(6 years, 9 months ago)
Lords ChamberMy Lords, I am happy to support the Minister in everything she has said about these regulations. A few years ago I had the privilege of chairing the Joint Select Committee on the draft of the Investigatory Powers Bill. The committee made around 80 recommendations which were all accepted by the Government, and I think that few Bills in the past couple of Sessions have been subject to as much scrutiny as this one. It was considered for many days in this House and in the other place, as well as in the Joint Committee. It was right that that was the case because the powers given by the Bill to the intelligence agencies are very wide and deep—rightly so, but safeguards have been built into the Act and now, of course, they are built into the regulations as well. That is necessary because we have to strike a balance between the liberty of the individual on the one hand and the safety of our citizens on the other.
I welcome in particular the regulations on the codes of practice, which were central to the thinking of the Joint Committee. The Minister in the other place, Mr Ben Wallace, indicated that they are “user friendly” in terms of their language, and certainly they are more user friendly than the regulations themselves, which are phrased in gobbledegook, to say the least. The Technical Advisory Board, something that the committee recommended, has now been set up. It is an important development along with, as the Minister has said, the appointment of the new Investigatory Powers Commissioner, Lord Justice Fulford. On behalf of the Opposition, my successor as the Member of Parliament for Torfaen, Nick Thomas-Symonds, supported these recommendations and I do not doubt that my noble friend Lord Kennedy is likely to do the same. As a former chair of the Intelligence and Security Committee, I support them too because these regulations are vital to implementing the Act. I also congratulate the services on their work in ensuring that our children are safe from paedophiles and our citizens are safe from terrorists.
My Lords, if the House will allow me, I should like to make a few comments about what happened during Oral Questions yesterday. Perhaps I may say that the decision of the Prime Minister, the right honourable Theresa May, to refuse the resignation of the noble Lord, Lord Bates, was one of her better decisions. I also commend the noble Lord, Lord Taylor of Holbeach, on how he picked up the loose ball and ran with it. It just shows what the Government can do if they work together rather than against each other. The noble Baroness, Lady Smith of Basildon, reflected the views of the overwhelming majority in the House in indicating genuine respect and affection for the noble Lord, Lord Bates. We are very pleased that he is having a couple of days of well-earned rest before he resumes the fray. However, I fear that is the end of me being nice.
I thank the Minister for introducing these regulations, which, if the House will allow me, I will take in the order set out on the Order Paper rather than in the order in which the Minister spoke to them. The regulations have been introduced against a background of two linked and significant matters. First, the 16th report of the Secondary Legislation Scrutiny Committee states:
“Because bulk interceptions in particular have the potential to include communications of people who are not suspects as well as those who the security services are targeting, this legislation is likely to be of interest to the House”.
In other words, this important committee of the House has given these regulations a red flag, not least because the codes of practice run to several hundred pages. Again I quote:
“We were therefore disappointed with the obscurity of the original Explanatory Memorandum which gave the reader no indication of the potential effects of these Codes.”
Secondly, the Home Office is having to make late changes to the Investigatory Powers Act in an attempt to comply with the European Court of Justice ruling on the UK’s mass surveillance powers following the decision of the Appeal Court this week. We had long debates, as the noble Lord has just said, during the passage of the Investigatory Powers Bill. We on these Benches argued that the bulk acquisition of communications data treated everyone in the UK as a suspect. We drew a distinction between mobile phone data that is routinely kept by communications services for billing purposes—such as where was the call made and where was the person calling, so that the person can be charged the right amount on their bill—and new communications data that CSPs do not routinely collect; for example, so-called internet connection records, where CSPs will be required to keep a record of the first page of every website that every user of the internet in the UK visits on a rolling 12-month basis. The Investigatory Powers Act allows police and other organisations to self-authorise access to such data. The Appeal Court ruled on Tuesday that the Data Retention and Investigatory Powers Act 2014, many of the powers in which are incorporated in the Investigatory Powers Act, is inconsistent with EU law because of a lack of safeguards and the absence of a prior review or an independent administrative authority.
Noble Lords may wonder what this has to do with the regulations before the House today. The Investigatory Powers (Codes of Practice) Regulations 2018 include a draft code of practice on bulk acquisition of communications data. My understanding is that the Government claim that the judgment does not affect bulk acquisition of communications data because this is limited to the intelligence services—the Security Service, the Secret Intelligence Service and GCHQ—and that these organisations are concerned with national security, which is outside EU data protection law. The first problem with this is that GCHQ, in particular, is involved in accessing data in relation to serious crime; for example, working jointly with the National Crime Agency on child sexual exploitation, which is not within the normal definition of a national security issue.
The second problem is that, after Brexit, the UK will be treated as a third-party country by the EU 27. National security issues will no longer be exempt from scrutiny and compliance with EU law if the UK wants to continue to exchange data with the EU 27. Will the Minister explain what impact the UK’s need to secure an adequacy certificate from the EU in relation to compliance with EU data protection standards once we exit the EU will have on the bulk acquisition draft code of practice? Will she also explain what advice Ministers are receiving about the likelihood of success of Liberty’s other challenge to the Investigatory Powers Act, due to be heard in the High Court later this year, and what effect that will have on these codes of practice? The bulk acquisition draft code of practice also talks about communications operators receiving public funding and support to ensure that they can provide an effective and efficient response to the security services’ requests for data. Can the noble Baroness tell the House how much public funding will need to be provided, particularly in relation to ICRs that are not collected and stored at the moment?
On the second code of practice, in relation to equipment interference, we pointed out in debate on the Investigatory Powers Bill the anomaly that while requests from the security services for equipment interference—downloading the contents of a mobile phone or exploiting weaknesses in software to enable remote accessing of a computer, for example—had to be authorised by a Secretary of State, requests by law enforcement agencies for equipment interference could be self-authorised by a law enforcement chief. The interception of communications warrants, covered by the third code of practice, has to be authorised by a Secretary of State whether the request comes from the security services or law enforcement agencies, but a Secretary of State’s authority is not required in the case of equipment interference warrants for law enforcement agencies. Surely, in the light of the decision of the Court of Appeal, such self-authorisation should no longer be permitted.
Targeted equipment interference warrants can be issued against equipment belonging to or in the possession of an organisation or equipment in a particular location. Can the Minister explain, if warrants allow interference with the equipment of innocent people within that organisation or at that location—collateral damage, if you will, in pursuit of the real criminals and terrorists—how that is compliant with the ruling of the High Court and the ECJ?
The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations are straightforward and we support them. The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations deal with appeals against technical capability notices, national security notices and data retention notices, which include consultation with the Technical Advisory Board. These regulations set out the composition of the TAB and the process and timing of appeals. We support these regulations as well.
Finally, we come to the Investigatory Powers (Technical Capability) Regulations, setting out what may be contained in technical capability notices, which impose obligations on a relevant operator in order that the operator can deliver what is required if served with an interception warrant, equipment interference warrant, or warrant or authorisation for obtaining communications data. In the tech sector, techUK represents 900 companies, employing about half of all those employed in that sector in the UK, and it has raised concerns about technical capability notices arising from these regulations.
Clearly, communication service providers must have the technical capability to be able to comply with lawfully authorised warrants. But these regulations also require CSPs,
“to notify the Secretary of State, within a reasonable time, of—
(a) proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;
(b) proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice, and
(c) the development of new telecommunications services or telecommunication systems”.
In her opening remarks, the Minister said that these regulations do not create new powers. But techUK claims that these notifications of innovation were not listed on the face of primary legislation, albeit that the primary legislation states:
“The obligations that may be specified in regulations under this section include, among other things”.
I emphasise “among other things”. It goes on to express concern that these provisions could force tech companies half way through development to notify the Home Secretary about what they were doing and that the Home Secretary could then come back and demand changes, extending the tight deadlines under which they operate and risking information about commercially sensitive developments being made public to the benefit of competitors. These provisions could be a barrier to innovation and drive tech companies overseas beyond the reach of these regulations. Can the Minister provide some reassurance to the House that these additional provisions will not stifle innovation and drive tech companies overseas?