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 33, in clause 2, page 8, line 41, leave out from “authorisation” to “they” on page 9, line 1.
This amendment is consequential on Amendment 23.
Amendment 34, in clause 2, page 9, leave out lines 14 to 16.
This amendment is consequential on Amendment 23.
Amendment 35, in clause 2, page 9, leave out from the beginning of line 38 to the end of line 13 on page 10.
This amendment is consequential on Amendment 23.
Amendment 36, in clause 2, page 11, leave out lines 17 to 29.
This amendment is consequential on Amendment 23.
Amendment 37, in clause 2, page 11, leave out lines 32 and 33.
This amendment is consequential on Amendment 23.
First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
I am grateful for that. Could the Minister perhaps follow up on that in writing? That is useful to have on the record.
This discussion is mainly about amendment 23; the other amendments are all consequential. Basically, the amendments would remove the concept of category authorisations from the Bill. Again, I take the same approach as the shadow Minister; I will not be pushing any of these amendments to a vote, but they are designed to probe and allow for debate on some of the important concepts in the Bill.
It is this clause, and the notion of category authorisations, that leads to the restricted judicial oversight of the “low or no” categories that are being retained. It would be useful for the Minister to give us an example here of what a category authorisation might look like. I am not on the ISC, so it is hard for me to understand exactly how broadly they might be drafted. I absolutely appreciate that there are operational reasons why the Government might have to be careful about the examples they give. However, to provide some reassurance, I am sure it would be possible to put on record what one of these authorisations might look like, just so we know how broadly they will be drafted, or indeed how focused they will be.
The Minister spoke a little about oversight at the end of his previous contribution, but it is the oversight of category authorisations that causes me some concern. The tests for a category authorisation set out in proposed new section 226BA of the Investigatory Powers Act 2016 are simply that it must be classed as “low or no” and that the decision has been approved by a judicial commissioner. There are none of the other tests that are set out for the individual authorisation, such as it being necessary for the
“exercise of any function of the intelligence service,”
that it
“is proportionate to what is sought to be achieved,”
or that there are various arrangements in place.
It seems to me that the degree of oversight at the stage of granting a category authorisation is far more restricted. That has a knock-on consequence: when the judicial commissioner comes to review the granting of a category authorisation, they are only then considering whether it applies to a “low or no” group of datasets. The judicial commissioner, even on the low-level judicial review criteria, does not look at whether the category authorisation will be necessary or proportionate, or any of the other tests for the other authorisation.
I do not want to do the Minister’s job for him, because I am sure he will say this anyway, but when an application is made by an agency for the acquisition and retention of bulk personal datasets, a specific case needs to be made in the warrant application, and a particular case has to be made where that application applies to exceptional material. That case is considered through the double-lock mechanism by both the judicial commissioner and the Minister. That case needs to specify the reason that it is necessary for operational purposes.
It is useful to have that explanation. I understand that is the existing process, as the 2016 Act applies just now. However, my simple question concerns the fact that that does not seem to be what is set out here.
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—
“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”
This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.
With this it will be convenient to discuss amendment 38, in clause 2, page 11, line 21, at end insert—
“(1A) The report provided under subsection (1) must include an annex listing the bulk datasets retained or retained and examined under each category authorisation granted during the relevant period.”
This amendment would require information about the scale and nature of use of category authorisations to be provided to the Intelligence and Security Committee.
The issue of closing the gap between adding a bulk personal dataset to an existing category authorisation was raised on Second Reading by my right hon. Friend the Member for North Durham, who has a long-standing interest in these matters. I agree with the argument he made on Second Reading and the simple solution he proposed to close the gap: a one-line email to the Investigatory Powers Commissioner as soon as reasonably practical.
Any such email would not be seeking real-time approval and would not necessarily be reviewed by the Investigatory Powers Commissioner in isolation, but rather as part of a wider trend of what is being added to existing category authorisations. Labour does not seek to create additional work for the men and women who serve in our police and security services. On the contrary, a simple arrangement —to send a single-line email—would enhance wider oversight arrangements, while keeping extra requirements for the police and security services to an absolute minimum. In response to my right hon. Friend on the matter on Second Reading, the Minister said the IPA 2016
“allows the collection… with prior authorisation”
and that
“This is intended to speed the process up.”—[Official Report, 19 February 2024; Vol. 745, c. 556.]
We do not intend to slow the process down through the amendment, as any such notification would be made after it had happened. I therefore ask the Minister whether the problem is the act of notifying the Investigatory Powers Commissioner as soon as reasonably practical, or the potential volume of notifications, that mean he deems it an unworkable arrangement. I would appreciate if he could be as open as possible in answering those questions. If the Government do not accept the amendment, perhaps a conversation could take place between my right hon. Friend the Member for North Durham, the Minister and myself to agree a practicable solution.
As my hon. Friend the Member for Barnsley Central said, I raised the matter on Second Reading. In no way do I or other members of the ISC want to slow down the process or give more work to the hard-working men and women of our security services. However, as I understand it, the only reason put forward by the Government was that it would impair operational agility.
The amendment proposes, and what I proposed, is not for the security services to go through an authorisation, as my hon. Friend just said; it is literally an email saying, “This is what we are doing.” Members might ask why that is important. It is important because we are giving the security services new powers in the Bill and for IPCO to be informed in real time. I accept the retrospective look at them, but at least if there was a trend, we could see it.
The Government have also tried to argue that there is no need for more oversight because it is a low or no dataset, much lower than those governed by the existing section 7 of the IPA. We have just had the argument about the definition of “low” and “no”, but it means that we are giving the security services additional powers here. I am not for one minute suggesting that the internal protocols within those security services will lead to things that are just a free-for-all, as some might suggest, but it gives that assurance that there is oversight of what is happening in real time.
If we were asking for authorisation of each one, I would accept that it would be too burdensome and would slow down the process, but this is literally a one-line email so the IPCO knows what is needed. I do not understand why the Government are resisting that, except that—let us be honest, Minister—we have form on this. With the National Security Bill, there was an idea that it would be a weakness on the Government’s part to accept any amendments from the ISC. However, there was one slight change made with Lord West’s amendment, so there is possibly a change of attitude. I accept that the Minister respects the ISC—I am not sure it is the same for many people higher up in Government. But that should not be a reason not to accept this very simple amendment, which I think would give people reassurance that there is some real-time oversight of this. If an election was called in the next few weeks, this Bill—
I endorse what the right hon. Gentleman said. It is a straightforward matter. The Government could give way on this—because they already have the power to ask for it under existing arrangements—by making it a routine, light-touch process. I take the point that we do not want to impair the alacrity that is necessary for the agency. However, I think a simple change would satisfy the right hon. Gentleman, me, and many others.
I agree entirely with the right hon. Gentleman. If the amendment goes into the wash-up of the Bill, things like that will have to be included anyway. I do not understand why the Government are dying in a ditch on quite a small amendment that would make no practical difference at all to the operation of this Bill. There are certain people—not including the Minister, who is quite a reasonable individual—who want to make sure that the ISC cannot claim credit for doing anything, which I think is quite sad. If the Minister cannot agree to the amendment as drafted, I echo the suggestion of my hon. Friend the Member for Barnsley Central that we draft an amendment that the Government are happy with on Report that fulfils our ambitions on oversight, but that is also practically and technically correct. [Interruption.]
I remind members of the public to please turn their electronic devices to silent as well.
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.
In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.
This is as good a time as any to raise this point. If we are going to give the powers to the security services, which nobody objects to with the appropriate oversight, and ask them to do more assessments, more dataset investigations and so on, does my hon. Friend agree that the Minister should give us assurances on resources? Given that we are asking the services to take on additional tasks in one fashion or another, does he agree that we have to set aside the resources? Perhaps, during his meeting with the Minister, he could tease that out a little bit more, because I do not want these powers and responsibilities to be given to the services without them having the appropriate resources— financial and staffing—to do their job.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.
The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation —a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.
I have nothing further to add, other than to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 2 ordered to stand part of the Bill.
Clause 3
Duration of bulk personal dataset warrants
Question proposed, That the clause stand part of the Bill.
We are making sufficient progress, which perhaps permits me to say a word about why, as we have now dealt with those publicly contentious matters around bulk powers, we can move to the next part of the Bill with greater confidence. The Minister has been crystal clear that he—like me, the right hon. Member for North Durham and other members of this Committee—understands fully the important role of oversight and checks and balances. Those checks and balances are multidimensional because of the role of both those elected to this House and the judiciary. I know he will want to expand on that a little as we come to the next part of the Bill.
I thank my right hon. Friend. Clause 3 amends the duration of bulk personal dataset warrants under section 213 of the IPA from six to 12 months. BPDs tend to be used to support long-term strategic intelligence activities, and a longer warrant duration will enable the value of the BPD to be better demonstrated, which will provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality when an application for renewal is made. The existing part 7 safeguards will remain in place, including the double lock by the judicial commissioner.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Third party bulk personal datasets
I beg to move amendment 16, in clause 5, page 14, line 34, at end insert—
“(4) A third party BPD warrant may not authorise the examination of a dataset consisting of the contents of the marked electoral register.”
This amendment would prevent a third-party bulk personal dataset consisting of the electoral register, which sets out whether people have voted, from being examined by the intelligence services.
Amendment 16 relates to third-party BPDs, specifically the use of the marked electoral register, which is a copy of the electoral register usually arranged by a polling station area or ward with names crossed off to indicate who has voted. Copies are available for political parties to buy from local authorities and add to their records, which aid with canvassing and voter engagement on the basis that a person who has previously voted has a higher propensity to vote again, and for that purpose alone.
Compared with the electoral register, the marked electoral register contains a record of individuals who have exercised their democratic right at the ballot box. The Opposition understand entirely that it would be appropriate for copies of the marked electoral register to be examined in an investigation into electoral fraud. Any attempts to undermine our democratic process must be dealt with with the utmost seriousness. However, we do not believe that it is appropriate or proportionate for information relating to voting records, contained in such documents, to be authorised as a third-party BPD. That could establish links between individuals or better understand a subject of interest’s behaviour.
More widely, we have concerns about records of democratic activity, such as any relating to trade union membership, being examined as a third-party BPD. Does the Minister agree that copies of the marked electoral register should be used to defend and strengthen our democratic processes, and for those purposes alone, and that safeguards should be in place to protect other data relating to democratic activity from being examined as a third-party BPD?
I fully understand the questions that have been proposed by the shadow Minister, and it will be interesting to hear the answers that he gets.
On clause 5, it makes sense to ensure that access to third-party bulk personal datasets is subject to the general Investigative Powers Act scheme and oversight regime, including the double lock. Of course, we had extensive debates back in 2016 on whether that double lock was strong enough. My party argued that the judicial review standard was not tough enough and that we should be asking judicial commissioners to look at the positions again on their merits. But we lost that battle, and we are where we are.
Some of these datasets will include hugely personal information on internet searches and shopping history. These profiles can build up a pretty intrusive picture of how we go about our lives, and sometimes not very accurately. We are also talking expressly about personal datasets, which could include health data. That is on the face of the Bill. Does the Minister envisage that such access will be used only to make inquiries on subjects of particular interest, or will it be used for broader trawls of information?
As set out in the letter from the Chair of the Joint Committee on Human Rights, there is also concern about how this provision will apply to datasets that have been obtained unlawfully. Should there be additional safeguards on the use of illegally obtained data? What is the Government’s thinking on that?
I thank hon. Members for their points. The examination of third-party bulk personal datasets by the intelligence services is vital to their role of protecting the national security and economic wellbeing of the United Kingdom and preventing and detecting serious crime.
Clause 5 places an explicit statutory regime around the intelligence services’ examination, in situ, of bulk datasets held by third parties. The regime would apply only to the intelligence services, in line with the wider part 7 BPD powers in the IPA. The clause puts in place robust oversight and safeguards. For example, third-part dataset warrants are to be subject to a double lock, and the decision to authorise the warrant will need to be approved by both the Secretary of State and an independent judicial commissioner. The Investigatory Powers Commissioner and his office will oversee the regime to ensure the intelligence services’ examination of third-party datasets is both necessary and proportionate. That relates to the point made by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East about proportionality and need.
To answer the point made by the hon. Member for Barnsley Central, we do not consider it appropriate to exclude specific types of dataset from those for which a third-party dataset warrant can be sought. The reason is, as he knows, that we can begin to go down very tricky routes on this area, as the intelligence services have a requirement to keep safe not just our democracy but our wider nation. Therefore, limiting those different arguments can be problematic. What we are aiming to do is ensure the proportionality requirement is the test applied by both judicial commissioners and the Investigatory Powers Commissioner.
The Secretary of State may issue a warrant authorising the examination of a third-party dataset only where it is necessary and proportionate—that is going to be quite a high bar in some of the areas asked about—for the intelligence service to examine the dataset to which the warrant relates. That decision will be double-locked by an independent judicial commissioner who, among other things, is required expressly to review the Secretary of State’s conclusions in respect of necessity and proportionality when deciding whether to approve the decision to issue a warrant. That is already in the Bill. Each decision will be made on a case-by-case basis and will be subject to prior judicial approval.
I am grateful for the Minister’s response. I have to say, I am struggling to think of a scenario in which it might be necessary and proportionate to examine the marked electoral register. This is something we will reflect on.
I broadly support the Minister’s view of this, but the easiest way to establish the case for this is to be clear about its operational purposes. Clearly, one would not expect the Minister or the agencies to speak about the specifics of operations, but dealing with the operational purposes would help the shadow Minister and the Committee. I am sure the Minister would be happy to do that in broad terms, either now or in writing. It would be really helpful to go through the kinds of operational purposes associated with this inquiry. I do not know what the Minister and the shadow Minister think, but that is how I see it.
That is a helpful and useful suggestion. I am happy to proceed on that basis, if the Minister is.
On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Minor and consequential amendments
Question proposed, That the clause stand part of the Bill.
Clause 6 makes minor amendments to the 2016 Act to reflect the introduction of parts 7A and 7B, including making it clear that the Investigatory Powers Commissioner is responsible for oversight of the part 7B regime.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Scott Mann.)
(9 months, 2 weeks ago)
Public Bill CommitteesThe Investigatory Powers Act 2016 contains world-leading oversight arrangements, which have strengthened the safeguards that apply to the use of investigatory powers. The clauses will enhance this oversight regime, including the role of the Investigatory Powers Commissioner, to ensure it is resilient and that the IPC can continue to effectively carry out their functions. This includes creating a statutory basis for appointing deputy IPCs to whom certain functions can be delegated and, in exceptional circumstances, the appointment of temporary judicial commissioners. The clauses also place certain existing oversight functions on a statutory footing and provide clarity to public authorities in their error reporting obligations. These are important and targeted amendments to ensure the oversight regime remains robust and the IPC can continue to carry out their role effectively.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Personal data breaches
I beg to move amendment 1, in clause 11, page 31, line 36, leave out “a court or tribunal” and insert “the Investigatory Powers Tribunal”.
This amendment is consequential on amendment 2.
With this it will be convenient to discuss the following:
Government amendment 2.
Clause stand part.
Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.
Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.
Amendment 1 agreed to.
Amendment made: 2, in clause 11, page 32, line 19, at end insert—
‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
(a) in subsection (2), after paragraph (b) insert—
“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”
(b) after subsection (4) insert—
“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”
(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
(b) in subsection (5)—
(i) the words from “section” to the end become paragraph (a), and
(ii) after that paragraph insert “, or
(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”
(c) in subsection (6), for “reference” substitute “complaint or reference has been”.
(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
“(8) In this section “relevant Commissioner” means—
(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
(b) the Investigatory Powers Commissioner for Northern Ireland, or
(c) the Information Commissioner.”’—(Tom Tugendhat.)
This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).
Clause 11, as amended, ordered to stand part of the Bill.
Clause 12
Offence of unlawfully obtaining communications data
I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.
This amendment would remove one of the examples cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
With this it will be convenient to discuss the following:
Clause stand part.
Clauses 13 and 14 stand part.
The schedule.
The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.
It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:
“where the communications data had been published before the relevant person obtained it”.
We are concerned that that is not a correct expression of the law as it stands.
The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.
We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.
I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.
While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.
I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.
The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.
Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.
Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.
Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.
I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.
I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.
Before you move to the vote, Mrs Cummins—forgive me for not rising with greater speed—I just wanted to test the Minister on clause 14 in particular. Clause 14 deals with the other public authorities that will enjoy the powers that the Bill affords. That was debated at length when the 2016 Act, which this Bill amends, was considered, and the Minister will recall that I also raised it on Second Reading.
It is of course true that a number of public bodies have lawful powers to intervene in a regulatory function where a malicious activity could have dire consequences. The Minister will have many examples to hand, but I will take just one for the purpose of illustrating my argument. The Environment Agency could intervene in the case of a watercourse that had been poisoned intentionally; that would be a criminal act resulting in an investigation and prosecution. One can imagine a circumstance where it would be necessary for that body to obtain communications data to discover how that occurred.
To be clear—the Minister will no doubt tell us—this is not the “what” being communicated, but the who, the when and the where. That is what we mean when we speak of the powers in the 2016 Act and this new Bill. We are not talking about the “what”; we know the telecommunications operator will be obliged to make available the content of communications data. The endeavour that the agency concerned will be involved in is finding out why something has happened. The “why” will of course be closely associated with the investigation and the possible subsequent prosecution.
As always, my right hon. Friend asks a pertinent question. I hope he will forgive me for saying that I very much hope that the letter I asked to be sent arrived in his inbox this morning. He may not have seen it, which I completely understand, as there are many pressing issues on his time. I have also attached it into the packet for the Bill and indeed copied it to the ISC secretariat, which has done such an important job in ensuring that we are all as one on this. I hope very much that that will answer my right hon. Friend’s questions. If it does not, he knows where I am—I would be delighted to clarify it further. As my right hon. Friend has very kindly asked, I shall give that list now, for the record: HM Revenue and Customs, the Financial Conduct Authority, the Department for Work and Pensions, the Treasury, the National Crime Agency, the Department for Business and Trade, and the Competition and Markets Authority.
My right hon. Friend reminds me of that famous scene in “Yes, Prime Minister”—thank God defence is held at central authority, or we would not have to worry about the Russians; we would have a civil war in two weeks. His point about local authorities having intelligence powers is valid. They do not have the same intelligence powers as MI5—let us be absolutely clear about that. That is not what we are offering.
It does the Minister great credit that he has made that list available during the course of our consideration. That is very important. What I had feared might happen was that we might not get it while we were in Committee. In fact, I have not actually seen it, but I am grateful to him for making it available, at least, during our consideration.
This is an area that concerns me. I am quite certain the security services have protocols on how to deal with such things, but it worries me that the DWP is on that list. Having been involved in work on the Horizon Post Office scandal for many years, I know the DWP did not cover itself in glory on some of those cases. Can the Minister reassure the Committee that there are protocols governing when and how it will use those powers? That, I think, would give the public some assurance that there is a standard for how they will be used.
The right hon. Gentleman tempts me towards an area that the Bill does not cover, so I hope he will forgive me for focusing on what it does cover, such as the safeguards. Clause 14 will limit communications data acquisition to the purpose of a body required to meet its civil functions and duties, such as a regulatory body providing oversight of financial markets, or indeed the DWP overseeing different elements of its responsibilities. Where disclosure is in support of a criminal prosecution and IPA part 3 authorisations for communications data must continue to be sought, using the existing safeguards and oversight provided for by the Investigatory Powers Commissioner’s office, the courts will oversee the use of those powers by public authorities in the same way as the acquisition of non-communications data under the existing powers. He has asked me specifically about a connected area, so—I hope he will forgive me—I will have a look at it and write to him very specifically about that.
May I suggest that the Minister does write to the Committee? I accept the safeguards in place, but for organisations other than the security services, I want to know what internal mechanisms they have to ensure that use of those powers is proportionate in terms of investigations and so on, and what training and protocols they are using. If the Minister could write to us on that, that would be helpful.
Forgive me, but the right hon. Gentleman is asking for a very large piece of work there. I am setting out the legal authority under which those organisations can act. Their internal processes may be different in different circumstances and be answerable to different Ministers.
I am sorry, but I do not agree with the Minister. He is giving those other public bodies additional powers, and I think it is quite reasonable for this Committee and the public to be assured of how those powers are actually going to be used. As I say, I have no problem with the security services, because I am well aware that they have very clear, strong protocols and safeguards governing the use of their powers internally, with authorisations and so on. I think he just needs to ask those other Departments how they are going to do this, and what the internal mechanisms are.
I am very happy to ask them; I am just stating clearly that they are not under the responsibility that I have as a Minister. The legal powers that they are given are not additional powers; they are repetitions of the IPA 2016, so they are not additional powers—[Interruption.] Forgive me, but they are not additional powers. Their existing codes of practice under the different organisations have their own responsibilities within them.
I beg to differ. In the next clause, we will come on to the breadth and depth of the new powers, but that is a different argument—I will save that until then. However, he is the Minister and, in my experience, the Minister leads the Bill. I would have thought it would be quite simple to ask those other Departments what those protocols are. If he does not ask, he does not get.
I will happily ask. The right hon. Gentleman is asking for internal management structures, though.
I am grateful to the Minister for offering me a second bite of the cherry. Perhaps I can offer a Hegelian synthesis between him and the right hon. Member for North Durham. We talked earlier about operational purposes, but we have to be careful about that: in the case of the agents of the police, one cannot publish purposes in fine detail, because that would be unhelpful. However, in broad terms, perhaps the way forward on this is to illustrate the kind of purposes that the bodies the Minister described might employ, within the legal constraints that he just set out. Perhaps that is the way forward; it would certainly satisfy me, and I cannot think that would not help to satisfy the right hon. Member for North Durham, who is a reasonable man—not my right hon. Friend, but a right hon. Gentleman and a personal friend, which is better than being a right hon. Friend.
As always, I welcome my right hon. Friend’s contribution. That is covered in many areas in the letter I wrote to him.
In an earlier response to comments by the right hon. Member for South Holland and The Deepings, the Minister helpfully mentioned the letter that I think has been sent to the right hon. Member and possibly other members of the Committee. Can the Minister confirm that that letter will also be sent to the Opposition?
To be absolutely clear, the letter was in response to my right hon. Friend the Member for South Holland and The Deepings, so it was sent to him, it was copied to the secretariat of the ISC and it is in the Bill pack. The hon. Member for Barnsley Central therefore has access to it.
May I ask the Minister to look at his internal process again? We also had this problem with the National Security Bill. I do not know whether he should change the pigeon post he is using to ensure people have it. May I also point out that the ISC is not constantly in session? Therefore, if he has to send it to the ISC, we do not automatically get it until our next meeting or when we do the next reading.
I am delighted to clarify that the letter was emailed to my right hon. Friend the Member for South Holland and The Deepings. He is a traditionalist in many ways, but I believe he has entered the electronic age.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 12 ordered to stand part of the Bill.
Clauses 13 and 14 ordered to stand part of the Bill.
Schedule agreed to.
Clause 15
Internet connection records
Question proposed, That the clause stand part of the Bill.
The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.
The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.
We are now looking at internet connection records. Whether we are for or against the provisions, the requirement in 2016 for companies to generate and provide internet connection records was a radical departure and makes the UK something of an outlier: as I understand it, there is no other European or Five Eyes country that allows the same sort of requirements to be made, certainly in relation to its own citizens.
As the Minister explained, there are various conditions on who can access the records. At present, the investigating bodies need to know which personal device they are looking for ICRs in relation to or know a specific time when a website was accessed to identify who was responsible for the events of interest to them. There is some judicial oversight, but not always. We are being asked to move a little further from that already fairly radical starting point and remove the need for a particular time to be identified, so as to have a general look at who uses certain internet sites and services over broader grades of time. That risks moving us step by step away from suspicion-based surveillance towards broader mass surveillance. People become targets of surveillance because of websites they have visited that are not only of questionable ethics, but potentially in breach of article 18 of the European convention on human rights. Various examples of how that might work are given in the explanatory notes, particularly in paragraph 120.
The Minister also gave some examples in relation to access to sites that are clearly illegal. I was quite surprised to learn that there are not already other powers that can be used to investigate who is engaging with such sites. If that is not the case, why not confine the power to sites that are clearly illegal in and of themselves, rather than enabling a trawling of data in relation to other sites that are not? I am not a tech geek, as will become more and more apparent the more that we debate the Bill, but the explanatory notes themselves confirm that there is a danger of and huge susceptibility to error here. Paragraph 123 says:
“Whilst clearly having the potential to provide significant operational utility it is recognised that such queries are highly susceptible to imprecise construction. As a result, additional safeguards are proposed in this Bill with the intention of managing access to this new Condition and mitigating public concerns.”
I am not absolutely convinced by the additional safeguards that follow in paragraph 124, which seem to revolve around training and various other requirements.
At the very least, I would prefer to see us go for independent judicial oversight in all cases, including authorisations under condition D2. As I understand it, under condition D1 a judicial commissioner would need to authorise what has been sought, but under condition D2 it could be internal. If the Minister wants us to expand the powers without the need for judicial authorisation in all cases, he needs to explain how often he expects the powers to be used and why judicial commissioner involvement in all such cases would not be realistic. Are there not other ways in which we can make this work while still retaining judicial oversight in all cases under the new provisions? I understand what the goals are here, but this is an example where it could be framed more narrowly and oversight could be strengthened.
I agree with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East, and the ISC feels strongly on this issue. We are clearly speaking English and the Minister is speaking Japanese, because this is about understanding what is actually being given to the agencies without any judicial oversight, which is being dismissed as if these powers are no greater or more intrusive.
As the Committee will know, under the IPA an internet connection record is a form of communications data. It contains data on who has accessed something: it does not actually provide the content of what they have seen or been in contact with. However, under the IPA information can be sought to develop knowledge of who is speaking to who. I think the ISC see the value of this for not only security services but issues around child protection and organised crime, as has already been argued. We are giving the security services and agencies a degree of authorisation here, which I would argue they have not had up until now.
We then come to the argument made by the Minister and the Government that these regulations are not any more intrusive than what we have at the moment. I would argue differently because the power is broad. Previously, targeted discovery condition A, under section 62 of the IPA, required that the agency and officer know the service and precise time of use to discover the identity of an individual, so that they actually know what they are targeting. The Minister used the words “fishing expedition”—this regulation will be a fishing expedition. By default, it will bring in a broader range of individuals who have nothing to do with the target the agencies are looking at the time and connection records for, and are of no interest to the agencies or anybody else.
The Government are arguing that this regulation is no more intrusive—but it is, if we are dragging in a large number of people in that way. Actually, by not having any judicial oversight, they are allowing the agencies to agree that internally. Although the intrusion is not deeper, it is certainly a lot broader than what we have at the moment. The Bill says that the new powers can only be used for “national security” and the catch-all phrase
“economic well-being of the United Kingdom”.
I am still yet to be convinced of that terminology, but I understand that the Minister and the civil service like consistency across Bills, and that is why it is in this Bill.
Under sections 60A and 61 of the IPA, requests to obtain an ICR are like requests to obtain other communication data: they have to be “necessary and proportionate”, which runs through all of this. Again, the Government are allowing the agencies to decide what is necessary and proportionate. I am not suggesting for one minute that they are going to go on a fishing expedition, but again there is a problem with the Government’s approach to the Bill, and certainly with the agencies’ approach. They want these powers, and I do not personally have an objection, but we have to look at how other people, who are not drowned in the detail of this Bill, will perceive them. Some opponents would say, “Why should I be dragged into this?” It is really about giving public confidence; as the right hon. Member for South Holland and The Deepings said this morning, when the IPA was passed, it was about trying to reassure people.
It would be very simple to ensure that this regulation has independent judicial oversight, as the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East has just said. I know the catch-all phrase that the Minister will come back with, because I am a quick learner: he will say, “The IPC has the ability to look back at anything.” Again, that is the haystack—where is the needle? It would be better and more reassuring if they were to have some judicial approval in advance. I will give the Committee one example. Let us suppose that we are looking at train records and patterns of behaviour on WhatsApp or a train-ticketing website. There is possibly a valid reason to do that—to see someone’s patterns of travel, and so on—but it will scoop up a lot of innocent internet users. The assurance here is that they will not be of interest and therefore they will not be part of it, but their information is being dragged into the system. Then a decision has to be made as to which ones people are interested in and which ones they are not.
That is a big change. I accept that it would not be the exact content that somebody accessed, but the connections would be there. It does not sit comfortably with me to leave such a big change to the security services. Knowing them as well as I do, I do not suspect that they will use the provision illegally or for alternative motives, but we have to reassure the public, and I do not think this does that. Would that be onerous? I am not sure that it would be. This comes back to the point that we have made about the ISC all the way through. If we are giving the security services extra powers, we need the counterbalance of a safeguard.
As the right hon. Member for South Holland and The Deepings said this morning, that was exactly how the IPA was approached. Clearly, he was a very good Minister, because he accepted amendments and suggestions, whereas only one has been accepted for this Bill so far. The Minister spoke this morning about working with the ISC. The Minister speaks to us, but he does not necessarily listen to what we say or take a great deal of interest in what we propose. This is an important point. It comes back to the fundamental point that if extra powers are going to be given, it is only right that they come with responsibilities and safeguards.
New condition D removes the existing requirement for the exact service and the precise time of use to be known. Basically, it will now be possible to do a sweep, which will mean dragging people in. Therefore, I cannot see the problem in having some oversight of these powers. I would like to know why the Minister thinks that condition D is not more intrusive. It is more intrusive, because a lot more people will be affected by it. I think the Government are hiding behind the idea that because it is not possible to identify what the individuals have actually seen, it is not really interesting. If that is the case, why have it in the first place? I know the reason for that, but it would be interesting to know what thought has gone into this and how many people will be dragged in. It obviously depends on how the provision would be used in practice. If we went down the street and said to people that we are giving these powers without any judicial oversight—the Minister will say that IPCO can always look at it, and I understand all that—I think that most people would be quite worried. We would give reassurance by providing that important oversight.
This provision certainly needs to be looked at. Is it of benefit and am I convinced that this is a new power that the agencies need? I am, and I think it is right, but coming back to the previous point, we have to ensure that we do not do anything that undermines what is done or that gives ammunition to those people who want to cast aspersions on what is actually done.
I think I know the arguments that the Minister will put forward. We will no doubt come back to this matter on Report, when there will, I think, be amendments from members of the Committee; and if we have an election wash-up, this is one proposal that I think will be pressed by the Opposition.
To supplement what the right hon. Gentleman has said, this was part of the original legislation and it is and always has been a controversial aspect of it. There are two things that I would emphasise here. First, it is really important to understand that the kinds of inquiries that would necessitate the use of this power are exceptional. When we considered the original Bill in Committee, one of the arguments was around a criminal threshold: in what circumstances would the public bodies that we are talking about need to avail themselves of the powers? I am on the record as saying at that time that I entirely agreed with the then shadow Minister’s argument that it should not be permitted for minor crimes. In other words, the bodies that the Minister listed earlier would not be using the powers on a routine, daily basis for all kinds of things that they are lawfully entitled to do; they would take advantage of the powers in exceptional cases in which very serious matters were at hand. That would be a helpful way of assuaging some of the doubts raised by the right hon. Member for North Durham.
Or we could have what was suggested earlier: when the power is used, that is reported to the Investigatory Powers Commissioner, so that it is aware of what is going on and can do something if it has concerns. At the moment, it is presented with a haystack and has to look for the needle.
Exactly. That point was made when we debated the original Act, and I think that I committed at the time to those kinds of things being detailed in the annual report. To clarify a point that was made earlier, David Anderson was clear at the time, and has been since, that we cannot detail the operational purposes of the agencies if doing so would compromise them. The techniques and approaches that they necessarily use in the performance of their duties could be compromised if we were to talk in detailed terms about the character of their operational activities. However, we can speak in broader terms about the kinds of circumstances in which powers might be used—and all the more so for the other public bodies, in a sense, because even if a serious criminal investigation is taking place, those investigations are not typically as secret as they might necessarily be in respect of the security and intelligence community.
Perhaps those two grounds—greater sight of the processes in those bodies and clarity about the circumstances in which the powers can be used; in other words, exceptionally and for very serious matters—would be helpful ways of dealing with some of the points raised by my colleague on the ISC, the right hon. Member for North Durham.
As usual, right hon. and hon. Members have raised some excellent points. Let me be clear: it is not true to say that there is no judicial oversight. To say that there is no judicial oversight would be correct if the IPC were not in place. I know what the right hon. Member for North Durham is going to say, but that is a form of judicial oversight.
As to the way in which the authorisations work, I hope that I have been clear—I will repeat it to ensure that I am—that an investigating officer would have to make an application to use the powers. That would have to go to a senior officer in their service who is not in their chain of command: someone who is not overseeing the operation or in their management chain—a separate element. Any abuse of that system could mean that that individual, or those individuals, are in violation of section 11. I know that the right hon. Member for North Durham takes his responsibilities on the ISC exceptionally seriously and is fully aware that sometimes there can be a pressing need for operational action at pace. That is what this is also designed to help. It is important that officers have the ability to act under a regulatory framework that means that abuses are, at worst, extremely limited due to various constraints.
I accept that and I have confidence in the internal protocols—do not get me wrong on that—but the Minister does not have to convince me or members of this Committee; it is about the public perception. What is the problem? If we are not going to have judicial oversight in terms of judicial authorisation, what is to stop us having another system whereby, when it is used, the IPC is informed? We could send a simple email so that it would at least have ongoing oversight when these powers are being used.
The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.
The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.
I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?
“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.
That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.
It is not about a fishing expedition, but they will get into a fishing expedition anyway. He says that train lines would not be affected, but they would. If someone wants to see an individual’s travel pattern, that is what they may do. Therefore, a lot of people’s data will be dragged in, not because it has been looked for but because it will come in anyway.
The problem is that if the argument is about speed—which I do not necessarily think is the case in some cases—the Minister has to do two things to reassure people that the powers are going to be used in the right way. First, he must provide pre-authorisation judicial oversight, and secondly, the IPC should be told, perhaps via a simple email, when the powers are used. That would at least allow it to look at the trends and uncover any concerns. I accept the protocols in place and am 100% sure that they are being followed, but it is possible that some people will not follow them and that is what we have to guard against.
This is a somewhat odd argument, because the right hon. Gentleman and I are slightly together but also arguing at cross purposes. Both of us have a very high regard for the intelligence services and are confident in their integrity, but we are slightly at cross purposes because he believes that we are not satisfying the oversight element, but I believe we are.
Let me be clear. I am not being a stick in the mud about this for any political reason. I actually happen to believe that this is the right way to approach this. There is a constant balance in all forms of oversight between the ability to act quickly and the ability to be controlled from outside. I believe that this sets in place a very significant, burdensome requirement on those who are taking these responsibilities to act according to certain principles. To repeat, the principles are necessity and proportionality. I do not think anybody in here would argue against those. What this requires them to do is make sure that the principles are met by effectively targeting in advance.
The right hon. Gentleman’s comment about train line use would, I am afraid, not satisfy that proportional need. The individual would have to be specifically identified in advance. The pattern of use of the website from the single point and to the point of contact—from a phone to an internet server or whatever it might happen to be—would have to be clarified. These ICRs are Venn diagram circles that are getting narrower and narrower. The idea that this would end up with some sort of week-long or month-long trawl of a train line website is, I am afraid, not permissible under the 2016 Act. Were any intelligence officers to do it—though I do not believe that they would—they would fall foul of section 11 and would not be acting necessarily and proportionately. Therefore, it would not be permissible.
It is pretty clear that existing conditions B and C already enable public authorities to make an application for a known individual’s internet connections. New condition D only enables a request for details to identify individuals who have used one or more specified internet services in a specified time.
I think that is the point. I do not think anyone is arguing against the fact that there will sometimes be exceptional circumstances that require haste. Everybody accepts that, but the issue with condition D is that it is explicit in removing the targeted nature of the other conditions. It is where they do not know the time or person and do not have the data available that they are using condition D. There is nothing in the Bill to make clear that it can only be used in exceptional circumstances. How can we square that circle? I do not think that anyone would disagree with the fact that there needs to be an ability to move at pace at times, but there is nothing here that says that power could only be used in those sorts of circumstances. Condition D creates a situation where we are going to hoover up data on a huge number of people, but there is nothing to say how long we are going to hold on to that data for, or what would be done with it.
To answer the last part of the question first, the holding on to data and what is to be done with it is the same as under the IPA generally. Information can be held or not held according to those provisions. This Bill does not change any of that, which is why that is not covered here, and I know the hon. Gentleman would not expect it to be.
It is worth pointing out that condition D is not only no more intrusive than conditions A, B or C, in terms of data—
Let me just finish the point; I know the hon. Member will come back to me.
Condition D is no more intrusive, and it does require the serious crime threshold, which does add an extra layer before it can be used. I hear the hon. Member’s point; the condition still requires proportionality and necessity, so it could not be simply anybody who is using Facebook, because clearly that is not proportionate. It still requires that targeting; it still requires those Venn diagrams, if he likes, to close over a target; and, even then, it requires the serious crime threshold.
The key thing to understand here is that the agencies have always had the ability to intercept communications data. Communications data is one’s letters. Communications data is one’s phone calls. We speak about communications data now, mindful of the way that people communicate now, and we think of the internet and telephones, but the process of intercepting communications has been a core part of the work of the agencies since the agencies began, so we need to put this in context.
The difference here is the nature of how people communicate. It is right to say that—I rise to be helpful to the Minister—the character of encryption, in particular, is making it harder, even in the kind of serious cases that have been described, for those who are missioned to keep us safe to do so by accessing the information they need. So it is right that the law needs to be updated. The critical thing for me, therefore, is this matter of the threshold, which was debated when we debated the original Act.
As far as I understand, this Bill does not change the threshold; it reinforces the threshold. If that is the case and, as has been said, exceptionality is a measure of significance and not complexity—some cases will be complicated, but it is about significance—then the only outstanding difference, as the Minister has said, is oversight. I think the reporting in the annual report matters—the right hon. Member for North Durham made that point—and that would be a small concession to make, if I can describe it as such. I take the point about alacrity, too. What we cannot do is slow down the process by making it bureaucratic.
I think there is an easy way out of this. Being very clear about thresholds, as the Minister very helpfully has been today, is perhaps the way out of it. To clarify that in writing might be helpful.
I do not think anyone could describe the right hon. Member for South Holland and The Deepings or myself as woolly liberals, but I do have a concern with this. Where we are giving an extra power—which is what this is, although the Minister disagrees about the breadth—I want to ensure somehow that, in a democracy, we have oversight of it. I do not want to make it difficult for the agencies to implement their powers, but there are simple ways of doing so. That could mean telling the IPC when it occurs.
I have faith in the internal mechanisms that the Minister refers to, but I was also on the Intelligence and Security Committee in 2017, when we did our rendition and detention inquiry. All the safeguards were in there then, and they were ignored. That led to some fundamental changes, including the Fulford principles. There are occasions when the best things in legislation are not followed through, and that can lead to some very serious consequences.
I take the right hon. Gentleman’s point and the spirit in which it was made. I reiterate that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office, as he knows, unless they are urgent or for the purposes of national security. That is where this is being focused. Condition D, which we have spoken about, will be restricted to only the intelligence services and the National Crime Agency when it is pursuing a national security element within its remit—that is a separate area, as he knows. Those organisations have the necessary expertise to raise compliant and proportionate restrictions.
Again and again, the principle in the Bill is that the least intrusive power must be used. The oversight starts internally, but very rapidly goes externally, whether it is to IPCO or a judicial commissioner. The ability to review is always there, and the penalties under section 11 of the 2016 Act, which we all hope will never be needed or used, are pretty onerous on anybody who abuses their power or in any way exploits their ability in order to conduct themselves in a way that we would all agree is unsatisfactory in a democracy. It is really important to say that.
Going back to the question raised by the hon. Member for Midlothian, the reality is that condition D applications will limit collateral intrusion as much as is reasonably practical. The returned data may only provide an indication of involvement in an investigation, and further analysis will likely be necessary to allow fuller determination. That is the nature of handling intelligence data and then conducting an analysis on the back of it. In all cases, that activity will have to be justified, and will be no more than is necessary to achieve the desired outcome.
To be absolutely clear, that has to be targeted. This is a series of circles in a Venn diagram to target as narrowly as possible. Were others to be captured in that narrowest possible target, that data could not be held, or a separate application would have to be made in order to hold it. For example, one can imagine a circumstance in which an intelligence agency is targeting a paedophile on a particular street. Using different forms of communication technique, it narrows it down from a handset to an operator, a particular website, a particular time, and so on, so the Venn diagram narrows—it is very focused. If it turns out that there is another paedophile operating in exactly the same area at that time, that would require a separate application, because it is a separate target. The data could not just be held. Nor would it be ignored—I am sure the hon. Gentleman would not suggest it should be. But the judicial oversight needs to be gone through and the application needs to be made. It is a separate warrant, and so on.
In the example the Minister gives, at the same time the agency targets that individual, it will have a lot of other people who communicated with that individual. How long will that information be kept? That is the concern people have. It is not the depth, but this is broad. Most of those people would be completely innocent of anything. There is then the issue of how long that information is kept and who makes the decision about how long to keep it.
Forgive me, but I disagree with the right hon. Member on this. It is unlikely that there would be a large number of people at a specific geographic location, using a specific cell site, from a specific handset, viewing a specific website at a specific time. Once it is narrowed down like that, the numbers are very small. That does not mean that any intrusion that is not legally authorised is acceptable—that is absolutely not what I am saying. But we are getting down to very small numbers of people, and quite deliberately so, in order to achieve an intelligence outcome.
As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.
In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.
Let me go back to the Trainline example. Suppose it is not child exploitation—the Minister is possibly right that it is specific, and hopefully there are not many people in one street—and someone is trying to look for a person’s travel plans, so they want to know how many people in an area have contacted Trainline. It will be more than one person, so there will be a lot of other people they are not looking for in there. That is the problem, and that is all that the ISC, the hon. Members for Midlothian and for Glasgow South and the Labour Front Benchers are saying.
Earlier the Minister used the words “control from outside”. I am sorry if he sees oversight as control, but I certainly do not. It is about giving confidence to the public that there is independent oversight over these powers, whether that is informing the IPCO when they are used or having pre-authorisation, as was suggested earlier. I do not see the problem with keeping people informed. The Minister is hiding behind IPCO, but it was introduced in the first place to give the public confidence.
I suspect we are not going to come to an agreement on this, so I will probably leave it after this point. The IPCO oversight means that IPCO can look at a request at any point. The maximum period it can go without looking at it is 12 months, but it can look at any point. We have said that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office
“except where they are urgent or are for the purpose of national security”.
That interaction, which the right hon. Gentleman rightly supports, is already there, so I do not accept it is lacking.
On the question of proportionality, the amount of information that one may need to investigate a paedophile network, for example, may mean being slightly vaguer about the specific time, whereas following a known individual may require different forms of flexibility and proportionality. I am afraid I am going to be very cautious about setting out what each one means, because these principles will have to adapt and be applied as appropriate.
We are going to have to close this down and move on because we have other things to do. Perhaps the way through is, as was suggested a few moments ago, that this be reviewed over time. If in the annual report we have a really thorough examination of how the measure has been applied and in what circumstances—in broad terms, of course, because we do not need the details of the crimes—that would give us the assurance we need. Our Committee has made that point emphatically. That would be a terribly good way out of this and it would not be a huge step. If the Minister agrees to that, I would certainly be satisfied.
It is not for me to tell the ISC what it should look into, but I would be surprised if it did not want to look into this in great depth.
I think the Minister might have misunderstood. Forgive me; I did not mean that. I meant that this could be reviewed in the IPCO annual report. That would obviously be considered by the ISC in the way he describes. I think we need a summary of how this will work in practice and a commitment that we do that now. He sort of talked about a retrospective review. Rather than debate this further now, that would be a very good way forward.
I am entirely supportive of the idea that IPCO should update the ISC and the Secretary of State about how it is working and provide information so that a proper view can be taken. I think that is entirely appropriate.
Well, that would be fine if the Government did not redact things in IPCO reports and try to stop us getting access to—[Interruption.] I am sorry, but the Government are doing that. They have done it over the past few years. That is the problem. The Government are paying lip service to the ISC. We are not trying to thwart the work of our security services; we are an important part of the democratic oversight of them. That is why we were set up under the Justice and Security Act 2013. I am sorry to say that the Government are trying to drive a coach and horses through it, including by preventing information from IPCO from being given to us.
I think we have covered the area, and I have said all I am going to about the matter.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16
Powers to require retention of certain data
Question proposed, That the clause stand part of the Bill.
Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.
Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.
Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.
Clause 17 amends section 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.
I have some comments to make about extraterritoriality, but I will do so in the next debate.
Question put and agreed to.
Clause 16 accordingly ordered to stand part of the Bill.
Clause 17 ordered to stand part of the Bill.
Clause 18
Review of notices by the Secretary of State
Question proposed, That the clause stand part of the Bill.
The notice review mechanism is an important safeguard. If operators are dissatisfied with a notice that they are given, or with any part of it, they have a statutory right to refer it to the Secretary of State for a review. Clause 18 is essential to ensure that operators do not make any technical changes during the review period that would have a negative impact on existing lawful access capabilities.
Operators will not be required to make changes to specifically comply with the notice. However, they will be required to maintain the status quo. If there was lawful access at the point at which a notice was given, access to data must be maintained by the operator while the notice is being comprehensively reviewed. This will ensure that law enforcement and intelligence agencies continue to have access to vital data during that period in order to keep people safe.
To be clear, companies can continue to make technical changes or roll out new services during the review period, so long as lawful access remains unaffected. The status quo will apply only to services or systems specified within the notice; anything outside the scope of the notice will be unaffected. If, at the conclusion of a review, the Secretary of State confirms the effect or varies the notice, maintaining the status quo will be vital to ensure that law enforcement and intelligence communities do not lose access to data during the review period that they would otherwise have been able lawfully to obtain. In the Lords, the Government amended the Bill to introduce a timeline for the review of a notice.
I will be very brief. I am grateful for the Minister’s remarks, but I want to raise the concerns of some telecommunications operators and of organisations representing the sector about clauses 18 and 19. These include a view that the role of the proposed new notices regime would hinder and even veto product development.
I know that the Minister and his Department have engaged with stakeholders about those concerns, as have Labour Members. I would be grateful if the Minister briefly set out whether recent engagement has taken place with stakeholders with regard to these matters, and whether he has any further plans to address the concerns that they have expressed about clauses 18 and 19.
I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.
The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:
“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”
Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State
“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”
Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.
As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.
According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.
In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.
I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.
Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.
The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.
The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.
It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.
It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.
The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.
I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?
Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.
On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.
Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19 ordered to stand part of the Bill.
Clause 20
Renewal of notices
Question proposed, That the clause stand part of the Bill.
Currently, a notice must be kept under regular review by the Secretary of State, but it does not cease to have effect unless the Secretary of State revokes it. The clause will introduce a notices renewal process such that if two years have passed since a notice was given, varied or renewed, it must go through the double lock process to obtain the approval of a judicial commissioner, in addition to a full necessity and proportionality assessment by the Secretary of State. This change will provide reassurance to operators that their notice remains necessary and proportionate.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Notification of proposed changes to telecommunications services etc
I beg to move amendment 6, in clause 21, page 45, line 7, leave out first “person” and insert “relevant operator”.
This amendment and amendments 7, 8, 10, 11, 12 and 13 provide that the expression “relevant operator” is used consistently in inserted sections 258A and 258B of the Investigatory Powers Act 2016.
With this it will be convenient to discuss the following:
Government amendments 7 to 13.
Clause stand part.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendment 6 agreed to.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.
Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)
See amendment 6.
Clause 21, as amended, ordered to stand part of the Bill.
Clause 22
Interception and examination of communications: Members of Parliament etc
I beg to move amendment 3, in clause 22, page 47, line 17, leave out from “and” to end of line 19 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (2).”
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 26 of that Act.
Government amendments 3 and 4 require that any Secretary of State to be designated by the Prime Minister as an alternative approver must have the necessary operational awareness of the warrantry process to undertake the role. This change will replace the current drafting inserted in the House of Lords relating to “routine duties”, which is over-restrictive and will undermine the resilience of the triple-lock process that the clauses seek to safeguard.
Requiring relevant operational awareness will ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation. It will allow scope to include those who may be new to their role and do not yet carry out such duties routinely, or who no longer carry them out routinely due to machinery-of-government changes but have valuable pre-existing knowledge that makes them a suitable alternative approver.
I am grateful to the Minister for the fact that his amendment goes some way to dealing with the issues that I and others raised in relation to the change from existing practice. At the moment, the Prime Minister provides the element of what has been described as the triple lock. The Government proposal is that other Secretaries of State should perform the role when the Prime Minister is unable to for a number of reasons. My anxiety, reflected by the Intelligence and Security Committee, is that those Secretaries of State who act for the Prime Minister in such circumstances should be people with operational experience. Typically, that would mean people with warranting powers—people accustomed to the business of issuing warrants, with all that that suggests.
The Government amendment speaks of operational awareness. I think “operational experience” is a better turn of phrase, although I accept the Government’s point that if there was a new Secretary of State—a new Home Secretary would be a good example—they would not necessarily have experience. By definition, they would be new in the job, whether that was the Home Secretary or Foreign Secretary and so on. It might be possible to speak of experience and responsibilities, so it could be either responsibilities or experience. Of course, the Government rightly say that a former Home Secretary, Foreign Secretary or Northern Ireland Secretary who was then doing a different job in Government could be one of the people designated, so I take that point.
The issue here is ensuring that the people who perform the role are competent to do so, and I know that is something on which we agree. It is really a matter of the semantics, but semantics are not always insignificant. I am aware of bolshevism and liberalism, but I would not want anything to do with either of them. I am aware of the separatist case on the United Kingdom, but awareness is as far as I want to go with that—I say that without contention or, indeed, acrimony of any kind. I am not sure that “awareness” is quite the right word, and I simply offer that semantic but not insignificant point to the Minister for his consideration.
I rise to speak briefly to Government amendments 3 and 4, which Labour welcomes. The principle of the appropriate Secretary of State giving approvals under section 26 of the Act was raised in the amendments proposed by Lord Coaker and Lord West in Committee in the other place. The amendments are an important further clarification regarding which Secretaries of States are eligible to be delegated the prime ministerial authority on investigatory powers relating to members. Necessary operational awareness demonstrated by the right people is, of course, crucial to ensure that the right decisions are made on what are, after all, very sensitive matters. I am mindful of the remarks made by the right hon. Member for South Holland and The Deepings, so it would perhaps be helpful if the Minister could say something about how recent—mindful of the debate about whether “recent” is the right word—this operational awareness should be.
I think so, because the original wording talked about being able to nominate basically anybody. It was then defined, but the amendment widens it again. It says, “necessary operational awareness”; is that, for example, that any Secretary of State is aware that it is a voluntary process? For example, the Foreign Secretary and the Home Secretary sign warrants, and another Secretary of State could say, “Yes, I’m aware of that.” As the right hon. Member for South Holland and The Deepings said, “operational experience” would be better wording, because “necessary operational awareness” is too broad. What does it actually mean in practice? For example, must they have any experience of having signed a warrant before? Or do they just need to know that the warrantry system exists?
First, I place on the record my gratitude to the ISC, to which I have listened extremely carefully on this matter; indeed, the Bill has been changed because of it. Let me be clear that although many people are aware of things, to be operationally aware is not the same as to be just aware. Many people were aware of the conflict in Helmand, but I argue that only the hon. Member for Barnsley Central and I were operationally aware of the conflict in Helmand. It is rather a different requirement. It does not mean that one knows about the operation; it means one is aware in an operational sense of it. It is not just an observation of the challenge.
I have to say that from my experience as a former Minister in the Ministry of Defence—I said I was never a Secretary of State—I was not only aware of what was going on but operationally aware. Could an Under-Secretary of State at the Ministry of Defence therefore be designated as one of these people? On Tuesday mornings every week, I was very operationally aware of what was going on in Helmand, for example.
First, this goes alongside the code of practice, which challenges the right hon. Gentleman’s point. It would need to be people who were briefed into the warrantry process. It needs to be somebody who understands what a warrant is, so it is not somebody who is merely observing it, such as a Secretary of State for Culture, Media and Sport.
On the point that my right hon. Friend the Member for South Holland and The Deepings made about experience, I understand the debate. There is a possibility—I know that he and I will do everything we can to prevent it—that there will be a change of Government soon. In that case, there will be an awful lot of people who have absolutely no experience at all of these matters. It would therefore be wise not to set up a provision that would immediately require amendment. Disappointed though we would be at that outcome, my right hon. Friend would agree that he would not want a law to be amended in its first year, if we could possibly avoid it.
To be clear, the Government view the four alternative approvers as being likely to be the Home Secretary, the Foreign Secretary, the Defence Secretary and the Northern Ireland Secretary. Only three would be able to act as the triple-locking Secretaries of State, because of course we would have already used up two of them to do the first two functions. That is why the numbers are required, and why I am incredibly grateful to the ISC for pointing it out and being very cautious on it.
If what the Minister has just said is the case, why do the Government push back on a suggestion that I think they actually made earlier on? The Minister is now pushing back on it. Although I understand the need for the code of practice, if there was a change in it—because there might be sometime—would that come back to Parliament to be approved? We are dancing on the head of a pin here. I do not know why, but that is quite common with the Home Office. The Minister says that it will be mainly four people, but I would love to know what he means by “necessary operational awareness”, which is clunky language.
Codes of practice will be brought forward through regulations in the usual way, as the right hon. Gentleman is aware, and the House will scrutinise them in the usual way. This is a very legalistic process, as I recognise from the inside as much as he does from the outside. It is true that if, for example, the Northern Ireland Secretary became the Education Secretary, they could then be included. The idea is to ensure that it is somebody who is appropriate to the task, which is why the measure is worded as it is. I always listen to right hon. and hon. Members across the House. I believe that the amendment is the best version that we have come to so far. I will continue to listen to the right hon. Gentleman, as always.
Given what the Minister said about a change in Government—I do not expect one, but I suppose it is a remote possibility—perhaps the words “operational responsibility or experience” would cover the point made and be slightly tighter than “awareness”. Also, there is the matter of notifying the PM. The Committee made the good suggestion that the PM should be notified as soon as practicable, which may be something with which the Minister agrees. If the Prime Minister were indisposed because of illness or whatever, they would be notified as soon as is practicable that a warrant had been issued.
On the second point, I am sure that, like me, my right hon. Friend finds it absolutely inconceivable that that PM would not be notified. I am not convinced that that must be in primary legislation. I find it genuinely inconceivable that the Prime Minister would not be notified at the earliest opportunity. Obviously, if they could be notified immediately, the provision would not be required.
But, Minister, let us be honest: a lot of things that we would have taken for granted were ignored in Downing Street over the last few years. Until Boris Johnson became Prime Minister, it had been a great part of our constitution that convention was followed. Surely it would therefore be better to have the point about notification in the Bill; otherwise, we are leaving it to the free will of convention. I would have trusted convention, but we have had Boris Johnson as Prime Minister.
I want to help the Minister, because I do not necessarily agree with the right hon. Member for North Durham; occasionally, he and I do disagree, despite the impression that we have created in this Committee. Notification could be covered in a piece of statutory guidance that supports the Bill. It could state that the Prime Minister should be notified as soon as reasonable practicable, exactly in the terms just described. How’s that?
As is so often the case, I absolutely agree with my right hon. Friend.
I will look at putting it in the guidance, as suggested by the right hon. Member.
I have said what I am going to say on the matter.
Amendment 3 agreed to.
I beg to move amendment 17, in clause 22, page 47, line 26, at end insert—
“(2G) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise the interception of certain elected representatives’ communications as soon as is reasonably practicable.
With this it will be convenient to discuss amendment 18, in clause 23, page 48, line 21, at end insert—
“(7F) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise a targeted equipment interference warrant relating to one of certain elected representatives as soon as is reasonably practicable.
I am conscious of the debate that has just taken place, so I anticipate what the Minister may say in response. Let us give him another go anyway.
Amendments 17 and 18 relate to the decision of a designated Secretary of State to authorise the interception of elected representatives’ communications and interference with equipment relating to elected representatives. As the Minister will know, two similar amendments were proposed by Lord West in Committee in the other place. The reason for tabling the amendments in Committee in the Commons is that the Opposition believe that the Prime Minister’s overall involvement in the warrants must be retained, even if, in designated cases, it could be retrospective. As I said, I am mindful of the debate that has just taken place.
In the other place, Lord Sharpe rejected Lord West’s amendment on the basis that the oversight arrangements for warrant decisions taken by a designated Secretary of State, which include review by the judicial commissioner, are sufficient scrutiny. I understand that argument, but I wonder why it should not be the case that a Prime Minister is at least notified about decisions to issue warrants that they have had to delegate due to their being unable to do so. Furthermore, would a Prime Minister not being notified of a decision unnecessarily diminish their operational awareness in making future decisions to issue warrants?
My amendment would require the Prime Minister to be informed of a decision taken by a designated Secretary of State on their behalf as soon as the circumstances that have prevented the Prime Minister from approving a warrant in the first place have passed. I hope the Minister and the Committee will understand the emphasis on the important nuance in the difference between review and notification. Mindful of the earlier debate, I hope that the Minister will consider accepting the amendments.
For want of repeating myself, I will probably leave that to stand.
We are speaking about elected representatives who are then appointed into Government and make decisions, and we have rightly had an important debate, to which the Minister has responded. If possible, it would be helpful if he could confirm who from the agencies would also be involved in the decision making. That would add some faith as to the robustness of the decision making that takes place when such actions are taken.
I am cautious about answering that question, for the simple reason that it depends on where and how the information was gathered, whether it was gathered deliberately or accidentally as part of an existing operation, and whether it was tangential. It is absolutely inconceivable that the chief of whichever agency it was would not be aware and therefore not part of that conversation.
I suspect that we may return to this matter on Report. On the basis of the remarks made by the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clause stand part.
Clause 23 stand part.
New clause 1—Requirement for the Prime Minister to appear before the Intelligence and Security Committee—
“After section 26 of the Investigatory Powers Act 2016, insert—
‘26A Requirement for the Prime Minister to appear before the Intelligence and Security Committee
(1) The Prime Minister must appear before the Intelligence and Security Committee of Parliament to provide oral evidence on the matter set out in subsection (2).
(2) The matter is decisions made by the Prime Minister or an individual designated under section 26 to—
(a) give approval to issue warrants to intercept and examine communications of Members of Parliament;
(b) interfere with equipment belonging to Members of Parliament;
(c) other relevant decisions relating to Members of Parliament in the interests of national security
(3) The duty in subsection (1) applies once every session of Parliament.
(4) Subsection (1) does not apply if the Intelligence and Security Committee does not require the Prime Minister to attend.’”
This new clause would require the Prime Minister to appear before the Intelligence and Security Committee to provide oral evidence on decisions made to approve warrants to intercept and examine communications of MPs or to interfere with equipment belonging to MPs, and other relevant decisions relating to MPs.
New clause 4—Interception notification for Members of Parliament etc.—
“After section 26 of the Investigatory Powers Act 2016 (Members of Parliament etc.) insert—
‘26A Interception notification for Members of Parliament etc.
(1) Upon completion of conduct authorised by a warrant under section 26, or the cancellation of a warrant issued under that section, a Judicial Commissioner must notify the subject of the warrant, in writing, of—
(a) the conduct that has taken place, and
(b) the provisions under which the conduct has taken place.
(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.
(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the subject of the warrant.
(4) A Judicial Commissioner must consult the person who applied for the warrant in order to fulfil an assessment under subsection (3).’”
This new clause would require members of a relevant legislation who are targets of interception to be notified after the fact, as long as it does not compromise any ongoing investigation.
Clauses 22 and 23 will increase the resilience and flexibility of the warrant system. They will ensure the effective processing of warrants that authorise the interception of, or the use of equipment interference to obtain, the communications of a Member of a relevant legislature when the Prime Minister cannot fulfil their duties due to medical incapacitation or a lack of access to secure communications. The changes will enable the authorisation process to function in an agile manner, thereby enabling the important work of the intelligence agencies to continue while maintaining a high bar for the authorisation of some of the most sensitive warrants.
I rise to speak to new clause 1, which relates to oversight by the Intelligence and Security Committee of warrants to intersect and examine the communications of Members or the interference with equipment relating to Members. The context of the new clause will be clear to those who followed the debates in the other place about the role of the ISC. To be absolutely clear, I am not seeking to debate the Wilson doctrine—I know that Members will be relieved to hear that.
The purpose of the new clause is to probe and seek further safeguards for the ISC to provide essential oversight of this extremely sensitive matter, codified by the 2016 Act as part of a wider context of decisions made by the Prime Minister in the interests of national security. Members of this Bill Committee who also serve on the ISC will know that successive Prime Ministers have, unfortunately, not appeared in front of that Committee since, I believe, 2014. As a result, there has been no opportunity for direct accountability over prime ministerial decision making on warrants to intercept and examine Members’ communications, or on interference with equipment relating to Members.
I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.
New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.
Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.
In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would needed to allow such a measure to be implemented.
The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians thorough the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.
This proposal is not without some difficultly, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.
On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.
For now!
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Clause 23
Equipment interference: Members of Parliament etc
Amendment made: 4, in clause 23, page 48, line 15, leave out from “and” to end of line 17 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (3) or (6).”—(Tom Tugendhat.)
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 111 of that Act.
Clause 23, as amended, ordered to stand part of the Bill.
Clause 24
Issue of equipment interference warrants
Question proposed, That the clause stand part of the Bill.
The Bill makes minor changes to the equipment interference regime, specifically in relation to the warrantry processes associated with its authorisation. The purposes behind those changes are to correct minor drafting errors in the IPA to provide greater clarity, and to improve the efficiency of the warrantry process for equipment interference.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clauses 25 and 26 ordered to stand part of the Bill.
Clause 27
Bulk equipment interference: safeguards for confidential journalistic material etc
I beg to move amendment 19, in clause 27, page 50, line 9, at end insert—
“(2A) Where a senior official acts on behalf of the Secretary of State under subsection (2), they must inform the Investigatory Powers Commissioner of the selection for examination of BEI material as soon as reasonably practicable.”
This amendment would require a senior official acting on behalf of the Secretary of State who has selected BEI material for examination when there has been an urgent need to do so to inform the Investigatory Powers Commissioner as soon as reasonably practicable.
Amendment 19 would require a senior official acting on behalf of the Secretary of State who has selected bulk equipment interference material for examination, when there has been an urgent need to do so, to inform the Investigatory Powers Commissioner as soon as is reasonably practical. It would ensure that every reasonable oversight arrangement was in place concerning the Bill’s investigatory powers provisions.
The amendment does not suggest that the Investigatory Powers Commissioner retrospectively reviews the approval, but instead proposes that they be informed to ensure that there are the most comprehensive and effective oversight arrangements on investigatory powers. We intend not to burden the police and the security services with additional duties, but to ensure that there is the maximum possible oversight with the minimum possible additional work. I hope that the Minister will at least agree with the intentions of the amendment and consider its merits in further strengthening the Bill’s oversight arrangements.
I welcome the amendment, and not only do I agree with it, but I feel that we have already done it. My understanding is that the provision duplicates what already occurs in practice under the current regime, as well as the changes made by clause 27. Currently, the Investigatory Powers Commissioner is already effectively notified when a senior official acting on behalf of the Secretary of State, in urgent circumstances, approves the selection for examination of journalistic material derived from bulk equipment interference. Clause 27 already inserts into the IPA new section 195A(2), which will ensure that the Investigatory Powers Commissioner is notified as soon as is reasonably practical by the Secretary of State when a senior official approves the use of criteria to select for examination journalistic material in reliance on an urgent approval. Effectively, the senior official is informing on behalf of the Secretary of State, or indeed the Secretary of State is informing on behalf of the senior official. We all very much hope it is the former of the two.
Clause 27 enhances the safeguards already afforded to journalistic material within the IPA, and the Government recognise the importance of journalistic freedom within free and democratic societies, which is why we are introducing this measure. Under the current regime, the Investigatory Powers Commissioner must be informed when a communication that contains confidential journalistic material or sources of journalistic material is retained following its examination for purposes other than its destruction. The clause introduces a requirement for prior independent approval by the IPC before any search criteria are used to select such material. Prior independent approval is also required before it is removed.
I am grateful to the Minister for that clarification. On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 27 ordered to stand part of the Bill.
Clause 28
Exclusion of matters from legal proceedings etc: exceptions
Question proposed, That the clause stand part of the Bill.
Clause 28 will amend schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland or Scotland into a person’s death. The clause will create parity with existing provisions for coroners in England and Wales. It also adds an exception to enable panel members of the Parole Board in England and Wales to access intercepted materials when considering parole applications and any subsequent appeals. It will also enable relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland to access intercepted material in connection with their inquiry or inquest.
Question put and agreed to.
Clause 28 accordingly ordered to stand part of the Bill.
Clause 29
Freedom of information: bodies dealing with security matters
Question proposed, That the clause stand part of the Bill.
Under the Freedom of Information Act 2000, the Investigatory Powers Commissioner’s Office is not, and never has been, a public authority within the scope of the Act. The lack of control over the onward disclosure of information related to the functions of the judicial commissioners raises security concerns and has the potential to compromise the IPC’s inspections, which are often, by their very nature, intrinsically sensitive. The clause would prevent sensitive intelligence being further disclosed under the FOIA once such information is supplied by IPCO to a public body.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clause 30
Power to make consequential provision
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clauses 31 and 32 stand part.
Government amendment 5.
Clause 33 stand part.
Clauses 30 to 33 are typical clauses that are included in the vast majority of legislation. Clause 30 allows the Secretary of State, by regulations made by statutory instrument, to make provision that is consequential on this Act. Clause 31 details the extent of the Bill. The Bill extends and applies to the whole of the United Kingdom, with the exception of measures contained in clause 28, in which subsection (2) applies to England and Wales only and subsection (3) applies to Northern Ireland and Scotland only.
As national security is a reserved matter, a legislative consent motion is required from Scotland only in relation to a small number of clauses in part 2—the oversight aspect—of the Bill. I am pleased that the Scottish Government have recommended that legislative consent be given.
Clause 32 details when the Bill commences. Part 6 comes into force on the day on which the Bill is passed; the other provisions come into force on such day as is appointed by regulations made by the Secretary of State.
Question put and agreed to.
Clause 30 accordingly ordered to stand part of the Bill.
Clauses 31 and 32 ordered to stand part of the Bill.
Clause 33
Short title
Amendment made: 5, in clause 33, page 56, line 1, leave out subsection (2).—(Tom Tugendhat.)
This amendment removes the privilege amendment inserted by the Lords.
Clause 33, as amended, ordered to stand part of the Bill.
New Clause 2
Report on the Prime Minister’s engagement with the Intelligence and Security Committee
“After section 240 of the Investigatory Powers Act 2016 insert—
“240A Report on the Prime Minister’s engagement with the Intelligence and Security Committee
(1) The Secretary of State must publish a report about the Prime Minister’s engagement with the Intelligence and Security Committee in relation to the investigatory powers regime and lay the report before Parliament.
(2) The report must be published within six months of the passage of the Investigatory Powers (Amendment) Act 2024, and annually thereafter.””—(Dan Jarvis.)
This new clause would ensure the Secretary of State publishes a report on the engagement, including any meeting held, between the Prime Minister and the Intelligence and Security Committee in relation to the investigatory powers regime.
Brought up.
I recognise that we have already had an extensive debate on this matter. I do not intend to detain the Committee any longer, and there is therefore nothing further I wish to say about new clause 2, so I do not wish to move it.
New Clause 3
Impact of Act on EU data adequacy decisions
“Within six months of the passage of this Act, the Secretary of State must publish a report assessing the potential impact of this Act on EU data adequacy decisions relating to the United Kingdom.”—(Dan Jarvis.)
This new clause would require the Secretary of State to publish a report on potential impact of the provisions within this Bill on the requirements necessary to maintain a data adequacy decision by the EU.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 3 relates to the impact of the Act on EU data adequacy decisions. When a similar measure to this new clause was proposed by my noble Friend Lord Coaker during the Bill’s passage through the other place, the response from the Minister, Lord Sharpe, confirmed the UK Government’s regular contact with the European Commission about the Bill to ensure that any changes are understood. We welcome that but, as I hope the Minister will understand, such engagement is a continuous process, not a single event or even a series of events. As part of this continuous process, we believe that the Secretary of State should publish a report assessing the potential impact of the Act on EU adequacy decisions.
As Lord Coaker said in the other place:
“The adequacy agreement is dependent on the overall landscape of UK data protections”.—[Official Report, House of Lords, 23 January 2024; Vol. 835, c. 688.]
That is even though the UK protections require some further work. However, given the time pressures, Mrs Cummins, that is all I will say about new clause 3.
First, I welcome the interactions we have had on this point, as well as the work of Lord Coaker and Lord Sharpe to ensure that this is widely understood. The work that has been done is important. We face the challenge that although we obviously commit to fulfilling our side of the TCA and the various agreements we have struck, this is really a matter for the European Commission to determine, so it is not one that we can pass into UK law. It is really a matter for them.
I have nothing further to add. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
On a point of order, Mrs Cummins. I would like to express my extreme personal thanks to Tom Ball and the Bill team, Phoebe, the Lucys, and the many others who have contributed brilliantly to ensure that this Bill has proceeded with speed and professionalism. I thank not only the members of the Committee, but all Members of many parties, and particularly the ISC, which has contributed so much to this Bill, despite what the right hon. Member for North Durham claims. May I say a particular thanks to my very good friend and shadow, the hon. Member for Barnsley Central? It is an enormous pleasure to think that we have gone from fighting the Queen’s enemies to passing the King’s laws together.
Further to that point of order, Mrs Cummins. I join the Minister in warmly extending my thanks on behalf of Labour to all members of the Public Bill Committee and all the officials, both in the Department and in the House, who have done a sterling job in getting us to this point. I am grateful to the Minister for his collegiate approach, which I very much hope we will be able to maintain during the further passage of the Bill. Thank you, Mrs Cummins.
Further to that point of order, Mrs Cummins. May I say a particular thanks to you for chairing this Committee today in such a fantastic and eloquent way?
Further to that point of order, Mrs Cummins. Since we are having further points of order, I want to say to the Minister, and the shadow Minister, how grateful I think most of the Committee are for the way this Bill has been conducted. This is a really good example of how a measure can be considered in Committee in a way that is not nakedly partisan or, worse, spiteful. I simply say to the Minister that I do regard the original Act as my child, and I see him as its foster parent, so he had better do a good job.
Bill, as amended, to be reported to the House.