Investigatory Powers (Amendment) Bill [HL] Debate
Full Debate: Read Full DebateLord Sharpe of Epsom
Main Page: Lord Sharpe of Epsom (Conservative - Life peer)Department Debates - View all Lord Sharpe of Epsom's debates with the Home Office
(1 year, 1 month ago)
Lords ChamberMy Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.
The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.
Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.
It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.
But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.
I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.
This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.
Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.
Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.
I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.
While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.
Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.
The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.
Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.
In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.
The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.
Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.
The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.
Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.
Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.
Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.
Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.
The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.
The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.
Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.
I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.
My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.
The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.
I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.
I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.
For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.
The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.
On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.
In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.
Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.
These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.
The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.
The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.
On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.
None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.
These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.
The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.
On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.
On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.
The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.
I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.
Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.
Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.
The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.
On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.
The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that
“The safeguards contained within that Act are capable of preventing abuse”.
While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.
I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,
“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].
Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.
Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.
The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.
I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.
That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:
Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.