(11 months, 3 weeks ago)
Lords ChamberMy Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.
Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to
“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.
However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.
The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.
Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has
“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.]
as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.
The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.
I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.
Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.
Amendment 12 is consequential on the amendments that I have just talked about.
I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.
This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.
While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.
My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.
The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.
Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.
I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.
My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:
“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.
What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, that the Christmas present of noble Lord, Lord Anderson, is already there as already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.