Public Bill Committees
Copies of written evidence received by the Committee will be made available in the Committee Room, and will be circulated to Members by email.
We now begin line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room; this shows how the selected amendments have been grouped together for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when they come to the clause to which the amendment relates. Decisions on new clauses will be taken once we have completed consideration of the existing clauses of that Bill. Members wishing to press a grouped amendment or new clause to a Division should indicate when speaking to it that they wish to do so.
Clause 1
Requirement for authorisation
Question proposed, That the clause stand part of the Bill.
It is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.
Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.
The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.
It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Low or no reasonable expectation of privacy
I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”
This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue—that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.
That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.
The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?
That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly different ways at each moment of influence and each moment of power, but everything is covered.
I am interested in the Minister’s example of the Panama papers. As he rightly says, when those papers were originally held by a bank or a financial institution, there would be an expectation of privacy. However, he is alluding to where they are sourced from. Those papers have been freely circulating on the open internet and anyone can download them, and it is at that point that the low or no expectation would come in. Rather than the nature of the document itself, it is the fact that it is easily available online that matters.
My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.
It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.
In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.
The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation—a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.
I have nothing further to add, other than to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 2 ordered to stand part of the Bill.
Clause 3
Duration of bulk personal dataset warrants
Question proposed, That the clause stand part of the Bill.
We are making sufficient progress, which perhaps permits me to say a word about why, as we have now dealt with those publicly contentious matters around bulk powers, we can move to the next part of the Bill with greater confidence. The Minister has been crystal clear that he—like me, the right hon. Member for North Durham and other members of this Committee—understands fully the important role of oversight and checks and balances. Those checks and balances are multidimensional because of the role of both those elected to this House and the judiciary. I know he will want to expand on that a little as we come to the next part of the Bill.
I thank my right hon. Friend. Clause 3 amends the duration of bulk personal dataset warrants under section 213 of the IPA from six to 12 months. BPDs tend to be used to support long-term strategic intelligence activities, and a longer warrant duration will enable the value of the BPD to be better demonstrated, which will provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality when an application for renewal is made. The existing part 7 safeguards will remain in place, including the double lock by the judicial commissioner.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Third party bulk personal datasets
I beg to move amendment 16, in clause 5, page 14, line 34, at end insert—
“(4) A third party BPD warrant may not authorise the examination of a dataset consisting of the contents of the marked electoral register.”
This amendment would prevent a third-party bulk personal dataset consisting of the electoral register, which sets out whether people have voted, from being examined by the intelligence services.
I thank hon. Members for their points. The examination of third-party bulk personal datasets by the intelligence services is vital to their role of protecting the national security and economic wellbeing of the United Kingdom and preventing and detecting serious crime.
Clause 5 places an explicit statutory regime around the intelligence services’ examination, in situ, of bulk datasets held by third parties. The regime would apply only to the intelligence services, in line with the wider part 7 BPD powers in the IPA. The clause puts in place robust oversight and safeguards. For example, third-party dataset warrants are to be subject to a double lock, and the decision to authorise the warrant will need to be approved by both the Secretary of State and an independent judicial commissioner. The Investigatory Powers Commissioner and his office will oversee the regime to ensure the intelligence services’ examination of third-party datasets is both necessary and proportionate. That relates to the point made by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East about proportionality and need.
To answer the point made by the hon. Member for Barnsley Central, we do not consider it appropriate to exclude specific types of dataset from those for which a third-party dataset warrant can be sought. The reason is, as he knows, that we can begin to go down very tricky routes on this area, as the intelligence services have a requirement to keep safe not just our democracy but our wider nation. Therefore, limiting those different arguments can be problematic. What we are aiming to do is ensure the proportionality requirement is the test applied by both judicial commissioners and the Investigatory Powers Commissioner.
The Secretary of State may issue a warrant authorising the examination of a third-party dataset only where it is necessary and proportionate—that is going to be quite a high bar in some of the areas asked about—for the intelligence service to examine the dataset to which the warrant relates. That decision will be double-locked by an independent judicial commissioner who, among other things, is required expressly to review the Secretary of State’s conclusions in respect of necessity and proportionality when deciding whether to approve the decision to issue a warrant. That is already in the Bill. Each decision will be made on a case-by-case basis and will be subject to prior judicial approval.
I am grateful for the Minister’s response. I have to say, I am struggling to think of a scenario in which it might be necessary and proportionate to examine the marked electoral register. This is something we will reflect on.
That is a helpful and useful suggestion. I am happy to proceed on that basis, if the Minister is.
On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Minor and consequential amendments
Question proposed, That the clause stand part of the Bill.
Clause 6 makes minor amendments to the 2016 Act to reflect the introduction of parts 7A and 7B, including making it clear that the Investigatory Powers Commissioner is responsible for oversight of the part 7B regime.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned.—(Scott Mann.)