Investigatory Powers Bill (Eighth sitting) Debate
Full Debate: Read Full DebateGavin Newlands
Main Page: Gavin Newlands (Scottish National Party - Paisley and Renfrewshire North)Department Debates - View all Gavin Newlands's debates with the Home Office
(8 years, 7 months ago)
Public Bill CommitteesI cannot double check on my feet, but that sounds like the further evidence that was put before the Joint Committee when it was in the middle of its deliberations. In fairness, the Home Office did go beyond websites to include some, maybe all, of the matters to which the hon. and learned Lady just referred.
The way this will operate in practice is a cause of real concern. The Secretary of State, without the double check of a judicial commissioner, and operating against a low-level threshold—clause 53(7)—can issue a retention order that will permit the retention of a record of all the websites that somebody has visited. That record will then be kept for 12 months, albeit with a different test if it is to be accessed later.
The amendments—I think you have called them the first set of amendments, Ms Dorries—are intended to construct in the first instance a different framework around this power, because it is so extensive, and put it in the hands of a judicial commissioner rather than the Secretary of State. That would provide a greater safeguard in relation to clause 78, with independent oversight through the function of the judicial commissioner. Alternatively, amendments 152, 153 and 222 would give the Investigatory Powers Commissioner some oversight. In other words, the intention behind these amendments is to put some rigour and independence into the exercise of what is a very wide power that, in fact, is the starting point for the exercise of all the other powers under the parts of the Bill that we are now concerned with.
Anxiety has been expressed on a number of occasions about cost. Huge amounts of data could be required for retention under clause 78. The Government have estimated the cost at £170 million. That is considered to be a gross underestimate by those who will no doubt be called upon to actually retain the data. For those reasons, these amendments are intended to tighten up a clause that is very wide and very loose. It permits a huge amount of data to be retained, including websites visited by you, by me, or by our constituents.
It is a great pleasure to rise as part of this ongoing scrutiny, and to offer my hon. and learned Friend the Member for Edinburgh South West brief respite in this Committee. It is also a great pleasure to serve under your chairmanship, Ms Dorries. It is great to follow the hon. and learned Member for Holborn and St Pancras, who in his customary fastidious and engaging manner has covered in a short space of time all the aspects of many amendments. Some of that bears repeating, and I will speak to new clause 10, which is tabled in my name and that of my hon. and learned Friend the Member for Edinburgh South West.
My hon. and learned Friend spoke at length about the important role that the judiciary, in the form of judicial commissioners, should bring to this process. We do not think it is good enough that the Bill only proposes to use judicial commissioners to review the process used by the Secretary of State in making a decision. The Government may claim that it is important that the Home Secretary retains the power to issue retention notices to internet service providers, as it will ensure that democratic accountability is a salient feature of the process, but I do not accept that to be the case. In fact, I would argue that because of the political arena that any Home Secretary operates in, it is right that this power is handed to and delegated to an independent official such as a judicial commissioner.
It is also worth noting that we know very little of the various notices that the Home Secretary issues, and as such there is no possible opportunity to hold her to account for them. Building the role of judicial commissioners into this part of the process will help to ensure that we have appropriate checks and balances when it comes to the retention of communications data. This is vitally important, because it is the proper constitutional function of the independent judiciary to act as a check on the use of intrusive and coercive powers by state bodies, and to oversee the application of law to individuals and organisations. Liberty rightly points out that judges are professionally best equipped to apply the legal tests of necessity and proportionality to ensure that any surveillance is conducted lawfully.
I turn now to new clause 7. Schedule 4 provides a lengthy list of bodies that are able to access or retain data, including several Government Departments, such as the Department for Transport, and a range of regulatory bodies, such as the Food Standards Agency and the Gambling Commission. This suggests that access to communications data may be allowed for a range of purposes which may be disproportionate and inconsistent with the guidance offered by the European Court of Human Rights.
I draw the hon. Gentleman’s attention to clause 79, which we are not debating at the moment but which is directly relevant to the point he made about proportionality. Clause 79(1)(a) states:
“(1) Before giving a retention notice, the Secretary of State must, among other matters, take into account—
(a) the likely benefits of the notice”.
To me, that would be a pretty strong way of enforcing proportionality. Yet the hon. Gentleman is in his peroration claiming that that would not be taken into account, or not sufficiently so.
I am grateful for the Minister’s intervention. I appreciate that that is a safeguard, but we must ask whether those Departments should be getting access in the first place.
I do not want to be unnecessarily brutal with the hon. Gentleman, but either he is making an argument about proportionality or he is not. If he is saying that nothing is proportional, then it should not happen at all, that is hardly an argument about proportionality. Those of us who take a more measured view of these things are considering whether such collection and access to data are proportionate. Proportions by their nature require an assessment of balance, do they not? Yet the hon. Gentleman is suggesting that the scales are weighted all on one side.
The Minister did not actually address why these Departments need access to these data in the first place. I appreciate the point that he is making, but these Departments should not, in my view, require access to this information.
The Minister talked about the duty to take into account the likely benefits of the notice, but does my hon. Friend agree that something may be beneficial without being necessary?
I agree with my hon. and learned Friend. We are not opposed to every measure in the Bill. There are benefits, but unfortunately they are not covered by enough safeguards and are not drawn tightly enough. I would like to make progress but I will give way once more.
I apologise if I missed the hon. Gentleman outlining the Departments, but could he tell me which ones should be excluded and not have access to this?
That has been dealt with at length. I have already mentioned the Food Standards Agency as one of the regulatory bodies. Schedule 4 does currently provide a lengthy list of bodies that should be able to access the data. New clause 7 would ensure that only the police forces and security agencies may request a communications data warrant, except where the warrant is issued for the purpose of preventing death, in which circumstances emergency and rescue services also fall within the definition.
New clause 10 outlines the requirements that must be met by warrants.
As, for example, the Food Standards Agency cannot itself bring a prosecution, may I conjure in the hon. Gentleman’s mind a situation whereby a criminal gang, as part of its activities, seeks to bring into the United Kingdom for sale to the British public a contaminated food source? Is that not something to which the Food Standards Agency should have access to information in order to ensure that citizens and consumers are safe?
I understand the hon. Gentleman’s point, but surely the police would be interested in that scenario and would have access.
In the abstract—by golly, isn’t this debate being held in the abstract?—the hon. Gentleman is absolutely right, but we invest the powers with the agency. The police are not an infinite resource. If we have the many who are charged with multiple areas of our lives—
These powers are very large and we should limit who has access to them. The police can pass on the relevant information to the agencies that can deal with that particular incident, but in my view, only the police and security forces should have access. I want to finish my point on new clause 10 but I will allow one last intervention.
Order. May I just ask that interventions be kept short, please, or we will be here all night? Mr Newlands.
I appreciate what the hon. Lady says but, as I am not a lawyer, I am struggling to distinguish the difference between Scottish and English law. Perhaps my colleague could address that.
My hon. Friend will no doubt agree that, in Scotland at least, it is the police who investigate serious crime, under the direction of the Lord Advocate.
The point has been dealt with, and I think we need to move on. The effect of new clause 10 —[Interruption.] I will finish, amid the chuntering. These new clauses require data retention notices to be issued only for specific investigative or operational purposes, to obtain specified data where those data are believed to be of substantial value. We do not believe, however, that the role of communications data in the investigation of crime justifies the Secretary of State’s mandate for blanket retention of historical communications data for the entire population for 12 months.
Clause 78 is important for all the reasons that I have set out, but at this stage, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 303, in clause 78, page 61, line 12, leave out—
“of all data or any description of data”
and insert
“of specified relevant communications data”.
With this it will be convenient to discuss the following:
Amendment 304, in clause 78, page 61, line 14, leave out paragraph (2)(d).
Amendment 305, in clause 78, page 61, line 16, leave out paragraph (2)(e).
I will not detain the Committee for too long; these issues have already largely been addressed. Amendments 304 and 305 seek to remove paragraphs (d) and (e) from clause 78(2). In a Bill replete with vagueness, those two subsections stand out as being particularly vague. The new clause that I will come to in a moment would require a data retention notice—or warrant, as we would wish—to be issued only for a specific investigative or operational purpose. The SNP has tabled amendments that will bring greater clarity to when and why a warrant would be issued.
As we know, communications data are defined as data that would be used to identify, or assist in identifying, the who, where and how. However, instead of allowing a blanket surveillance approach that treats everyone as a suspect, the amendments would allow the police to apply to a judicial commissioner for targeted retention warrants, in which data are required for the purposes of a specific investigation into serious crime, or for the purpose of preventing death or injury. I trust that these amendments are acceptable to the Government.
I rise to address the concerns of the hon. Gentleman. It is good to hear from him; I should have said that during the last group. He has made the point about his concerns of vagueness. However, I would argue that it is very important that a notice can have a degree of flexibility within it, because a single telecommunications operator may provide a number of different communications services, such as mobile telephony and internet access. However, there may be different complexities and sensitivities about the different types of communications data that are generated by those services. Considerable preliminary work is carried out between the Government and telecoms operators in advance of the service of a retention notice. That covers a number of issues, including the type of data that will be retained, the complexities of the operator’s systems, and the relevant security requirements. Flexibility is needed to ensure that the notice can appropriately reflect those issues, and that it imposes the minimum requirements necessary to meet the operational requirements.
What we are counter-intuitively getting at is to make sure that there is necessary give and take within the system to prevent what the hon. Gentleman and I would regard as an overweening approach from the Secretary of State, which would impede the ability of communications service providers to carry out their operations. For that reason, I respectfully urge him to withdraw the amendment.
I hear what the Solicitor General has said, but I do not wholly agree with him. I reserve the right to bring this back at a later stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I beg to move amendment 306, in clause 78, page 61, line 18, at end insert—
‘(2A) A retention notice may not require a telecommunications operator to retain any data belonging to a third party data, unless that third party data is retained by the telecommunications operator for their own business purposes.”
I beg to move amendment 317, in clause 78, page 61, line 34, leave out “(or description of operators)” and insert “or operators”.
With this it will be convenient to discuss the following:
Amendment 315, in clause 78, page 61, line 37, leave out “(or description of operators)” and insert “or operators”.
Amendment 319, in clause 78, page 61, line 42, leave out “(or description of operators)” and insert “or operators”.
Amendment 328, in clause 79, page 62, line 33, leave out “(or description of operators)” and insert “or operators”.
Amendment 338, in clause 80, page 62, line 42, leave out subsection (3).
Amendment 361, in clause 83, page 64, line 16, leave out “(or description of operators)” and insert “or operators”.
Amendment 374, in clause 83, page 65, line 1, leave out “(or description of operators)” and insert “or operators”.
Amendment 375, in clause 83, page 65, line 8, leave out “(or description of operators)” and insert “or operators”.
The SNP has tabled the amendments to provide for clear, appropriate and limited grounds on which data retention warrants may be issued. The amendments require that the data to be retained are specified and that organisations served with warrants to retain communications data should be identified rather than merely described.
Amendments 315 and 317 affirm that organisations that have been served a notice or warrant to retain the communications of their customers are properly and explicitly identified. The term “description of operators” is far too vague and we urge that it is changed to “or operators”. Amendment 328 ensures that those organisations are defined and named before a retention notice can be issued. Amendment 338 removes the possibility of the Home Secretary being able merely to describe the telecommunications operators that she wants to target. Amendments 361, 374 and 375 provide the basis for a concrete description to be included when there is any variation of a notice.
The amendments attempt to bring to the Bill some clarity, which is sadly lacking. It is not good enough that the Home Secretary can sign a notice that merely describes who is impinged on or directly affected by these intrusive powers, because that approach opens up the space for the powers to be abused. We need to act to ensure that, as much as possible, we operate a targeted approach.
I understand the purpose behind the amendment in that, in the opinion of the hon. Member for Paisley and Renfrewshire North, it would ensure greater specificity in the giving of notices. However, I shall give a brief example of what a “description of operators” might be. With this provision we would have been able to give the same retention notice to all wi-fi providers supplying wi-fi to the Olympic park in London during the 2012 Olympics. In these circumstances the operators are providing precisely the same kind of communications service and the data required to be retained are the same. Whether a notice relates to a description of operators or to a single operator, it can only contain what the Bill’s provisions allow and the Secretary of State must consult with the operators to which it relates. Operators also have the opportunity to refer the notice back to him or her in relation to any aspect of it. Therefore, on that basis, I invite the hon. Gentleman to withdraw his amendment.
I am content to withdraw the amendments at this stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I rise to speak to amendment 152, in clause 78, page 61, line 36, at end insert “, and
(c) only when approved by the Investigatory Powers Commissioner.
(5A) In deciding whether to approve a notice, the Investigatory Powers Commissioner must determine whether a notice is—
(a) that the conduct required by the notice is necessary for one or more of the purposes in section 53(7); and
(b) that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct.”
I beg to move amendment 320, in clause 78, page 62, line 13, leave out subsection (9) and insert—
“(9) In this Part ‘relevant communications data’ means—
(a) communications data of the kind mentioned in the Schedule to the Data Retention (EC Directive) Regulations 2009 (SI 2009/859), or
(b) relevant internet data not falling within paragraph (a).
(9A) In this part ‘relevant internet data’ means communications data which may be used to identify, or assist in identifying, the sender or recipient of a communication (whether or not a person).”
Thus far while debating the clause we have covered providing for the judiciary, in the shape of judicial commissioners, to issue data retention warrants rather than notices, and removing the Secretary of State from the role, making it clear on the face of the Bill who is eligible to apply for a warrant; limiting the grounds for the issuing of warrants; ensuring that all targets are identified and not described; and that the data to be retained should be specified. The fact that we in opposition have had to table so many amendments highlights the main problem in the drafting of the Bill: vagueness. The Bill is wholly lacking in specificity and clarity and nothing highlights that more than the issue of internet connection records.
As trailed by my hon. and learned Friend the Member for Edinburgh South West during the debate on clause 54, the SNP has significant reservations about the provisions on internet connection records as drafted in the Bill. Not only are the definition and legality of the provisions unclear, but the Government's case for ICRs has simply not been made. Amendment 320, which stands in my name and that of my hon. and learned Friend, would effectively remove ICRs from the Bill and replicate the Data Retention and Investigatory Powers Act 2014 in its original form, to ensure that the definition of “relevant communications data” is consistent with current legislation. That will help provide the legal certainty and clarity that the industry needs to understand its legal obligations appropriately. At the moment the industry is having difficulty in understanding what exactly the Government want and require it to do. Although the industry is willing to work with the Government to try to implement their vision for ICRs, it does not know what ICRs are, and it looks as though the Government do not altogether know either.
Despite the significance of ICRs, very little detail about them has been provided, with the Government consistently saying that the detail can be worked out later. That lack of clarity is simply not good enough when the Government are asking us to sign off on legislation that will have a significant impact on the industry and impinge significantly on the right to basic privacy that our constituents, quite rightly, expect. Indeed, the Internet Service Providers Association says:
“The Investigatory Powers Bill deals with highly complex technical matters, however, our members do not believe that complexity should lead to a Bill lacking in clarity.”
I could not agree more. As has been mentioned already, the clearest definition of an ICR is not in the Bill itself but in the document “Operational Case for the Retention of Internet Connection Records” from the Home Office. That describes ICRs as
“a record of the internet services that a specific device connects to – such as a website or instant messaging application – generated and processed by the company providing access to the internet.”
A concrete definition of what specific data form an ICR, exactly who has access, precisely what for and exactly who must retain the data must be on the face of the Bill.
The Home Office may want to have a “flexible” definition, as typified in clause 54(6), but given that we are dealing with a Bill that may have the biggest impact on civil liberties than any other Bill for generations, that simply will not cut the mustard. The Intelligence and Security Committee helpfully referred to ICRs as providing information on the “who, when and where” of someone’s internet use. The Government claim that they have no plans to acquire the content of the said communications, but DRIPA and RIPA suggest that that does not matter, given that acquiring the sort of information that is going to be held under an ICR can provide important details on the date, time, location and type of communication used. Liberty suggests that ICRs will provide a detailed and revealing picture of somebody’s life in the digital age. That point was highlighted by the Information Commissioner when he said that ICRs can reveal a great deal about the behaviours and activities of an individual. In fact, Stewart Baker, former senior counsel to the United States National Security Agency, stated that it
“absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
Based on those statements alone, it is important to assess the proportionality and necessity of ICRs, but also question whether they are in accordance with the law. We live in a digital world and, quite rightly, our constituents place a lot of importance on their right to privacy as they use the internet. We accept that the security authorities need adequate powers to keep us safe and it is only proper that the Government consider what new powers they need for the digital age. However, like most people, I am deeply concerned about the complete lack of specifics about ICRs. In publishing such widely drafted legislation and telling the sector that the detail will come shortly, the Government are asking us all to trust them. They are asking us, as Members of this House, to pass and approve legislation without knowing what its full impact, costs or consequences—unintended or otherwise—will be. In effect, they are asking us to sign a blank cheque on much of the communications data powers. Is that really a proper and effective way to devise and develop legislation that has such civil liberty repercussions?
The SNP is not opposed to certain authorities having the power to obtain communications data or internet connection information critical to their investigations. We fully accept that some power is not only necessary, but crucial, for law enforcement in the 21st century. However, rather than a blanket collection of the websites that everyone in the UK has visited in the last 12 months, we prefer a specific, targeted solution. We agree that intercepting someone’s communication data can be an important part of any criminal investigation and it is important that we do that for those suspected of being engaged in criminal activity. There is an obvious difference, though, in intercepting the communications of those suspected of criminal activity and those of the vast majority of our constituents, who are, by and large, law-abiding citizens.
The Government are asking companies to hold and retain information on all the internet sites that an individual visits. It is unclear how much information the Government want those companies to hold, but it is clear that it is going to be a huge amount of data and we still do not know about the feasibility or costs involved. The sort of information that the Government want companies to retain could be sites that the person has mistakenly accessed; it could be a website that the person has spent only a few seconds on; it could also be an internet site that a person has accessed for deeply personal reasons, such as receiving advice on domestic violence or on health matters. Putting the sensitivity and privacy argument to one side, we need to consider whether the Government are going to have too much information at their disposal and thus, inadvertently, make it harder for our security services to complete their investigations.
During the evidence session I made a point about mobile devices always being connected to the internet via various apps, following a similar point made by the hon. and learned Member for Holborn and St Pancras. Those applications are constantly creating ICRs and that will increase as phones become even more advanced and able to process more information more quickly, with bigger memories.
It is unclear how many automatic ICRs are being created by my phone alone, but the Government are demanding that the various communications companies retain these ICRs for a period of 12 months. Conversations with people in the industry have shown that companies have yet to figure out how they will separate the automatic data that are generated through a third-party app from the data that are generated manually by a user. According to the definitions in the Bill, both will generate the same data, showing that the user has accessed an app and recording the date, location, time and so on of that use.
Another industry expert told me that a single app could generate up to 100 ICRs per minute—that is just one single app. I am unsure of the figures for over here, but in America there is an average of 27 apps on every smartphone. If it is the same in the UK, and taking into account the average number of apps and possible connections, this could lead to 2,700 ICRs per phone per minute, or 100,000 ICRs per phone per day. Well over 3 million ICRs could be generated just by the phones in this room. The third party app issue has been raised by the industry time and time again, but it has not been properly addressed by the Government. In evidence given to this Committee, the CEO of BT security, which has been working with the Government, said in response to the third party app issue:
“We are considering whether to propose an amendment to the Home Office on the third party data question, which is the case in point here, and how that should be approached. We think that the principle is that other providers who have that data are the ones who should be subject to it, and that it should be explicit in the Bill”.
I then pressed him on whether at the moment the Bill was not clear enough on that aspect. He replied:
“It could be clearer, and we are thinking about proposing an amendment specifically to over-the-top providers, making it clear that they are responsible for that”.––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 49, Q137-138.]
I have to say, if BT are unsure who is involved, how are the rest of the industry supposed to know? We have to ask whether or not it is necessary or proportionate for the Government to have information and data on the apps that I or anyone else has on their phone. Given these points, among others, I can understand why so many people are calling ICRs a Home Office solution to a police problem, instead of being a police solution to a police problem. This point was articulated during the evidence session by Sara Ogilvie of Liberty, who said:
“It seems clear that, given the bulk nature of these powers, they will not deliver that kind of information in a helpful manner. If anything, it seems more likely to drive criminals to use bits of the internet that will not be captured by the service”.––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 15, Q31.]
We also need to be mindful of the amount of information that we want to expose and the potential for this to be targeted by criminal hackers. When a similar plan to collect web logs was proposed in 2012, the Joint Committee on the draft Communications Data Bill concluded that it would create a
“honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states”.
This wealth of data in the wrong hands could be used for identity theft, scamming, fraud, blackmail and even burglaries, as connection records can show when internet access occurs in or out of the house, representing a daily routine. This is an unacceptable level of risk to inflict on innocent internet users. The Chair of the Science and Technology Committee said:
“There remain questions about the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers. The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs, which are confusing communications providers. This must be put right for the Bill to achieve its stated security goals”.
Furthermore, not to be outdone, the Joint Committee tasked with scrutinising the draft Communications Data Bill said in its final report that,
“storing web log data, however securely, carries the possible risk that it may be hacked into or may fall accidentally into the wrong hands, and that, if this were to happen, potentially damaging inferences about people’s interests or activities could be drawn”.
Surely with these warnings, which were issued by such influential and important Committees, the Government should have listened and addressed some of their concerns, but it would seem not. With regard to some of the case studies laid out in “Operational Case for the Retention of Internet Connection Records”, the likelihood of ICRs proving vital in identifying criminals has been questioned by ISPs and technologists. The justification for ICRs being helpful relies on the assumption that online criminals offend using a regular browser or public file sharing service on their own device, using personal internet connections, without employing the most basic of the widely available anonymity tools to avoid detection. The use of VPNs or Tor helps anonymise users of the internet. As such, ICRs will be unusable and, in fact, misleading where such privacy tools have been used. It is obvious for all to see that the more information that is retained, the greater the costs entailed to either the industry or the taxpayer.
When I spoke to people at TechUK last week, they explained that the introduction of ICRs will be a significant change to the industry and that all organisations will have to re-adapt to meet the new expectations and responsibilities that are being put on them. In addition, they are concerned about the new types of technology that they will need to install to allow them to cope with the new demands from Government. For example, they are concerned that many in the industry will have to install new filtering systems to help companies deal with the vast amount of data they now have to retain. It is difficult even to question the feasibility of such demands due to the limited information and detail provided by the Home Office.
This is the first speech I have made in this place that has required an intermission. It has been suggested that I start from the beginning as I cannot remember where I had got to. I am nothing but a crowd pleaser, Ms Dorries, but I have found the place where I left off, so I shall continue.
I was saying that the question whether the Bill is in accordance with the law is up for debate. If this part is left unchanged, Liberty and others suggest that it will be in conflict with human rights law, including breaching the EU charter of fundamental rights and freedoms. In July 2015, the High Court upheld its challenge and struck down sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014, finding them incompatible with the British public’s right to respect for private life and communications, and protection of personal data under articles 7 and 8 of the EU charter of fundamental rights.
In addition, we should be mindful that the challenge against DRIPA is ongoing and that the outcome will have an impact on whether this part of the Bill is lawful, although I suspect not. On that basis, I question whether ICRs will do the job the Government intend them to do. The Home Office has become entrenched with regard to ICRs and its fixation with them is clouding its ability not only to look at alternatives, but to assess whether ICRs are proportionate, necessary or in accordance with the law. The SNP believes that ICRs fail those three basic assessments.
I want to quote an unlikely ally, who, in 2009, said in Committee:
“Our consideration of the regulations comes against the backdrop of an increasingly interventionist approach by the Government into all of our lives, seemingly taking the maxim ‘need to know’ to mean that they need to know everything. Certainly, we need to know what the Government’s intentions are in relation to the creation of a new central database, which would create a central store of our electronic communications.”—[Official Report, Fourth Delegated Legislation Committee, 16 March 2009; c. 6.]
That ally was none other than the right hon. Member for Old Bexley and Sidcup (James Brokenshire), now Minister for Immigration at the Home Office, speaking in a Delegated Legislation Committee on an EC directive with very similar provisions to parts of this Bill. That statutory instrument was passed by the House, but notable opponents included Members who are now Scottish Secretary, Home Secretary and Minister for Security—the Minister in charge of this Bill.
We in the SNP are mindful of the evidence that has been presented and submitted to the Committee, but it is our opinion, backed up by case law, that the power to retain ICRs is incompatible with the right to privacy and the protection of personal data, and I urge hon. Members to amend the Bill and ask the Government to think again.
I am grateful to hon. Members for this important debate, which, although it relates to an amendment, inevitably strayed into what is, in effect, the stand part debate on communications data.
The hon. Member for Paisley and Renfrewshire North set out his case comprehensively, but his arguments relate to measures and proposals that are not before the Committee. We have moved a long way from 2009, and certainly from 2012, when the original draft Bill was considered by a predecessor Joint Committee. We are not in the situation where the Government will hold a centralised database. That sort of measure was rightly opposed by my right hon. Friend the Minister for Immigration and other of my hon. Friends at that time, because we are naturally suspicious of an organ of Government directly blanket-holding such data.
That is why this provision is not remotely like that. It does not contain anything like the provisions that the hon. Gentleman rightly cautions against, most importantly because the retention of that data is not in the hands of Government. That arm’s length approach is a key difference, which I am afraid undermines all the seeming quality of his argument.
Will the series of private databases under the Bill be any safer from hacking than a central Government database?
The hon. Gentleman makes a proper point about security. This, in respect of the code of practice and in collaboration with the industry, will be at the forefront of everybody’s mind. What is important is that the Government do not have a pick-and-mix or help yourself avenue within which they can mine data for their own capricious purposes.
The framework of the Bill quite properly severely circumscribes the circumstances within which the Government can seek access to that material. Most importantly, when it comes to content, the warrantry system—the world-leading double lock system we are proposing—will apply. An internet connection record is not content; it is a record of an event that will be held by that telecommunications operator. It relates to the fact of whether or not a customer has connected to the internet in a particular way. If it goes further into content, the warrantry provisions will apply. It is important to remember that framework when determining, and describing and putting into context, what we are talking about. The Committee deserves better than indiscriminate shroud-waving about prospects and concerns that simply do not arise from the measures in the Bill.
The hon. Gentleman quite properly raised the Danish experience. The Danish Government and authorities are in regular conversation with the United Kingdom Government. That dialogue goes on because they are naturally very interested to see how our model develops, although there are important differences that should be set out briefly. The Danish legislation was not technology neutral, unlike these proposals, because it specified two options that proved unworkable. We work with operators case by case so that the best option for their network at the appropriate time will be determined. The Bill builds on existing data retention requirements, such as the retention of data necessary to resolve IP addresses, which regime already exists under the Counter-Terrorism and Security Act 2015. The full cost recovery underpinning by the Government means that there is no incentive for communications service providers to cut corners, as I am afraid happened in Denmark. There are important differences between the two.
The hon. Gentleman rightly talks about IPV6. Although it is a great aim and something that all of us who have an interest in this area will have considered carefully, it still is, with the best will in the world, a way away, I am afraid. It will take a long time for all service providers to implement in full, and until then, there will be both types of system. Even with IPV6, CSPs may choose to implement address sharing or network address translation, meaning that it is not the guaranteed solution that perhaps has been suggested. Servers who host illegal material are much less likely to move to that system, meaning that, in practice, IPV4 may well remain with us. We therefore have to act in the interim, because, as has been said, the drift away from what I have called conventional telecommunications to the internet carries on whether we like it or not. We have to face up to the world as it is, rather than the world as we would love it to be, and therefore take into account the fact that we are in danger of being unable to detect criminality and terrorism.
I hear what the Minister has to say but I am not assuaged by his comments, so this shroud-waver would like to press the amendment to a vote.
Question put, That the amendment be made.