(9 months, 2 weeks ago)
Public Bill CommitteesThe Investigatory Powers Act 2016 contains world-leading oversight arrangements, which have strengthened the safeguards that apply to the use of investigatory powers. The clauses will enhance this oversight regime, including the role of the Investigatory Powers Commissioner, to ensure it is resilient and that the IPC can continue to effectively carry out their functions. This includes creating a statutory basis for appointing deputy IPCs to whom certain functions can be delegated and, in exceptional circumstances, the appointment of temporary judicial commissioners. The clauses also place certain existing oversight functions on a statutory footing and provide clarity to public authorities in their error reporting obligations. These are important and targeted amendments to ensure the oversight regime remains robust and the IPC can continue to carry out their role effectively.
Question put and agreed to.
Clause 7 accordingly ordered to stand part of the Bill.
Clauses 8 to 10 ordered to stand part of the Bill.
Clause 11
Personal data breaches
I beg to move amendment 1, in clause 11, page 31, line 36, leave out “a court or tribunal” and insert “the Investigatory Powers Tribunal”.
This amendment is consequential on amendment 2.
With this it will be convenient to discuss the following:
Government amendment 2.
Clause stand part.
Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.
Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.
Amendment 1 agreed to.
Amendment made: 2, in clause 11, page 32, line 19, at end insert—
‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
(a) in subsection (2), after paragraph (b) insert—
“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”
(b) after subsection (4) insert—
“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”
(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
(b) in subsection (5)—
(i) the words from “section” to the end become paragraph (a), and
(ii) after that paragraph insert “, or
(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”
(c) in subsection (6), for “reference” substitute “complaint or reference has been”.
(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
“(8) In this section “relevant Commissioner” means—
(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
(b) the Investigatory Powers Commissioner for Northern Ireland, or
(c) the Information Commissioner.”’—(Tom Tugendhat.)
This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).
Clause 11, as amended, ordered to stand part of the Bill.
Clause 12
Offence of unlawfully obtaining communications data
I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.
This amendment would remove one of the examples cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.
It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:
“where the communications data had been published before the relevant person obtained it”.
We are concerned that that is not a correct expression of the law as it stands.
The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.
We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.
I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.
While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.
I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.
The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.
Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.
Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.
Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.
I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.
I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.
As always, my right hon. Friend asks a pertinent question. I hope he will forgive me for saying that I very much hope that the letter I asked to be sent arrived in his inbox this morning. He may not have seen it, which I completely understand, as there are many pressing issues on his time. I have also attached it into the packet for the Bill and indeed copied it to the ISC secretariat, which has done such an important job in ensuring that we are all as one on this. I hope very much that that will answer my right hon. Friend’s questions. If it does not, he knows where I am—I would be delighted to clarify it further. As my right hon. Friend has very kindly asked, I shall give that list now, for the record: HM Revenue and Customs, the Financial Conduct Authority, the Department for Work and Pensions, the Treasury, the National Crime Agency, the Department for Business and Trade, and the Competition and Markets Authority.
My right hon. Friend reminds me of that famous scene in “Yes, Prime Minister”—thank God defence is held at central authority, or we would not have to worry about the Russians; we would have a civil war in two weeks. His point about local authorities having intelligence powers is valid. They do not have the same intelligence powers as MI5—let us be absolutely clear about that. That is not what we are offering.
It does the Minister great credit that he has made that list available during the course of our consideration. That is very important. What I had feared might happen was that we might not get it while we were in Committee. In fact, I have not actually seen it, but I am grateful to him for making it available, at least, during our consideration.
This is an area that concerns me. I am quite certain the security services have protocols on how to deal with such things, but it worries me that the DWP is on that list. Having been involved in work on the Horizon Post Office scandal for many years, I know the DWP did not cover itself in glory on some of those cases. Can the Minister reassure the Committee that there are protocols governing when and how it will use those powers? That, I think, would give the public some assurance that there is a standard for how they will be used.
The right hon. Gentleman tempts me towards an area that the Bill does not cover, so I hope he will forgive me for focusing on what it does cover, such as the safeguards. Clause 14 will limit communications data acquisition to the purpose of a body required to meet its civil functions and duties, such as a regulatory body providing oversight of financial markets, or indeed the DWP overseeing different elements of its responsibilities. Where disclosure is in support of a criminal prosecution and IPA part 3 authorisations for communications data must continue to be sought, using the existing safeguards and oversight provided for by the Investigatory Powers Commissioner’s office, the courts will oversee the use of those powers by public authorities in the same way as the acquisition of non-communications data under the existing powers. He has asked me specifically about a connected area, so—I hope he will forgive me—I will have a look at it and write to him very specifically about that.
May I suggest that the Minister does write to the Committee? I accept the safeguards in place, but for organisations other than the security services, I want to know what internal mechanisms they have to ensure that use of those powers is proportionate in terms of investigations and so on, and what training and protocols they are using. If the Minister could write to us on that, that would be helpful.
Forgive me, but the right hon. Gentleman is asking for a very large piece of work there. I am setting out the legal authority under which those organisations can act. Their internal processes may be different in different circumstances and be answerable to different Ministers.
I am sorry, but I do not agree with the Minister. He is giving those other public bodies additional powers, and I think it is quite reasonable for this Committee and the public to be assured of how those powers are actually going to be used. As I say, I have no problem with the security services, because I am well aware that they have very clear, strong protocols and safeguards governing the use of their powers internally, with authorisations and so on. I think he just needs to ask those other Departments how they are going to do this, and what the internal mechanisms are.
I am very happy to ask them; I am just stating clearly that they are not under the responsibility that I have as a Minister. The legal powers that they are given are not additional powers; they are repetitions of the IPA 2016, so they are not additional powers—[Interruption.] Forgive me, but they are not additional powers. Their existing codes of practice under the different organisations have their own responsibilities within them.
I beg to differ. In the next clause, we will come on to the breadth and depth of the new powers, but that is a different argument—I will save that until then. However, he is the Minister and, in my experience, the Minister leads the Bill. I would have thought it would be quite simple to ask those other Departments what those protocols are. If he does not ask, he does not get.
I will happily ask. The right hon. Gentleman is asking for internal management structures, though.
I am grateful to the Minister for offering me a second bite of the cherry. Perhaps I can offer a Hegelian synthesis between him and the right hon. Member for North Durham. We talked earlier about operational purposes, but we have to be careful about that: in the case of the agents of the police, one cannot publish purposes in fine detail, because that would be unhelpful. However, in broad terms, perhaps the way forward on this is to illustrate the kind of purposes that the bodies the Minister described might employ, within the legal constraints that he just set out. Perhaps that is the way forward; it would certainly satisfy me, and I cannot think that would not help to satisfy the right hon. Member for North Durham, who is a reasonable man—not my right hon. Friend, but a right hon. Gentleman and a personal friend, which is better than being a right hon. Friend.
As always, I welcome my right hon. Friend’s contribution. That is covered in many areas in the letter I wrote to him.
In an earlier response to comments by the right hon. Member for South Holland and The Deepings, the Minister helpfully mentioned the letter that I think has been sent to the right hon. Member and possibly other members of the Committee. Can the Minister confirm that that letter will also be sent to the Opposition?
To be absolutely clear, the letter was in response to my right hon. Friend the Member for South Holland and The Deepings, so it was sent to him, it was copied to the secretariat of the ISC and it is in the Bill pack. The hon. Member for Barnsley Central therefore has access to it.
May I ask the Minister to look at his internal process again? We also had this problem with the National Security Bill. I do not know whether he should change the pigeon post he is using to ensure people have it. May I also point out that the ISC is not constantly in session? Therefore, if he has to send it to the ISC, we do not automatically get it until our next meeting or when we do the next reading.
I am delighted to clarify that the letter was emailed to my right hon. Friend the Member for South Holland and The Deepings. He is a traditionalist in many ways, but I believe he has entered the electronic age.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 12 ordered to stand part of the Bill.
Clauses 13 and 14 ordered to stand part of the Bill.
Schedule agreed to.
Clause 15
Internet connection records
Question proposed, That the clause stand part of the Bill.
The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.
The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.
Exactly. That point was made when we debated the original Act, and I think that I committed at the time to those kinds of things being detailed in the annual report. To clarify a point that was made earlier, David Anderson was clear at the time, and has been since, that we cannot detail the operational purposes of the agencies if doing so would compromise them. The techniques and approaches that they necessarily use in the performance of their duties could be compromised if we were to talk in detailed terms about the character of their operational activities. However, we can speak in broader terms about the kinds of circumstances in which powers might be used—and all the more so for the other public bodies, in a sense, because even if a serious criminal investigation is taking place, those investigations are not typically as secret as they might necessarily be in respect of the security and intelligence community.
Perhaps those two grounds—greater sight of the processes in those bodies and clarity about the circumstances in which the powers can be used; in other words, exceptionally and for very serious matters—would be helpful ways of dealing with some of the points raised by my colleague on the ISC, the right hon. Member for North Durham.
As usual, right hon. and hon. Members have raised some excellent points. Let me be clear: it is not true to say that there is no judicial oversight. To say that there is no judicial oversight would be correct if the IPC were not in place. I know what the right hon. Member for North Durham is going to say, but that is a form of judicial oversight.
As to the way in which the authorisations work, I hope that I have been clear—I will repeat it to ensure that I am—that an investigating officer would have to make an application to use the powers. That would have to go to a senior officer in their service who is not in their chain of command: someone who is not overseeing the operation or in their management chain—a separate element. Any abuse of that system could mean that that individual, or those individuals, are in violation of section 11. I know that the right hon. Member for North Durham takes his responsibilities on the ISC exceptionally seriously and is fully aware that sometimes there can be a pressing need for operational action at pace. That is what this is also designed to help. It is important that officers have the ability to act under a regulatory framework that means that abuses are, at worst, extremely limited due to various constraints.
I accept that and I have confidence in the internal protocols—do not get me wrong on that—but the Minister does not have to convince me or members of this Committee; it is about the public perception. What is the problem? If we are not going to have judicial oversight in terms of judicial authorisation, what is to stop us having another system whereby, when it is used, the IPC is informed? We could send a simple email so that it would at least have ongoing oversight when these powers are being used.
The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.
The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.
I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?
“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.
That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.
It is not about a fishing expedition, but they will get into a fishing expedition anyway. He says that train lines would not be affected, but they would. If someone wants to see an individual’s travel pattern, that is what they may do. Therefore, a lot of people’s data will be dragged in, not because it has been looked for but because it will come in anyway.
The problem is that if the argument is about speed—which I do not necessarily think is the case in some cases—the Minister has to do two things to reassure people that the powers are going to be used in the right way. First, he must provide pre-authorisation judicial oversight, and secondly, the IPC should be told, perhaps via a simple email, when the powers are used. That would at least allow it to look at the trends and uncover any concerns. I accept the protocols in place and am 100% sure that they are being followed, but it is possible that some people will not follow them and that is what we have to guard against.
This is a somewhat odd argument, because the right hon. Gentleman and I are slightly together but also arguing at cross purposes. Both of us have a very high regard for the intelligence services and are confident in their integrity, but we are slightly at cross purposes because he believes that we are not satisfying the oversight element, but I believe we are.
Let me be clear. I am not being a stick in the mud about this for any political reason. I actually happen to believe that this is the right way to approach this. There is a constant balance in all forms of oversight between the ability to act quickly and the ability to be controlled from outside. I believe that this sets in place a very significant, burdensome requirement on those who are taking these responsibilities to act according to certain principles. To repeat, the principles are necessity and proportionality. I do not think anybody in here would argue against those. What this requires them to do is make sure that the principles are met by effectively targeting in advance.
The right hon. Gentleman’s comment about train line use would, I am afraid, not satisfy that proportional need. The individual would have to be specifically identified in advance. The pattern of use of the website from the single point and to the point of contact—from a phone to an internet server or whatever it might happen to be—would have to be clarified. These ICRs are Venn diagram circles that are getting narrower and narrower. The idea that this would end up with some sort of week-long or month-long trawl of a train line website is, I am afraid, not permissible under the 2016 Act. Were any intelligence officers to do it—though I do not believe that they would—they would fall foul of section 11 and would not be acting necessarily and proportionately. Therefore, it would not be permissible.
It is pretty clear that existing conditions B and C already enable public authorities to make an application for a known individual’s internet connections. New condition D only enables a request for details to identify individuals who have used one or more specified internet services in a specified time.
I think that is the point. I do not think anyone is arguing against the fact that there will sometimes be exceptional circumstances that require haste. Everybody accepts that, but the issue with condition D is that it is explicit in removing the targeted nature of the other conditions. It is where they do not know the time or person and do not have the data available that they are using condition D. There is nothing in the Bill to make clear that it can only be used in exceptional circumstances. How can we square that circle? I do not think that anyone would disagree with the fact that there needs to be an ability to move at pace at times, but there is nothing here that says that power could only be used in those sorts of circumstances. Condition D creates a situation where we are going to hoover up data on a huge number of people, but there is nothing to say how long we are going to hold on to that data for, or what would be done with it.
To answer the last part of the question first, the holding on to data and what is to be done with it is the same as under the IPA generally. Information can be held or not held according to those provisions. This Bill does not change any of that, which is why that is not covered here, and I know the hon. Gentleman would not expect it to be.
It is worth pointing out that condition D is not only no more intrusive than conditions A, B or C, in terms of data—
Let me just finish the point; I know the hon. Member will come back to me.
Condition D is no more intrusive, and it does require the serious crime threshold, which does add an extra layer before it can be used. I hear the hon. Member’s point; the condition still requires proportionality and necessity, so it could not be simply anybody who is using Facebook, because clearly that is not proportionate. It still requires that targeting; it still requires those Venn diagrams, if he likes, to close over a target; and, even then, it requires the serious crime threshold.
The key thing to understand here is that the agencies have always had the ability to intercept communications data. Communications data is one’s letters. Communications data is one’s phone calls. We speak about communications data now, mindful of the way that people communicate now, and we think of the internet and telephones, but the process of intercepting communications has been a core part of the work of the agencies since the agencies began, so we need to put this in context.
The difference here is the nature of how people communicate. It is right to say that—I rise to be helpful to the Minister—the character of encryption, in particular, is making it harder, even in the kind of serious cases that have been described, for those who are missioned to keep us safe to do so by accessing the information they need. So it is right that the law needs to be updated. The critical thing for me, therefore, is this matter of the threshold, which was debated when we debated the original Act.
As far as I understand, this Bill does not change the threshold; it reinforces the threshold. If that is the case and, as has been said, exceptionality is a measure of significance and not complexity—some cases will be complicated, but it is about significance—then the only outstanding difference, as the Minister has said, is oversight. I think the reporting in the annual report matters—the right hon. Member for North Durham made that point—and that would be a small concession to make, if I can describe it as such. I take the point about alacrity, too. What we cannot do is slow down the process by making it bureaucratic.
I think there is an easy way out of this. Being very clear about thresholds, as the Minister very helpfully has been today, is perhaps the way out of it. To clarify that in writing might be helpful.
I do not think anyone could describe the right hon. Member for South Holland and The Deepings or myself as woolly liberals, but I do have a concern with this. Where we are giving an extra power—which is what this is, although the Minister disagrees about the breadth—I want to ensure somehow that, in a democracy, we have oversight of it. I do not want to make it difficult for the agencies to implement their powers, but there are simple ways of doing so. That could mean telling the IPC when it occurs.
I have faith in the internal mechanisms that the Minister refers to, but I was also on the Intelligence and Security Committee in 2017, when we did our rendition and detention inquiry. All the safeguards were in there then, and they were ignored. That led to some fundamental changes, including the Fulford principles. There are occasions when the best things in legislation are not followed through, and that can lead to some very serious consequences.
I take the right hon. Gentleman’s point and the spirit in which it was made. I reiterate that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office, as he knows, unless they are urgent or for the purposes of national security. That is where this is being focused. Condition D, which we have spoken about, will be restricted to only the intelligence services and the National Crime Agency when it is pursuing a national security element within its remit—that is a separate area, as he knows. Those organisations have the necessary expertise to raise compliant and proportionate restrictions.
Again and again, the principle in the Bill is that the least intrusive power must be used. The oversight starts internally, but very rapidly goes externally, whether it is to IPCO or a judicial commissioner. The ability to review is always there, and the penalties under section 11 of the 2016 Act, which we all hope will never be needed or used, are pretty onerous on anybody who abuses their power or in any way exploits their ability in order to conduct themselves in a way that we would all agree is unsatisfactory in a democracy. It is really important to say that.
Going back to the question raised by the hon. Member for Midlothian, the reality is that condition D applications will limit collateral intrusion as much as is reasonably practical. The returned data may only provide an indication of involvement in an investigation, and further analysis will likely be necessary to allow fuller determination. That is the nature of handling intelligence data and then conducting an analysis on the back of it. In all cases, that activity will have to be justified, and will be no more than is necessary to achieve the desired outcome.
To be absolutely clear, that has to be targeted. This is a series of circles in a Venn diagram to target as narrowly as possible. Were others to be captured in that narrowest possible target, that data could not be held, or a separate application would have to be made in order to hold it. For example, one can imagine a circumstance in which an intelligence agency is targeting a paedophile on a particular street. Using different forms of communication technique, it narrows it down from a handset to an operator, a particular website, a particular time, and so on, so the Venn diagram narrows—it is very focused. If it turns out that there is another paedophile operating in exactly the same area at that time, that would require a separate application, because it is a separate target. The data could not just be held. Nor would it be ignored—I am sure the hon. Gentleman would not suggest it should be. But the judicial oversight needs to be gone through and the application needs to be made. It is a separate warrant, and so on.
In the example the Minister gives, at the same time the agency targets that individual, it will have a lot of other people who communicated with that individual. How long will that information be kept? That is the concern people have. It is not the depth, but this is broad. Most of those people would be completely innocent of anything. There is then the issue of how long that information is kept and who makes the decision about how long to keep it.
Forgive me, but I disagree with the right hon. Member on this. It is unlikely that there would be a large number of people at a specific geographic location, using a specific cell site, from a specific handset, viewing a specific website at a specific time. Once it is narrowed down like that, the numbers are very small. That does not mean that any intrusion that is not legally authorised is acceptable—that is absolutely not what I am saying. But we are getting down to very small numbers of people, and quite deliberately so, in order to achieve an intelligence outcome.
As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.
In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.
Let me go back to the Trainline example. Suppose it is not child exploitation—the Minister is possibly right that it is specific, and hopefully there are not many people in one street—and someone is trying to look for a person’s travel plans, so they want to know how many people in an area have contacted Trainline. It will be more than one person, so there will be a lot of other people they are not looking for in there. That is the problem, and that is all that the ISC, the hon. Members for Midlothian and for Glasgow South and the Labour Front Benchers are saying.
Earlier the Minister used the words “control from outside”. I am sorry if he sees oversight as control, but I certainly do not. It is about giving confidence to the public that there is independent oversight over these powers, whether that is informing the IPCO when they are used or having pre-authorisation, as was suggested earlier. I do not see the problem with keeping people informed. The Minister is hiding behind IPCO, but it was introduced in the first place to give the public confidence.
I suspect we are not going to come to an agreement on this, so I will probably leave it after this point. The IPCO oversight means that IPCO can look at a request at any point. The maximum period it can go without looking at it is 12 months, but it can look at any point. We have said that requests for communications data must be approved by the Investigatory Powers Commissioner’s Office
“except where they are urgent or are for the purpose of national security”.
That interaction, which the right hon. Gentleman rightly supports, is already there, so I do not accept it is lacking.
On the question of proportionality, the amount of information that one may need to investigate a paedophile network, for example, may mean being slightly vaguer about the specific time, whereas following a known individual may require different forms of flexibility and proportionality. I am afraid I am going to be very cautious about setting out what each one means, because these principles will have to adapt and be applied as appropriate.
We are going to have to close this down and move on because we have other things to do. Perhaps the way through is, as was suggested a few moments ago, that this be reviewed over time. If in the annual report we have a really thorough examination of how the measure has been applied and in what circumstances—in broad terms, of course, because we do not need the details of the crimes—that would give us the assurance we need. Our Committee has made that point emphatically. That would be a terribly good way out of this and it would not be a huge step. If the Minister agrees to that, I would certainly be satisfied.
It is not for me to tell the ISC what it should look into, but I would be surprised if it did not want to look into this in great depth.
I think the Minister might have misunderstood. Forgive me; I did not mean that. I meant that this could be reviewed in the IPCO annual report. That would obviously be considered by the ISC in the way he describes. I think we need a summary of how this will work in practice and a commitment that we do that now. He sort of talked about a retrospective review. Rather than debate this further now, that would be a very good way forward.
I am entirely supportive of the idea that IPCO should update the ISC and the Secretary of State about how it is working and provide information so that a proper view can be taken. I think that is entirely appropriate.
Well, that would be fine if the Government did not redact things in IPCO reports and try to stop us getting access to—[Interruption.] I am sorry, but the Government are doing that. They have done it over the past few years. That is the problem. The Government are paying lip service to the ISC. We are not trying to thwart the work of our security services; we are an important part of the democratic oversight of them. That is why we were set up under the Justice and Security Act 2013. I am sorry to say that the Government are trying to drive a coach and horses through it, including by preventing information from IPCO from being given to us.
I think we have covered the area, and I have said all I am going to about the matter.
Question put and agreed to.
Clause 15 accordingly ordered to stand part of the Bill.
Clause 16
Powers to require retention of certain data
Question proposed, That the clause stand part of the Bill.
Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.
Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.
Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.
Clause 17 amends section 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.
I have some comments to make about extraterritoriality, but I will do so in the next debate.
Question put and agreed to.
Clause 16 accordingly ordered to stand part of the Bill.
Clause 17 ordered to stand part of the Bill.
Clause 18
Review of notices by the Secretary of State
Question proposed, That the clause stand part of the Bill.
The notice review mechanism is an important safeguard. If operators are dissatisfied with a notice that they are given, or with any part of it, they have a statutory right to refer it to the Secretary of State for a review. Clause 18 is essential to ensure that operators do not make any technical changes during the review period that would have a negative impact on existing lawful access capabilities.
Operators will not be required to make changes to specifically comply with the notice. However, they will be required to maintain the status quo. If there was lawful access at the point at which a notice was given, access to data must be maintained by the operator while the notice is being comprehensively reviewed. This will ensure that law enforcement and intelligence agencies continue to have access to vital data during that period in order to keep people safe.
To be clear, companies can continue to make technical changes or roll out new services during the review period, so long as lawful access remains unaffected. The status quo will apply only to services or systems specified within the notice; anything outside the scope of the notice will be unaffected. If, at the conclusion of a review, the Secretary of State confirms the effect or varies the notice, maintaining the status quo will be vital to ensure that law enforcement and intelligence communities do not lose access to data during the review period that they would otherwise have been able lawfully to obtain. In the Lords, the Government amended the Bill to introduce a timeline for the review of a notice.
I will be very brief. I am grateful for the Minister’s remarks, but I want to raise the concerns of some telecommunications operators and of organisations representing the sector about clauses 18 and 19. These include a view that the role of the proposed new notices regime would hinder and even veto product development.
I know that the Minister and his Department have engaged with stakeholders about those concerns, as have Labour Members. I would be grateful if the Minister briefly set out whether recent engagement has taken place with stakeholders with regard to these matters, and whether he has any further plans to address the concerns that they have expressed about clauses 18 and 19.
I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.
The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:
“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”
Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State
“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”
Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.
As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.
According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.
In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.
I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.
Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.
The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.
The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.
It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.
It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.
The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.
I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?
Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.
On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.
Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19 ordered to stand part of the Bill.
Clause 20
Renewal of notices
Question proposed, That the clause stand part of the Bill.
Currently, a notice must be kept under regular review by the Secretary of State, but it does not cease to have effect unless the Secretary of State revokes it. The clause will introduce a notices renewal process such that if two years have passed since a notice was given, varied or renewed, it must go through the double lock process to obtain the approval of a judicial commissioner, in addition to a full necessity and proportionality assessment by the Secretary of State. This change will provide reassurance to operators that their notice remains necessary and proportionate.
Question put and agreed to.
Clause 20 accordingly ordered to stand part of the Bill.
Clause 21
Notification of proposed changes to telecommunications services etc
I beg to move amendment 6, in clause 21, page 45, line 7, leave out first “person” and insert “relevant operator”.
This amendment and amendments 7, 8, 10, 11, 12 and 13 provide that the expression “relevant operator” is used consistently in inserted sections 258A and 258B of the Investigatory Powers Act 2016.
With this it will be convenient to discuss the following:
Government amendments 7 to 13.
Clause stand part.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendment 6 agreed to.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.
Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)
See amendment 6.
Clause 21, as amended, ordered to stand part of the Bill.
Clause 22
Interception and examination of communications: Members of Parliament etc
I beg to move amendment 3, in clause 22, page 47, line 17, leave out from “and” to end of line 19 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (2).”
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 26 of that Act.
Government amendments 3 and 4 require that any Secretary of State to be designated by the Prime Minister as an alternative approver must have the necessary operational awareness of the warrantry process to undertake the role. This change will replace the current drafting inserted in the House of Lords relating to “routine duties”, which is over-restrictive and will undermine the resilience of the triple-lock process that the clauses seek to safeguard.
Requiring relevant operational awareness will ensure the necessary flexibility and resilience while maintaining a proportionate scope for delegation. It will allow scope to include those who may be new to their role and do not yet carry out such duties routinely, or who no longer carry them out routinely due to machinery-of-government changes but have valuable pre-existing knowledge that makes them a suitable alternative approver.
I am grateful to the Minister for the fact that his amendment goes some way to dealing with the issues that I and others raised in relation to the change from existing practice. At the moment, the Prime Minister provides the element of what has been described as the triple lock. The Government proposal is that other Secretaries of State should perform the role when the Prime Minister is unable to for a number of reasons. My anxiety, reflected by the Intelligence and Security Committee, is that those Secretaries of State who act for the Prime Minister in such circumstances should be people with operational experience. Typically, that would mean people with warranting powers—people accustomed to the business of issuing warrants, with all that that suggests.
The Government amendment speaks of operational awareness. I think “operational experience” is a better turn of phrase, although I accept the Government’s point that if there was a new Secretary of State—a new Home Secretary would be a good example—they would not necessarily have experience. By definition, they would be new in the job, whether that was the Home Secretary or Foreign Secretary and so on. It might be possible to speak of experience and responsibilities, so it could be either responsibilities or experience. Of course, the Government rightly say that a former Home Secretary, Foreign Secretary or Northern Ireland Secretary who was then doing a different job in Government could be one of the people designated, so I take that point.
The issue here is ensuring that the people who perform the role are competent to do so, and I know that is something on which we agree. It is really a matter of the semantics, but semantics are not always insignificant. I am aware of bolshevism and liberalism, but I would not want anything to do with either of them. I am aware of the separatist case on the United Kingdom, but awareness is as far as I want to go with that—I say that without contention or, indeed, acrimony of any kind. I am not sure that “awareness” is quite the right word, and I simply offer that semantic but not insignificant point to the Minister for his consideration.
I think so, because the original wording talked about being able to nominate basically anybody. It was then defined, but the amendment widens it again. It says, “necessary operational awareness”; is that, for example, that any Secretary of State is aware that it is a voluntary process? For example, the Foreign Secretary and the Home Secretary sign warrants, and another Secretary of State could say, “Yes, I’m aware of that.” As the right hon. Member for South Holland and The Deepings said, “operational experience” would be better wording, because “necessary operational awareness” is too broad. What does it actually mean in practice? For example, must they have any experience of having signed a warrant before? Or do they just need to know that the warrantry system exists?
First, I place on the record my gratitude to the ISC, to which I have listened extremely carefully on this matter; indeed, the Bill has been changed because of it. Let me be clear that although many people are aware of things, to be operationally aware is not the same as to be just aware. Many people were aware of the conflict in Helmand, but I argue that only the hon. Member for Barnsley Central and I were operationally aware of the conflict in Helmand. It is rather a different requirement. It does not mean that one knows about the operation; it means one is aware in an operational sense of it. It is not just an observation of the challenge.
I have to say that from my experience as a former Minister in the Ministry of Defence—I said I was never a Secretary of State—I was not only aware of what was going on but operationally aware. Could an Under-Secretary of State at the Ministry of Defence therefore be designated as one of these people? On Tuesday mornings every week, I was very operationally aware of what was going on in Helmand, for example.
First, this goes alongside the code of practice, which challenges the right hon. Gentleman’s point. It would need to be people who were briefed into the warrantry process. It needs to be somebody who understands what a warrant is, so it is not somebody who is merely observing it, such as a Secretary of State for Culture, Media and Sport.
On the point that my right hon. Friend the Member for South Holland and The Deepings made about experience, I understand the debate. There is a possibility—I know that he and I will do everything we can to prevent it—that there will be a change of Government soon. In that case, there will be an awful lot of people who have absolutely no experience at all of these matters. It would therefore be wise not to set up a provision that would immediately require amendment. Disappointed though we would be at that outcome, my right hon. Friend would agree that he would not want a law to be amended in its first year, if we could possibly avoid it.
To be clear, the Government view the four alternative approvers as being likely to be the Home Secretary, the Foreign Secretary, the Defence Secretary and the Northern Ireland Secretary. Only three would be able to act as the triple-locking Secretaries of State, because of course we would have already used up two of them to do the first two functions. That is why the numbers are required, and why I am incredibly grateful to the ISC for pointing it out and being very cautious on it.
If what the Minister has just said is the case, why do the Government push back on a suggestion that I think they actually made earlier on? The Minister is now pushing back on it. Although I understand the need for the code of practice, if there was a change in it—because there might be sometime—would that come back to Parliament to be approved? We are dancing on the head of a pin here. I do not know why, but that is quite common with the Home Office. The Minister says that it will be mainly four people, but I would love to know what he means by “necessary operational awareness”, which is clunky language.
Codes of practice will be brought forward through regulations in the usual way, as the right hon. Gentleman is aware, and the House will scrutinise them in the usual way. This is a very legalistic process, as I recognise from the inside as much as he does from the outside. It is true that if, for example, the Northern Ireland Secretary became the Education Secretary, they could then be included. The idea is to ensure that it is somebody who is appropriate to the task, which is why the measure is worded as it is. I always listen to right hon. and hon. Members across the House. I believe that the amendment is the best version that we have come to so far. I will continue to listen to the right hon. Gentleman, as always.
Given what the Minister said about a change in Government—I do not expect one, but I suppose it is a remote possibility—perhaps the words “operational responsibility or experience” would cover the point made and be slightly tighter than “awareness”. Also, there is the matter of notifying the PM. The Committee made the good suggestion that the PM should be notified as soon as practicable, which may be something with which the Minister agrees. If the Prime Minister were indisposed because of illness or whatever, they would be notified as soon as is practicable that a warrant had been issued.
On the second point, I am sure that, like me, my right hon. Friend finds it absolutely inconceivable that that PM would not be notified. I am not convinced that that must be in primary legislation. I find it genuinely inconceivable that the Prime Minister would not be notified at the earliest opportunity. Obviously, if they could be notified immediately, the provision would not be required.
But, Minister, let us be honest: a lot of things that we would have taken for granted were ignored in Downing Street over the last few years. Until Boris Johnson became Prime Minister, it had been a great part of our constitution that convention was followed. Surely it would therefore be better to have the point about notification in the Bill; otherwise, we are leaving it to the free will of convention. I would have trusted convention, but we have had Boris Johnson as Prime Minister.
I want to help the Minister, because I do not necessarily agree with the right hon. Member for North Durham; occasionally, he and I do disagree, despite the impression that we have created in this Committee. Notification could be covered in a piece of statutory guidance that supports the Bill. It could state that the Prime Minister should be notified as soon as reasonable practicable, exactly in the terms just described. How’s that?
As is so often the case, I absolutely agree with my right hon. Friend.
I will look at putting it in the guidance, as suggested by the right hon. Member.
I have said what I am going to say on the matter.
Amendment 3 agreed to.
I beg to move amendment 17, in clause 22, page 47, line 26, at end insert—
“(2G) If a warrant is issued by an individual designated by the Prime Minister, the Prime Minister must be informed of that decision as soon as it is reasonably practical to do so.”
This amendment would require the Prime Minister to be notified of a decision of a designated Secretary of State to authorise the interception of certain elected representatives’ communications as soon as is reasonably practicable.
I am conscious of the debate that has just taken place, so I anticipate what the Minister may say in response. Let us give him another go anyway.
Amendments 17 and 18 relate to the decision of a designated Secretary of State to authorise the interception of elected representatives’ communications and interference with equipment relating to elected representatives. As the Minister will know, two similar amendments were proposed by Lord West in Committee in the other place. The reason for tabling the amendments in Committee in the Commons is that the Opposition believe that the Prime Minister’s overall involvement in the warrants must be retained, even if, in designated cases, it could be retrospective. As I said, I am mindful of the debate that has just taken place.
In the other place, Lord Sharpe rejected Lord West’s amendment on the basis that the oversight arrangements for warrant decisions taken by a designated Secretary of State, which include review by the judicial commissioner, are sufficient scrutiny. I understand that argument, but I wonder why it should not be the case that a Prime Minister is at least notified about decisions to issue warrants that they have had to delegate due to their being unable to do so. Furthermore, would a Prime Minister not being notified of a decision unnecessarily diminish their operational awareness in making future decisions to issue warrants?
My amendment would require the Prime Minister to be informed of a decision taken by a designated Secretary of State on their behalf as soon as the circumstances that have prevented the Prime Minister from approving a warrant in the first place have passed. I hope the Minister and the Committee will understand the emphasis on the important nuance in the difference between review and notification. Mindful of the earlier debate, I hope that the Minister will consider accepting the amendments.
For want of repeating myself, I will probably leave that to stand.
We are speaking about elected representatives who are then appointed into Government and make decisions, and we have rightly had an important debate, to which the Minister has responded. If possible, it would be helpful if he could confirm who from the agencies would also be involved in the decision making. That would add some faith as to the robustness of the decision making that takes place when such actions are taken.
I am cautious about answering that question, for the simple reason that it depends on where and how the information was gathered, whether it was gathered deliberately or accidentally as part of an existing operation, and whether it was tangential. It is absolutely inconceivable that the chief of whichever agency it was would not be aware and therefore not part of that conversation.
With this it will be convenient to discuss the following:
Clause stand part.
Clause 23 stand part.
New clause 1—Requirement for the Prime Minister to appear before the Intelligence and Security Committee—
“After section 26 of the Investigatory Powers Act 2016, insert—
‘26A Requirement for the Prime Minister to appear before the Intelligence and Security Committee
(1) The Prime Minister must appear before the Intelligence and Security Committee of Parliament to provide oral evidence on the matter set out in subsection (2).
(2) The matter is decisions made by the Prime Minister or an individual designated under section 26 to—
(a) give approval to issue warrants to intercept and examine communications of Members of Parliament;
(b) interfere with equipment belonging to Members of Parliament;
(c) other relevant decisions relating to Members of Parliament in the interests of national security
(3) The duty in subsection (1) applies once every session of Parliament.
(4) Subsection (1) does not apply if the Intelligence and Security Committee does not require the Prime Minister to attend.’”
This new clause would require the Prime Minister to appear before the Intelligence and Security Committee to provide oral evidence on decisions made to approve warrants to intercept and examine communications of MPs or to interfere with equipment belonging to MPs, and other relevant decisions relating to MPs.
New clause 4—Interception notification for Members of Parliament etc.—
“After section 26 of the Investigatory Powers Act 2016 (Members of Parliament etc.) insert—
‘26A Interception notification for Members of Parliament etc.
(1) Upon completion of conduct authorised by a warrant under section 26, or the cancellation of a warrant issued under that section, a Judicial Commissioner must notify the subject of the warrant, in writing, of—
(a) the conduct that has taken place, and
(b) the provisions under which the conduct has taken place.
(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.
(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the subject of the warrant.
(4) A Judicial Commissioner must consult the person who applied for the warrant in order to fulfil an assessment under subsection (3).’”
This new clause would require members of a relevant legislation who are targets of interception to be notified after the fact, as long as it does not compromise any ongoing investigation.
Clauses 22 and 23 will increase the resilience and flexibility of the warrant system. They will ensure the effective processing of warrants that authorise the interception of, or the use of equipment interference to obtain, the communications of a Member of a relevant legislature when the Prime Minister cannot fulfil their duties due to medical incapacitation or a lack of access to secure communications. The changes will enable the authorisation process to function in an agile manner, thereby enabling the important work of the intelligence agencies to continue while maintaining a high bar for the authorisation of some of the most sensitive warrants.
I rise to speak to new clause 1, which relates to oversight by the Intelligence and Security Committee of warrants to intersect and examine the communications of Members or the interference with equipment relating to Members. The context of the new clause will be clear to those who followed the debates in the other place about the role of the ISC. To be absolutely clear, I am not seeking to debate the Wilson doctrine—I know that Members will be relieved to hear that.
The purpose of the new clause is to probe and seek further safeguards for the ISC to provide essential oversight of this extremely sensitive matter, codified by the 2016 Act as part of a wider context of decisions made by the Prime Minister in the interests of national security. Members of this Bill Committee who also serve on the ISC will know that successive Prime Ministers have, unfortunately, not appeared in front of that Committee since, I believe, 2014. As a result, there has been no opportunity for direct accountability over prime ministerial decision making on warrants to intercept and examine Members’ communications, or on interference with equipment relating to Members.
I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.
New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.
Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.
In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would needed to allow such a measure to be implemented.
The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians thorough the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.
This proposal is not without some difficultly, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.
On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.
For now!
Question put and agreed to.
Clause 22 accordingly ordered to stand part of the Bill.
Clause 23
Equipment interference: Members of Parliament etc
Amendment made: 4, in clause 23, page 48, line 15, leave out from “and” to end of line 17 and insert—
“(b) has the necessary operational awareness to decide whether to give approvals under subsection (3) or (6).”—(Tom Tugendhat.)
This amendment replaces the reference to an individual being required in their routine duties to issue warrants under the Investigatory Powers Act 2016 with a reference to an individual being required to have the necessary operational awareness to decide whether to give approvals under section 111 of that Act.
Clause 23, as amended, ordered to stand part of the Bill.
Clause 24
Issue of equipment interference warrants
Question proposed, That the clause stand part of the Bill.
The Bill makes minor changes to the equipment interference regime, specifically in relation to the warrantry processes associated with its authorisation. The purposes behind those changes are to correct minor drafting errors in the IPA to provide greater clarity, and to improve the efficiency of the warrantry process for equipment interference.
Question put and agreed to.
Clause 24 accordingly ordered to stand part of the Bill.
Clauses 25 and 26 ordered to stand part of the Bill.
Clause 27
Bulk equipment interference: safeguards for confidential journalistic material etc
I beg to move amendment 19, in clause 27, page 50, line 9, at end insert—
“(2A) Where a senior official acts on behalf of the Secretary of State under subsection (2), they must inform the Investigatory Powers Commissioner of the selection for examination of BEI material as soon as reasonably practicable.”
This amendment would require a senior official acting on behalf of the Secretary of State who has selected BEI material for examination when there has been an urgent need to do so to inform the Investigatory Powers Commissioner as soon as reasonably practicable.
Amendment 19 would require a senior official acting on behalf of the Secretary of State who has selected bulk equipment interference material for examination, when there has been an urgent need to do so, to inform the Investigatory Powers Commissioner as soon as is reasonably practical. It would ensure that every reasonable oversight arrangement was in place concerning the Bill’s investigatory powers provisions.
The amendment does not suggest that the Investigatory Powers Commissioner retrospectively reviews the approval, but instead proposes that they be informed to ensure that there are the most comprehensive and effective oversight arrangements on investigatory powers. We intend not to burden the police and the security services with additional duties, but to ensure that there is the maximum possible oversight with the minimum possible additional work. I hope that the Minister will at least agree with the intentions of the amendment and consider its merits in further strengthening the Bill’s oversight arrangements.
I welcome the amendment, and not only do I agree with it, but I feel that we have already done it. My understanding is that the provision duplicates what already occurs in practice under the current regime, as well as the changes made by clause 27. Currently, the Investigatory Powers Commissioner is already effectively notified when a senior official acting on behalf of the Secretary of State, in urgent circumstances, approves the selection for examination of journalistic material derived from bulk equipment interference. Clause 27 already inserts into the IPA new section 195A(2), which will ensure that the Investigatory Powers Commissioner is notified as soon as is reasonably practical by the Secretary of State when a senior official approves the use of criteria to select for examination journalistic material in reliance on an urgent approval. Effectively, the senior official is informing on behalf of the Secretary of State, or indeed the Secretary of State is informing on behalf of the senior official. We all very much hope it is the former of the two.
Clause 27 enhances the safeguards already afforded to journalistic material within the IPA, and the Government recognise the importance of journalistic freedom within free and democratic societies, which is why we are introducing this measure. Under the current regime, the Investigatory Powers Commissioner must be informed when a communication that contains confidential journalistic material or sources of journalistic material is retained following its examination for purposes other than its destruction. The clause introduces a requirement for prior independent approval by the IPC before any search criteria are used to select such material. Prior independent approval is also required before it is removed.
I am grateful to the Minister for that clarification. On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 27 ordered to stand part of the Bill.
Clause 28
Exclusion of matters from legal proceedings etc: exceptions
Question proposed, That the clause stand part of the Bill.
Clause 28 will amend schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland or Scotland into a person’s death. The clause will create parity with existing provisions for coroners in England and Wales. It also adds an exception to enable panel members of the Parole Board in England and Wales to access intercepted materials when considering parole applications and any subsequent appeals. It will also enable relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland to access intercepted material in connection with their inquiry or inquest.
Question put and agreed to.
Clause 28 accordingly ordered to stand part of the Bill.
Clause 29
Freedom of information: bodies dealing with security matters
Question proposed, That the clause stand part of the Bill.
Under the Freedom of Information Act 2000, the Investigatory Powers Commissioner’s Office is not, and never has been, a public authority within the scope of the Act. The lack of control over the onward disclosure of information related to the functions of the judicial commissioners raises security concerns and has the potential to compromise the IPC’s inspections, which are often, by their very nature, intrinsically sensitive. The clause would prevent sensitive intelligence being further disclosed under the FOIA once such information is supplied by IPCO to a public body.
Question put and agreed to.
Clause 29 accordingly ordered to stand part of the Bill.
Clause 30
Power to make consequential provision
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss the following:
Clauses 31 and 32 stand part.
Government amendment 5.
Clause 33 stand part.
Clauses 30 to 33 are typical clauses that are included in the vast majority of legislation. Clause 30 allows the Secretary of State, by regulations made by statutory instrument, to make provision that is consequential on this Act. Clause 31 details the extent of the Bill. The Bill extends and applies to the whole of the United Kingdom, with the exception of measures contained in clause 28, in which subsection (2) applies to England and Wales only and subsection (3) applies to Northern Ireland and Scotland only.
As national security is a reserved matter, a legislative consent motion is required from Scotland only in relation to a small number of clauses in part 2—the oversight aspect—of the Bill. I am pleased that the Scottish Government have recommended that legislative consent be given.
Clause 32 details when the Bill commences. Part 6 comes into force on the day on which the Bill is passed; the other provisions come into force on such day as is appointed by regulations made by the Secretary of State.
Question put and agreed to.
Clause 30 accordingly ordered to stand part of the Bill.
Clauses 31 and 32 ordered to stand part of the Bill.
Clause 33
Short title
Amendment made: 5, in clause 33, page 56, line 1, leave out subsection (2).—(Tom Tugendhat.)
This amendment removes the privilege amendment inserted by the Lords.
Clause 33, as amended, ordered to stand part of the Bill.
New Clause 2
Report on the Prime Minister’s engagement with the Intelligence and Security Committee
“After section 240 of the Investigatory Powers Act 2016 insert—
“240A Report on the Prime Minister’s engagement with the Intelligence and Security Committee
(1) The Secretary of State must publish a report about the Prime Minister’s engagement with the Intelligence and Security Committee in relation to the investigatory powers regime and lay the report before Parliament.
(2) The report must be published within six months of the passage of the Investigatory Powers (Amendment) Act 2024, and annually thereafter.””—(Dan Jarvis.)
This new clause would ensure the Secretary of State publishes a report on the engagement, including any meeting held, between the Prime Minister and the Intelligence and Security Committee in relation to the investigatory powers regime.
Brought up.
I recognise that we have already had an extensive debate on this matter. I do not intend to detain the Committee any longer, and there is therefore nothing further I wish to say about new clause 2, so I do not wish to move it.
New Clause 3
Impact of Act on EU data adequacy decisions
“Within six months of the passage of this Act, the Secretary of State must publish a report assessing the potential impact of this Act on EU data adequacy decisions relating to the United Kingdom.”—(Dan Jarvis.)
This new clause would require the Secretary of State to publish a report on potential impact of the provisions within this Bill on the requirements necessary to maintain a data adequacy decision by the EU.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 3 relates to the impact of the Act on EU data adequacy decisions. When a similar measure to this new clause was proposed by my noble Friend Lord Coaker during the Bill’s passage through the other place, the response from the Minister, Lord Sharpe, confirmed the UK Government’s regular contact with the European Commission about the Bill to ensure that any changes are understood. We welcome that but, as I hope the Minister will understand, such engagement is a continuous process, not a single event or even a series of events. As part of this continuous process, we believe that the Secretary of State should publish a report assessing the potential impact of the Act on EU adequacy decisions.
As Lord Coaker said in the other place:
“The adequacy agreement is dependent on the overall landscape of UK data protections”.—[Official Report, House of Lords, 23 January 2024; Vol. 835, c. 688.]
That is even though the UK protections require some further work. However, given the time pressures, Mrs Cummins, that is all I will say about new clause 3.
First, I welcome the interactions we have had on this point, as well as the work of Lord Coaker and Lord Sharpe to ensure that this is widely understood. The work that has been done is important. We face the challenge that although we obviously commit to fulfilling our side of the TCA and the various agreements we have struck, this is really a matter for the European Commission to determine, so it is not one that we can pass into UK law. It is really a matter for them.
I have nothing further to add. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
On a point of order, Mrs Cummins. I would like to express my extreme personal thanks to Tom Ball and the Bill team, Phoebe, the Lucys, and the many others who have contributed brilliantly to ensure that this Bill has proceeded with speed and professionalism. I thank not only the members of the Committee, but all Members of many parties, and particularly the ISC, which has contributed so much to this Bill, despite what the right hon. Member for North Durham claims. May I say a particular thanks to my very good friend and shadow, the hon. Member for Barnsley Central? It is an enormous pleasure to think that we have gone from fighting the Queen’s enemies to passing the King’s laws together.
Further to that point of order, Mrs Cummins. I join the Minister in warmly extending my thanks on behalf of Labour to all members of the Public Bill Committee and all the officials, both in the Department and in the House, who have done a sterling job in getting us to this point. I am grateful to the Minister for his collegiate approach, which I very much hope we will be able to maintain during the further passage of the Bill. Thank you, Mrs Cummins.