Investigatory Powers (Amendment) Bill [HL] Debate
Lord West of Spithead (Labour - Life peer)
(11 months, 2 weeks ago)
Lords Chamber
My Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.
Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to
“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.
However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.
The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.
Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has
“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.]
as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.
The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.
I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.
Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.
Amendment 12 is consequential on the amendments that I have just talked about.
I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.
This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.
While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.
My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.
The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.
Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.
I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.
My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:
“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.
What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, the Christmas present of the noble Lord, Lord Anderson, is already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.
My Lords, I stand to address the clause stand part notice for Clause 13 and also Amendments 21, 22, 24 and 26. The aim of looking at the clause relates to the communication data disclosure powers. The current IPA wisely restricted the number of public authorities that are able to compel the disclosure of communications data from telecommunications operators, given the potentially intrusive nature of this power. Consequently, authorities such as the Environment Agency or Health and Safety Executive are currently required to take further procedural steps in order to compel disclosure of communications data. They must obtain either an authorisation under the current IPA, a court order or other judicial authorisation, or regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as secondary data as part of a valid interception or equipment interference warrant.
However, the Bill before us seeks to remove these restrictions for a wide range of public regulatory authorities and restore their ability to compel the disclosure of communications data from telecommunications operators in service of their statutory regulatory or supervisory functions. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data, and that a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions, in a way that was not anticipated at the time of the original legislation.
It is argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function, which would collect communications data as part of their lawful functions but would be restricted under the current Act if their collection was not in service of a criminal investigation. In particular, the change is focused on improving the position of certain public authorities responsible for tax and financial regulation, whose powers were removed in 2018 as a result of the rulings of the European Court of Justice.
Clearly, such bodies must be able to perform their statutory functions effectively, but we have been told that this Bill delivers only “urgent, targeted changes needed”. That is not the case here. These sections represent a sweeping restoration of powers across a wide number of public bodies, most of which have no national security or serious crime function.
The original Act was very particular about the purposes for which communications data could be gathered under the legislation and by which bodies. It ensured that this power was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. Clause 13 and its related schedule fly in the face of this very deliberate policy in the original Act, and overturn Parliament’s careful deliberation of the point.
Will the Minister confirm which bodies will have their powers restored under this legislation? Which of those bodies have reported a significant reduction in their ability to perform statutory functions as a result of the IPA? Have some bodies been more effective than others? Might it be possible and appropriate to significantly pare back this list of organisations?
At present, the case has not been made. We need to be satisfied that these powers are given to those bodies which cannot adequately function without them. It cannot be the case that some are simply given these powers back by default. I am prepared not to take this amendment to a vote if the Minister can assure the House the Government will bring forward their own amendment, which restores these powers in a more limited and targeted way.
The next stand part notice is consequential on that one being taken.
I move on to Amendments 21, 22, 24 and 26. These seek to remove the ability of the agencies to internally authorise the use of a new broader power to obtain internet connection records for target discovery. The agencies would instead be required to seek approval from IPCO, thereby creating an element of independent judicial oversight.
As I noted previously, Clause 14 creates a new broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position, removing the current demand that the exact service used and the precise time of use be known. Instead, the agencies will be able to obtain ICRs to identify which persons or apparatus are using one or more specified internet services in a specified period—a far broader formulation.
After consideration of the relevant classified evidence, the ISC agrees with the intent. However, the newly expanded power is potentially very intrusive. It allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time and could, therefore, potentially intrude on a large number of innocent people. Parliament must therefore ensure that there are appropriate safeguards in place.
The ISC acknowledges that there are safeguards in place relating to the obtaining of ICRs. However, in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded power internally. They make the assessment as to whether it is necessary and whether it is proportionate. There is no independent oversight of the agencies’ assessment.
The Government may argue that the ability of the agencies to authorise use of this power internally replicates the existing provisions when authorising the obtaining of ICRs for target discovery or target development. They will also no doubt refer to how the noble Lord, Lord Anderson, said in his report that “arguably” the potential intrusiveness of this newly expanded target detection power is no greater than the existing provisions for obtaining ICRs.
In the ISC’s view, the new provision—which is considerably broader than the existing target discovery power, removing the need to know the exact service used and the precise time of use—is significantly more intrusive than existing provisions. Consequently, greater oversight is required to ensure that the power is always used appropriately. This is not because we expect the agencies to act in bad faith but because independent oversight is essential, acting as a counterbalance to the intelligence community’s intrusive powers and providing vital assurance to Parliament and the public.
This amendment and the two linked Amendments 24 and 26 therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO in order to authorise the obtaining of ICRs under this new broader power.
Incorporating this independent judicial oversight would ensure that use of this power is always necessary and proportionate and strikes the right balance between security and privacy. It also aims to minimise any burden on the agencies. It does not, for example, incorporate the “double lock” mechanism, which is used for the most intrusive powers under the Investigatory Powers Act.
We recognise that the Government may wish to bring forward their own amendment to include provision for urgent cases; therefore, I do not propose to move this amendment to a vote at this stage. It should, however, indicate to the Government the ISC’s firm view that independent judicial oversight in this area is essential.
I will say a little more about Amendment 22. This amendment seeks to limit the purposes for which the new, broader target discovery power, which has been introduced under Clause 14, could be used. Clause 14 creates a new, broader power for the agencies, and the NCA, to obtain internet connection records for the purposes of target discovery. Target discovery is a great deal more intrusive than target development, potentially intruding on the privacy of a great number of innocent individuals. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, and that it is tightly drawn and properly overseen.
Currently, in order to obtain ICRs for target discovery, the agencies must unequivocally know the precise service used and the precise time of use by the unidentified individual. It is, therefore, very tightly drawn. The new target discovery power removes these requirements, allowing the agencies to obtain ICRs to identify which persons or apparatuses are using one or more specified internet services in a specified period. Noble Lords will recognise how potentially broad this is by comparison.