(9 months, 1 week ago)
Commons ChamberI reassure the hon. and learned Lady that we will do exactly that.
I turn to the measures in the Bill. We are creating a new regime for bulk personal datasets that have low or no expectation of privacy: for example, certain datasets that are widely publicly or commercially available. Bulk personal datasets are an essential tool to support our intelligence services in identifying fragments of intelligence within a large quantum of data, in order to disrupt threats such as terrorism and hostile state actors. The Bill seeks to create a new statutory oversight regime for how the intelligence services access and examine bulk personal datasets held by third parties. It will place that oversight on a statutory footing, increasing the transparency of the regime. The regime will be subject to strong safeguards, including the double lock.
We are also making changes to the notices regime that will help the UK anticipate and address the risk to public safety of companies rolling out technology that precludes lawful access to data. We want to work with those companies to achieve common goals, but we must have the tools available when collaboration falls short.
I know that the Home Secretary wants to make progress, but I am grateful for the opportunity to comment.
These reforms to the IPA are necessary to upgrade our world-class regime and ensure that our frameworks are kept up to date with evolving threats and, importantly, technology. We know that the terrorists, the serious organised criminals, the fraudsters and the online paedophiles all take advantage of the dark web and encrypted spaces: to plan their terror, to carry out their fraudulent activity and to cause devastating harm to innocent people such as children, in the field of online paedophilia. Does he share my concern and indeed frustration with companies such as Meta and Apple? The former has chosen to roll out end-to-end encryption without safeguards and the latter has rolled out advanced data protection, which will allow these bad actors to go dark, which will severely disable agencies and law enforcement from identifying them and taking action, and will enable—indeed it will facilitate—some of the worst atrocities that our brave men and women in law-enforcement agencies deal with every day.
My right hon. and learned Friend—and immediate predecessor—makes incredibly important points. Digital technology and online technology have been a liberator in so many ways, but, sadly, as has been the case with technology throughout time, it has also been used by those who would do people harm. Indeed, she mentioned in particular the harm done to children. We take that incredibly seriously. We value the important role of investigatory powers and will continue to work with technology companies—both those well established at the moment and those of the future—to maintain the balance between privacy and security, as we have always done, and ensure that these technology platforms do not provide a hiding place for terrorists, for serious criminals and those people taking part in child sexual exploitation.
The three types of notices under the existing IPA are data retention notices, technical capability notices and national security notices. Those notices must be both necessary and proportionate, and they are of course subject to the double lock. The Bill does not introduce any new powers for the acquisition of data. The changes are about ensuring that the system is up to date and remains robust. The Bill will create a notification notice allowing the Secretary of State to place specific companies under an obligation to inform him or her of proposed changes to their telecommunications services or systems that could have an impact on lawful access. This is not a blanket obligation, and it will be used only where necessary and proportionate, and then only on a case-by-case basis.
The notice does not give the Secretary of State any powers to veto or intervene in the roll-out of a product or services. It is intended to ensure that there is sufficient time for appropriate consideration of the operational impact of the proposed changes, and potentially for discussions with the company in question about them. The public, rightly, would want their representatives to know in advance if companies were proposing to do something that would put public safety at risk, and responsible companies will work with Governments to avoid endangering people, who are of course also their customers.
The Bill will also amend the IPA to require the company to ensure that existing lawful access is maintained. That means the company cannot legally take any action that would negatively affect the level of lawful access for our operational partners during the review period. In the other place, the Government tabled an amendment to allow a timeline for review of a notice to be specified in regulations. We also gave the judicial commissioner further powers for managing the review process. Taken together, they ensure that companies are clear on the length of time that a review can take, which reduces uncertainty for their business as well as providing greater clarity for the review process. In the other place, my noble colleague Lord Sharpe of Epsom also committed to a full public consultation before amending the existing regulations on the review of notices, and laying new regulations relating to the notification notices.
The Bill also clarifies the definition of a telecommun-ications operator, to make it clear that companies with complex corporate structures that provide or control telecommunications services and systems in the UK fall within the remit of the IPA. These changes do not directly relate to any particular technology, including end-to-end encryption, but are designed to ensure that companies are not able to unilaterally make design changes that compromise exceptional lawful access.
The Bill makes changes to the powers of public authorities to acquire communications data. Section 11 of the IPA made it an offence for a relevant person in a relevant public authority to knowingly or recklessly obtain communications data from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority outside the IPA, giving greater clarity to public authorities that they are not inadvertently committing an offence. Further targeted amendments will ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data. Further changes will allow bodies with regulatory functions to acquire communications data.
The Bill also creates a new condition for the use of internet connection records—ICRs—by the intelligence services and the National Crime Agency. The IPA currently requires certain thresholds to be met on the known element of an investigation, such as exactly when a website has been accessed. That limits the ability of operational partners to use the ICRs to detect previously unknown criminals, terrorists or state threat actors who are acting online. The proposed measure will allow greater detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access and service in use, and instead will allow these factors to be specified within the application.