Investigatory Powers (Amendment) Bill [ Lords ] (First sitting) Debate
Full Debate: Read Full DebateDan Jarvis
Main Page: Dan Jarvis (Labour - Barnsley North)Department Debates - View all Dan Jarvis's debates with the Home Office
(8 months, 3 weeks ago)
Public Bill CommitteesIt is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.
Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
It is good to see you in the Chair, Mrs Cummins.
I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.
I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.
The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.
When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.
What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.
The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.
It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Low or no reasonable expectation of privacy
I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—
“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”
This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.
With this it will be convenient to discuss amendment 21, in clause 2, page 3, line 34, at end insert—
“(4) By way of example, bulk datasets of images obtained by CCTV and bulk datasets of Facebook posts are not to be considered datasets where the individuals to whom the data relates could have no, or only a low, reasonable expectation of privacy.”
Probing amendment regarding the scope of “low or no reasonable expectation of privacy”.
May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.
We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.
I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?
The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.
Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.
Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.
Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), which has been shared with us all:
“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”
That is the question that we are getting at here.
The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it difficult to grasp the concept or even understand how the test to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.
Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.
Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.
My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.
It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.
This amendment is consequential on Amendment 23.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—
“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”
This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.
With this it will be convenient to discuss amendment 38, in clause 2, page 11, line 21, at end insert—
“(1A) The report provided under subsection (1) must include an annex listing the bulk datasets retained or retained and examined under each category authorisation granted during the relevant period.”
This amendment would require information about the scale and nature of use of category authorisations to be provided to the Intelligence and Security Committee.
The issue of closing the gap between adding a bulk personal dataset to an existing category authorisation was raised on Second Reading by my right hon. Friend the Member for North Durham, who has a long-standing interest in these matters. I agree with the argument he made on Second Reading and the simple solution he proposed to close the gap: a one-line email to the Investigatory Powers Commissioner as soon as reasonably practical.
Any such email would not be seeking real-time approval and would not necessarily be reviewed by the Investigatory Powers Commissioner in isolation, but rather as part of a wider trend of what is being added to existing category authorisations. Labour does not seek to create additional work for the men and women who serve in our police and security services. On the contrary, a simple arrangement —to send a single-line email—would enhance wider oversight arrangements, while keeping extra requirements for the police and security services to an absolute minimum. In response to my right hon. Friend on the matter on Second Reading, the Minister said the IPA 2016
“allows the collection… with prior authorisation”
and that
“This is intended to speed the process up.”—[Official Report, 19 February 2024; Vol. 745, c. 556.]
We do not intend to slow the process down through the amendment, as any such notification would be made after it had happened. I therefore ask the Minister whether the problem is the act of notifying the Investigatory Powers Commissioner as soon as reasonably practical, or the potential volume of notifications, that mean he deems it an unworkable arrangement. I would appreciate if he could be as open as possible in answering those questions. If the Government do not accept the amendment, perhaps a conversation could take place between my right hon. Friend the Member for North Durham, the Minister and myself to agree a practicable solution.
As my hon. Friend the Member for Barnsley Central said, I raised the matter on Second Reading. In no way do I or other members of the ISC want to slow down the process or give more work to the hard-working men and women of our security services. However, as I understand it, the only reason put forward by the Government was that it would impair operational agility.
The amendment proposes, and what I proposed, is not for the security services to go through an authorisation, as my hon. Friend just said; it is literally an email saying, “This is what we are doing.” Members might ask why that is important. It is important because we are giving the security services new powers in the Bill and for IPCO to be informed in real time. I accept the retrospective look at them, but at least if there was a trend, we could see it.
The Government have also tried to argue that there is no need for more oversight because it is a low or no dataset, much lower than those governed by the existing section 7 of the IPA. We have just had the argument about the definition of “low” and “no”, but it means that we are giving the security services additional powers here. I am not for one minute suggesting that the internal protocols within those security services will lead to things that are just a free-for-all, as some might suggest, but it gives that assurance that there is oversight of what is happening in real time.
If we were asking for authorisation of each one, I would accept that it would be too burdensome and would slow down the process, but this is literally a one-line email so the IPCO knows what is needed. I do not understand why the Government are resisting that, except that—let us be honest, Minister—we have form on this. With the National Security Bill, there was an idea that it would be a weakness on the Government’s part to accept any amendments from the ISC. However, there was one slight change made with Lord West’s amendment, so there is possibly a change of attitude. I accept that the Minister respects the ISC—I am not sure it is the same for many people higher up in Government. But that should not be a reason not to accept this very simple amendment, which I think would give people reassurance that there is some real-time oversight of this. If an election was called in the next few weeks, this Bill—
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.
The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation —a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.
I have nothing further to add, other than to beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 2 ordered to stand part of the Bill.
Clause 3
Duration of bulk personal dataset warrants
Question proposed, That the clause stand part of the Bill.
I thank my right hon. Friend. Clause 3 amends the duration of bulk personal dataset warrants under section 213 of the IPA from six to 12 months. BPDs tend to be used to support long-term strategic intelligence activities, and a longer warrant duration will enable the value of the BPD to be better demonstrated, which will provide the relevant Secretary of State with a more accurate picture of the necessity and proportionality when an application for renewal is made. The existing part 7 safeguards will remain in place, including the double lock by the judicial commissioner.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4 ordered to stand part of the Bill.
Clause 5
Third party bulk personal datasets
I beg to move amendment 16, in clause 5, page 14, line 34, at end insert—
“(4) A third party BPD warrant may not authorise the examination of a dataset consisting of the contents of the marked electoral register.”
This amendment would prevent a third-party bulk personal dataset consisting of the electoral register, which sets out whether people have voted, from being examined by the intelligence services.
Amendment 16 relates to third-party BPDs, specifically the use of the marked electoral register, which is a copy of the electoral register usually arranged by a polling station area or ward with names crossed off to indicate who has voted. Copies are available for political parties to buy from local authorities and add to their records, which aid with canvassing and voter engagement on the basis that a person who has previously voted has a higher propensity to vote again, and for that purpose alone.
Compared with the electoral register, the marked electoral register contains a record of individuals who have exercised their democratic right at the ballot box. The Opposition understand entirely that it would be appropriate for copies of the marked electoral register to be examined in an investigation into electoral fraud. Any attempts to undermine our democratic process must be dealt with with the utmost seriousness. However, we do not believe that it is appropriate or proportionate for information relating to voting records, contained in such documents, to be authorised as a third-party BPD. That could establish links between individuals or better understand a subject of interest’s behaviour.
More widely, we have concerns about records of democratic activity, such as any relating to trade union membership, being examined as a third-party BPD. Does the Minister agree that copies of the marked electoral register should be used to defend and strengthen our democratic processes, and for those purposes alone, and that safeguards should be in place to protect other data relating to democratic activity from being examined as a third-party BPD?
I thank hon. Members for their points. The examination of third-party bulk personal datasets by the intelligence services is vital to their role of protecting the national security and economic wellbeing of the United Kingdom and preventing and detecting serious crime.
Clause 5 places an explicit statutory regime around the intelligence services’ examination, in situ, of bulk datasets held by third parties. The regime would apply only to the intelligence services, in line with the wider part 7 BPD powers in the IPA. The clause puts in place robust oversight and safeguards. For example, third-part dataset warrants are to be subject to a double lock, and the decision to authorise the warrant will need to be approved by both the Secretary of State and an independent judicial commissioner. The Investigatory Powers Commissioner and his office will oversee the regime to ensure the intelligence services’ examination of third-party datasets is both necessary and proportionate. That relates to the point made by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East about proportionality and need.
To answer the point made by the hon. Member for Barnsley Central, we do not consider it appropriate to exclude specific types of dataset from those for which a third-party dataset warrant can be sought. The reason is, as he knows, that we can begin to go down very tricky routes on this area, as the intelligence services have a requirement to keep safe not just our democracy but our wider nation. Therefore, limiting those different arguments can be problematic. What we are aiming to do is ensure the proportionality requirement is the test applied by both judicial commissioners and the Investigatory Powers Commissioner.
The Secretary of State may issue a warrant authorising the examination of a third-party dataset only where it is necessary and proportionate—that is going to be quite a high bar in some of the areas asked about—for the intelligence service to examine the dataset to which the warrant relates. That decision will be double-locked by an independent judicial commissioner who, among other things, is required expressly to review the Secretary of State’s conclusions in respect of necessity and proportionality when deciding whether to approve the decision to issue a warrant. That is already in the Bill. Each decision will be made on a case-by-case basis and will be subject to prior judicial approval.
I am grateful for the Minister’s response. I have to say, I am struggling to think of a scenario in which it might be necessary and proportionate to examine the marked electoral register. This is something we will reflect on.
I broadly support the Minister’s view of this, but the easiest way to establish the case for this is to be clear about its operational purposes. Clearly, one would not expect the Minister or the agencies to speak about the specifics of operations, but dealing with the operational purposes would help the shadow Minister and the Committee. I am sure the Minister would be happy to do that in broad terms, either now or in writing. It would be really helpful to go through the kinds of operational purposes associated with this inquiry. I do not know what the Minister and the shadow Minister think, but that is how I see it.
That is a helpful and useful suggestion. I am happy to proceed on that basis, if the Minister is.
On that basis, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 5 ordered to stand part of the Bill.
Clause 6
Minor and consequential amendments
Question proposed, That the clause stand part of the Bill.
Clause 6 makes minor amendments to the 2016 Act to reflect the introduction of parts 7A and 7B, including making it clear that the Investigatory Powers Commissioner is responsible for oversight of the part 7B regime.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Ordered, That further consideration be now adjourned. —(Scott Mann.)