Investigatory Powers (Amendment) Bill [HL] Debate
Full Debate: Read Full DebateLord Ponsonby of Shulbrede
Main Page: Lord Ponsonby of Shulbrede (Labour - Life peer)Department Debates - View all Lord Ponsonby of Shulbrede's debates with the Home Office
(10 months, 4 weeks ago)
Lords ChamberI shall be brief. Not for the first time, your Lordships are in debt to the noble Lord, Lord Anderson, for intervening on an issue that I think all of us failed to note. His request of the Minister is helpful, and I hope the Minister will be able to respond. There is an alternative process which I could suggest to the Minister—I have not had a chance to talk to the noble Lord, Lord Coaker, about this. If the Minister wanted to withdraw this amendment and bring it back at Third Reading, which is applicable in certain circumstances. I am sure we would be very flexible in permitting that as well.
My Lords, we support the introduction of the Government’s amendments. I echo what the noble Lord, Lord Fox, said about the amendment in the name of the noble Lord, Lord Anderson, and I look forward to the Government’s response on that point.
I would also be interested to hear what the Government have to say about my noble friend Lord West’s amendments. He has taken a keen interest in this part of the Bill, and I hope the Government will be able to answer the questions, in particular on data disclosure powers, as I think they can give a more detailed response to the expansion of disclosure powers to regulatory bodies than was given in the original legislation. It is also very likely to be further analysed and looked at as the Bill moves down to the other end of the Corridor. Nevertheless, we support the amendments as they are currently.
My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.
As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.
Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.
Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.
In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.
These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.
Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.
The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.
I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.
Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.
Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.
I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.
The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.
The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.
As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.
Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.
I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.
I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.
In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.
As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.
My Lords, I will move Amendment 21 and speak to the other amendments in this group in my name.
Amendment 21 specifies that the enforcement of retention notices applies only to UK recipients of such notices. It is one of a suite of amendments in this group that return to the issue of extra-territoriality— I see the Minister blow out his cheeks at the prospect. Amendments 22, 25, 28 and 31 are similarly directed and each largely seeks to limit extra-territoriality by ensuring that operators can make changes to their services for users outside UK jurisdiction.
The reason for tabling the amendments, the others of which I will not move, is that there remains a huge gulf of understanding between the tech companies and the Government when it comes to the interpretation of the Bill with respect to its territorial reach. I am again presenting the Minister with a golden opportunity to set out in clear language the territorial ambitions that the Government have for this Bill. I believe there is some element of miscommunication going on here, though I am not sure in which direction. I hope that the Minister can dispel that.
Clearly, we have international tech companies that are incorporated in another country with subsidiaries all around the world and data residing in many different domains—companies that offer services to customers all over the world. In essence, we need to understand what would happen as a result of this Bill if such a business proposed to change a global service that is used by consumers all over the world, including in the UK. How do the Government use this Bill to deal with such situations? I am looking forward to the response.
Amendments 23, 24, 29 and 30 would raise the threshold for calling in a change from “negative effect” to “substantially limit”. Again, this increases the bar before the Government can start the process. Negative effect is a very low bar which will catch almost everything. It is not in the interests of the authorities to have everything coming through. There needs to be some sense of funnel. This is an opportunity for the Minister to define what negative effect is and what it is not, because it is a very low bar. He would be wise to take our advice and look at the language there, certainly when it comes to the code coming later.
Moving on, my Amendment 27 is a retread of an amendment I tabled in Committee, and it was there as a placeholder. I am pleased to see that it is unnecessary, as government Amendments 26 and 32 very much embrace the spirit of what I was seeking to achieve in that amendment. I thank the Minister for responding, and therefore will not be speaking to or indeed moving Amendment 27.
I now turn to Amendment 35. Currently, while there is a requirement for the Secretary of State to consult the operator before giving notice, there is no requirement on the Secretary of State to consult ahead of making regulations that will specify what “relevant change” includes, and therefore what needs to be notified. My Amendment 35 therefore introduces a requirement for pre-legislative consultation on the definition of “relevant change”. The amendment specifies that the Secretary of State must consult the Technical Advisory Board. There is a precedent for consultation with this board in Section 253(6) of the 2016 Act. As your Lordships know, the Technical Advisory Board is comprised of independent and industry representatives; the amendment also specifies a wider range of consultees.
The amendment then requires the Secretary of State to have regard to the impact on users, including on their privacy and on operators’ ability to innovate. Again, there is precedent for this in the 2016 Act. Such considerations must be taken into account when a public authority is deciding whether to issue a TCN or NSN, or where a judicial commissioner approves a DRN. As such, we feel it is worth while also to consider these factors when legislating for a “relevant change”, because delaying a critical security update could negatively impact users and operators. In a sense, all we are asking for is consultation. We are not asking to change the law, and this gives the Government a power to abide by that consultation or not. But we feel that this is an important definition, and it needs to be more widely consulted on.
I hope the Minister will agree, but in the event that he declines, I will be moving Amendment 35. I beg to move Amendment 21.
My Lords, we have had much welcome interaction from stakeholders on the issues summarised in this group, as well as some useful briefings from the Home Office and the noble Lord’s team, for which we are grateful.
As the noble Lord, Lord Fox, has just said, there appears to be a gulf in both position and understanding between the Government and the tech companies, both on the principle of the notice and its details, which is, in a sense, frustrating scrutiny of the Bill. I understand that there is a disagreement about the introduction of notification notices in general. It is right that we look at the details to ensure that the process takes place in a way that reflects the realities of international law, and the need of the intelligence services to maintain levels of data access and the necessary safeguards.
Concerns raised by stakeholders keep striking at the same places: how this notice would work with access agreements with other countries; why there is no double lock on the notification notice, despite the clear impact it would have on tech companies’ activities; and why the definition of telecoms operator is perhaps in reality wider than the Government intend.
We will not be supporting Amendment 35, in the name of the noble Lord, Lord Fox, although we understand the intent behind it. We encourage the Government to keep talking to stakeholders, and we believe that this part of the Bill will benefit from further discussion in the other place.