Investigatory Powers Bill (Eighth sitting) Debate
Full Debate: Read Full DebateDepartment: Home Office
Christian Matheson
Main Page: Christian Matheson (Independent - City of Chester)Department Debates - View all Christian Matheson's debates with the Home Office
Investigatory Powers Bill (Eighth sitting)
Christian Matheson ExcerptsTuesday 19th April 2016
(8 years ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 19 April 2016 - (19 Apr 2016)
Christian Matheson (City of Chester) (Lab)
I am delighted to see you back in the Chair, Ms Dorries, as I break my couple of sessions’ silence; it is always very reassuring. I certainly do not wish to keep the Committee here all night, but I will reiterate a point that I made earlier in our considerations, and that relates to the retention of certain data. As my hon. and learned Friend the Member for Holborn and St Pancras pointed out, we understand the need for data retention. However, on looking at the Bill, I am still not entirely satisfied that the Government have taken into account the need for additional security for data retention.
I look to the Minister for reassurance that, when telecommunications and internet providers and suchlike are obliged to retain data, there is a consequent obligation on them to maintain it securely. We know that several such providers have problems with internet security: we saw that with the TalkTalk hack, and we believe another large provider has been hacked recently. Those attacks were on personal data; the Solicitor General and I have had exchanges in this room about the potential for charging them as theft—about whether the sanctions against somebody who committed that offence would be contained in existing legislation.
This part of the Bill needs to look at obliging or maintaining a minimum acceptable level of security, to provide security and privacy for people whose data may have been accepted. I realise that it might not necessarily be covered in detail in the new clause, but now might be a good time for the Ministers to consider whether they believe internet security and the security of personal data held under the terms of clause 79 should be considered in the Bill. Do they believe guidance should be given to telecommunications providers to maintain that security, or do they feel that it is not relevant and that they are quite satisfied with the status quo? I must say that I am not. Notwithstanding the need for the retention of individual data, as described so eloquently by my hon. and learned Friend, it remains a major concern of mine that individual privacy and data are at risk: it puts a question mark over the whole clause and over the areas we are discussing.
The Solicitor General
I am grateful to hon. Members for a wide-ranging debate. I would first like to reiterate on behalf of the Government the position adopted by the Joint Committee on the draft Investigatory Powers Bill, which quite clearly indicated its conclusion that the case was made for a retention period of up to 12 months for relevant communications data. In the report from David Anderson QC, “A Question of Trust”, recommendation 14 is:
“The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year”.
There we have it: the Government are acting upon the specific endorsement of an independent reviewer and a Joint Committee of this House. There is an element of the waving of the proverbial shroud when it comes to the retention of data, because the word “relevant”, which is contained in the second line of clause 78(1), is the governing word here. It is very important to remember that this is not carte blanche for the Secretary of State to authorise communications service providers to retain everything for 12 months. That is not the case. Where there is no case of necessity and proportionality for a 12-month period, a shorter period must be adhered to. Indeed, if the material is not relevant, it falls outwith the ambit of any such authorisation.
I reassure the hon. Member for City of Chester, who makes quite proper points about the integrity of data, that he is right to make them. That issue affects all those in this room and beyond. He is also right to allude to the criminal law. I reassure him that communications service providers have to comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which together contain those requirements that the data is appropriately secured. When he has the time—which I am sure is as precious to him as it is to the rest of us—chapter 16 of the draft communications code of practice contains an entire set of provisions relating to the security, integrity and, indeed, destruction of retained data, which very much underpin the principles of why CSPs have to operate and will give him the reassurance that he properly seeks about the position with regard to individual data and people’s privacy.
Data retention legislation has existed in this country since the Anti-terrorism, Crime and Security Act 2001, which allowed the Secretary of State to enter into voluntary agreements with telecommunications operators so that they could retain data that otherwise would be deleted. The Data Retention (EC Directive) Regulations 2007 were the first piece of data retention legislation that provided for the Secretary of State to require the retention of such data. We currently have DRIPA 2014 and the data retention regulations of that year. We hope to replace those with the provisions in the Bill. A very important point is that there is nothing new about these proposals. Our data retention legislation has always had the Secretary of State involved in the process and there are very good reasons for that. It has worked successfully until now. As I have indicated, it has been recommended to us by David Anderson.
The amendments that have been tabled seek to drive a coach and horses through all of that. There is a simple and blindingly obvious reason why we wish to maintain the system of data retention. For example, when a crime happens or a child goes missing, it is impossible to know in advance which data would be relevant in any subsequent investigation. It is therefore important that we require the retention of all relevant communications data that matches a certain description wherever it is necessary and important. Because it is impossible to know which data will be the most relevant in advance of any crime, it is impossible to know whether a specific piece of data will be of value to MI5 in locating a terrorist, for example, or to the National Crime Agency in identifying a paedophile, or for any other legitimate purpose. For that reason it does not make sense for those authorities to apply for retention warrants individually. What makes sense is for the requirement of all relevant public authorities to be considered together. The person best placed to do that is the Secretary of State. Public authorities set out their requirements for data retention to the Home Office and they are then carefully considered. As they usually overlap, the Secretary of State is able to identify the specific telecommunications operators and specific data types that it is necessary and proportionate to make subject to data retention notices. As the full costs of data retention are covered by the Secretary of State, only he or she can decide whether or not the benefits of data retention are proportionate to the costs.
There has been some discussion about cost again today. The £170 million figure is based on the cost of our anticipated implementation, which takes into account data that is already obtained under existing legislation. We noted the evidence of BT when it talked about the costs being dictated by its implementation approach, and we continue to discuss implementation with those communication service providers likely to be inspected. Whatever the final cost, however, the important underwriting by the Government is a vital factor in giving reassurance to the industry, not only on the practicability of these measures, but on the importance therefore of involving the Secretary of State.
My worry is that if we went down the road proposed by the amendments, we would end up with a rather confused system that would not allow for the overall benefits of retaining a particular type of data, because the judicial commissioner would only ever be able to consider the benefits to the particular public authority applying for a warrant. It would therefore be impossible to judge the overall necessity and proportionality of requiring a particular company to retain a particular dataset.
We have heard about new clause 10 and its provisions. Given that it is impossible to predict in advance what data would need to be retained, this approach relies on data being retained only after a crime has been committed and/or an investigation has begun. Preservation only works if the data are there to preserve and it is of limited benefit without an existing retention scheme. Without data retention, data protection rules require that the data that are no longer needed for business purposes must be deleted. Without data retention, the data that are needed would not exist. Therefore, the regime of warrantry—the double lock, indeed the proposals put forward by Opposition Members—none of it would matter, because the material would not be there. That is particularly relevant when it comes to the increasing move of criminals and their ilk away from conventional telecommunications to the internet and internet connections.
A number of reports published by the EU Commission show the value of communications data and why the concept of data preservation, as envisaged in new clause 10, is not a viable alternative. In a Europe-wide investigation into online child sexual exploitation, of the 371 suspects identified here in the UK, 240 cases were investigated and 121 arrests or convictions were then possible. Of the 377 suspects in Germany, which does not have a data retention regime, only seven could be investigated and no arrests were made.
I have explained why the existing data retention regime that the Bill replicates is the appropriate model. May I deal with the change proposed by a set of amendments that involve changing the word “may” to “must” in clause 78(2)? That would require a data retention notice to cover certain issues. I am sympathetic to the aim of the amendment, because I am in favour of specific requirements, but the amendment is misconceived because subsection (7) already requires that a retention notice must specify the operator to whom it relates, the data which are to be retained, the period of retention, the requirements and restrictions imposed by the notice, and information on costs. Subsection (2) sets out the scope of what a notice may require and subsection (7) requires that the notice must make clear what is required. The two subsections are therefore aimed at different things.
The effect of this amendment would be to require a notice to cover issues that it might not have any reason to cover. For example, a retention notice may
“make different provision for different purposes”.
With respect, it therefore does not make sense to say it must make different provision for different purposes, because a notice may not relate to those different purposes. I would argue that there is therefore nothing to be gained by moving these amendments. That is all I wish to say, but for those reasons I urge hon. Members to withdraw the amendments.
Keir Starmer
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 80 ordered to stand part of the Bill.
Clause 81
Data integrity and security
Question proposed, That the clause stand part of the Bill.
Christian Matheson
I seek the Minister’s guidance. Throughout our considerations, I have spoken of my fears whether data held under this Act are held securely. I hope that clause 81 will address many of my fears; I seek the Minister’s advice on whether it lays responsibility on communications providers to maintain those data securely. I simply reiterate my concern that when theft does take place, there has to be a consideration of an offence of unlawful possession of stolen data, on the basis that the communications provider that has suffered the theft would also be legally responsible for that theft when the provider is in fact a victim of the theft itself. Bodies that seek to obtain illicitly a person’s private communications data may try to make financial gain as a result. Is the Minister confident that clause 81 gives me the kind of assurances that I have been looking for on internet security? Is there sufficient deterrent, in terms of possession of unlawfully obtained data, that might be included later in the Bill?
The Solicitor General
The hon. Gentleman has been consistent in stating his concerns. I assure him that clause 81 contains the sort of requirements that he would reasonably expect. It sets out the matter clearly. It should be read in conjunction not only with other legislation that I have mentioned, such as the Data Protection Act 1998 and the Privacy in Electronic Communications Regulations 2003, but with clause 210, which provides for the Information Commissioner to audit the security, integrity and destruction of retained data, and the codes of practice to which I referred earlier. The provisions in the communications data draft code of practice go into more detail about the security arrangements.
We had a discussion some days ago about the existence of adequate criminal legislation. The Bill has a number of provisions that relate to those who hold data, and we discussed whether existing legislation could cover those who come into possession of the data unlawfully. I say to the hon. Gentleman that I will take the matter away and consider it, and come up with a proper considered response to his query.
Question put and agreed to.
Clause 81 accordingly ordered to stand part of the Bill.
Clauses 82 and 83 ordered to stand part of the Bill.
Clause 84
Enforcement of notices and certain other requirements and restrictions