Julian Huppert
Main Page: Julian Huppert (Liberal Democrat - Cambridge)Department Debates - View all Julian Huppert's debates with the Home Office
(10 years, 4 months ago)
Commons ChamberI beg to move,
That the draft Data Retention Regulations 2014, which were laid before this House on 21 July, be approved.
The Data Retention and Investigatory Powers Act 2014, which passed into law last week, was a necessary response to a European Court of Justice judgment that called into question the legal basis on which we require communications service providers in the UK to retain communications data. The judgment was handed down in April this year, not August as the explanatory memorandum accompanying the regulations incorrectly states—an administrative error for which I apologise to the House.
Communications data—the who, where, when and how of a communication, but not its content—are crucial for fighting crime, protecting children and combating terrorism. Indeed, Members will have seen the recent reporting on the National Crime Agency’s child abuse investigation, which led to more than 600 arrests and the protection of more than 400 children. The NCA has confirmed that much of the operation would have been impossible without access to communications data. Where an investigation starts with an internet communication, as in online child sexual exploitation cases, for example, communications data will often be the only investigative lead. The loss of such data would have been potentially devastating and would have impacted seriously on the ability of the police, law enforcement agencies and security and intelligence agencies to investigate crime, uncover terrorist links, protect children, solve kidnappings and find vulnerable people in danger. I am therefore extremely grateful for the support shown in both Houses for the passage of the Act. I put on the record my thanks to right hon. and hon. Members—and in particular to the Opposition—for the constructive way in which they engaged in the debates.
However, as was made clear last week, secondary legislation is required to cover the detail of the operation of the data retention regime and to ensure that the appropriate processes and safeguards can be applied to the retention of such data. That approach mirrors the existing position, in which the detailed data retention regime is set out in secondary legislation. That has worked well for a number of years. It is to those regulations that our attention must now turn.
Members will be aware that a provisional draft of the regulations was published before the legislation was introduced. The regulations before the House today are substantially the same as those which have been available for scrutiny and examination. I am grateful to the Joint Committee on Statutory Instruments for considering and reporting on them. I put on record my thanks to the hon. Member for Leeds East (Mr Mudie), the Chairman of that Committee, for arranging an exceptional meeting to consider the regulations.
Before turning to the content of the regulations, let me deal with the discussion that took place during the passage of the Act about the speed at which the legislation was being passed. Without revisiting those debates today, I will briefly explain why we consider it necessary for the regulations to be passed before the summer recess.
To ensure a strong legal basis for continued retention by service providers, we need to get the regulations in place before the House rises. The regulations ensure that the data to be retained are subject to appropriate safeguards, and the communications service providers concerned will welcome the certainty that the regulations bring.
The Act gives the Secretary of State the power to issue a data retention notice to a communications service provider, if he or she considers the retention to be necessary and proportionate. The regulations made under the Data Retention and Investigatory Powers Act 2014 revoke and replace the 2009 data retention regulations. In large part the regulations replicate the obligations placed on providers under the 2009 regulations. In particular, they set out the types of data that can be retained. As was made clear during the debates on the Act, the list goes no further than the existing regulations. Crucially, the regulations set out the nature of the controls that must be placed on the data, both to ensure that they are adequately protected while they are being retained and to ensure that they are appropriately deleted at the end of that period.
The regulations also ensure that service providers are not penalised financially as a result of complying with a notice or the regulations. That is in line with previous practice and is a fair way of ensuring that the data are retained effectively and that there is no distortion of the communications market, given that obligations may be placed selectively. The regulations contain transitional provisions for the continued effectiveness of a notice under the 2009 regulations, until a new notice is given under the new regulations. We will work closely with providers in the coming months as they make the transition to the new regime.
As I highlighted to the House, the regulations contain additional safeguards. They differ from the 2009 regulations only in the context of those additional safeguards. They provide for data to be retained for a maximum of 12 months and allow the notice to specify that different types of data may be retained for shorter periods, where appropriate. If it is not proportionate to retain certain data for a full 12 months, a lower period can be chosen. The 2009 regulations provided for a blanket 12 months, although the directive on which they were based allowed for periods between six and 24 months.
The regulations also provide for a number of issues which must be considered before a retention notice is issued. I wish to assure the House that my right hon. Friend the Home Secretary and I take our responsibilities seriously, scrutinising in detail any case for imposing a data retention notice to ensure that it is necessary and proportionate. It is with equal care and attention that we will approach our obligation to keep such notices under review.
The Home Office has always worked closely with communications service providers prior to serving a data retention notice, and the regulations enshrine this existing best practice in law by requiring the Secretary of State to take reasonable steps to consult the provider affected. As I have previously explained, the regulations will ensure that the data are subject to appropriate safeguards and controls. Those who followed the scrutiny of the draft Communications Data Bill, including some Members in the House this afternoon, will be aware that there was some uncertainty as to the extent to which the Information Commissioner would oversee the integrity and deletion of retained data, as well as their security. The regulations therefore clarify that the Information Commissioner will oversee all elements of the protection and security of the data. We have discussed this with the commissioner and will provide him with the necessary additional resources to carry out this vital role.
Finally, the regulations amend the Regulation of Investigatory Powers Act 2000 to enable the creation of a data retention code of practice. That will allow us to provide further guidance to communications service providers on how to implement their obligations under a mandatory data retention notice and the regulations.
The House may wonder why certain other changes that we agreed to make are not given effect in the regulations. Separately, we will also update the data acquisition code of practice under RIPA to make it clearer that the officer authorising access to the data should be independent of the operation, and to ensure that consideration is given to the level of intrusion where there may be concerns relating to professions that handle privileged information. I know that that has been of concern to hon. Members on both sides of the House.
The House will have the opportunity in due course to review and comment on both draft codes of practice. In addition, we have announced that a number of public authorities will lose their access to communications data under RIPA and we will bring forward secondary legislation in the autumn in this regard. Hon. Members who followed the discussions about the draft Communications Data Bill will be aware that communications service providers are also able to retain communications data on a voluntary basis under a code of practice made under the Anti-terrorism, Crime and Security Act 2001. The regulations apply the same security safeguards and access restrictions to data retained under that code.
As right hon. and hon. Members know, the Data Retention and Investigatory Powers Act will be repealed on 31 December 2016. Any notices made under the Act and the regulations will similarly fall away. The Government have begun the process of a wider review of investigatory powers and it is right that there should be a full and proper debate on the threats, capabilities and, of course, safeguards that govern the use of such powers. I am sure the House will agree that that should include a wider public debate on the issues.
I am sure the Minister will agree that for that public debate and a review to take place, we need good statistics and information. One of the few things that seems to be missing from the previous regulations and the new ones is a section about statistics. Will he confirm that there will be the same or stronger requirements on public communications providers to keep good statistics on such data and how they are used? How will those will be provided to the Government, who will then publish them?
I am grateful to my hon. Friend for highlighting this aspect. As he knows, in the debates last week we underlined the need for greater transparency and reporting of information about the use of the powers under the Act. I can assure him that we will take that forward. He will be aware, too, of the requirement on the interception of communications commissioner to report on a six-monthly basis—I know that was of concern—to assure the House and the public about the use of the powers under the new Act. Therefore, I expect that providers of information and communications service providers retaining that information would provide data to facilitate transparency and to ensure that the public are informed about the use of the powers under the Act.
As has been made absolutely clear over the past week, this legislation merely preserves the status quo. The Act passed last week and the regulations before the House today do not extend or create any new powers or obligations on communications companies that go beyond those that already exist; they simply ensure that the communications data that have been retained by the communications service providers will continue to be available to ensure that the police, the law enforcement agencies and the security and intelligence agencies have the capabilities they need to protect the public and keep us safe. I commend the regulations to the House.
I will speak to the regulations only briefly. I think that there are a couple of points worth making. It is interesting to compare the debate we are having now with the one in 2009. Back then, no time at all was given to discuss the regulations, which were moved without debate by the hon. Member for Kingston upon Hull North (Diana Johnson). Some Members who have expressed concern about these regulations voted in favour of the previous ones, even though they covered rather more. There was a debate in a Committee that lasted for 62 minutes, and it is very interesting to see how roles have changed. The hon. Member for Gedling (Vernon Coaker), who was then the Minister, said that they did not go far enough and that we needed to collect much more information from communications providers—he mentioned Facebook, but we can date the debate by his references to Bebo and Myspace as the other key providers. He was essentially calling for the Communications Data Bill—the snooper’s charter—that part of the Government, or at least the Home Secretary, wanted to see.
In 2009 there was also a very nice speech from the hon. Gentleman who is currently the Minister. He took a very strong stance that RIPA should be used only to combat serious crime and for the protection of national security. I do not know whether he has told the Home Secretary that that is the Conservative position, because it seems to have changed somewhat—we have moved on very slightly. We also heard my right hon. Friend the Member for Carshalton and Wallington (Tom Brake) saying, “Yes, communications data are important, but we need some more safeguards.” In fact, the safeguards he itemised have largely been delivered in these new regulations, so I am glad that we have made progress.
There is concern, as expressed in the debate we had last week and by the public, about the idea that more information could be collected. For example, there is a concern that this could open the door to the collection of web logs and many other elements. It is worth having a look at the schedule to these regulations, which lists all the things that can be collected, and comparing it with the previous regulations. They are exactly the same—not a single word in the current regulations was not in the regulations introduced five years ago. On that basis, it is fairly clear that there are no new powers and that no new information—web logs, for example—can be collected.
However, there have been a number of other changes. The Minister highlighted the fact that we have taken the opportunity to move from saying that all data must be collected for 12 months to saying that it must be collected for up to 12 months. I very much welcome that, because I think that there are a lot of data that can be of great use the next day, the next week or perhaps the next month, but which are not needed for the full 12 months. We also have—I do not think that the Minister referred to this—a higher standard of data integrity and security required. The wording has been changed from requiring data to be stored in a way that is as good as it had been stored to requiring the best that is available, so the requirement for data integrity and security is actually tighter. Of course, the Secretary of State is required to keep that under review.
The one thing that there is not enough of—this is why I am pressing the Minister—is the idea of transparency. I want him to ensure throughout that as much information as possible is available. He and I have discussed how long the data can be kept for and how much of it is used in the 11th month available and so forth. That information must be available for all usages throughout the year so that we can make the right decisions. Wherever we draw the line, there will be some information on the other side of it. We want to make an informed and rational decision. I hope that he will ensure that all the notices make sure that those data are collected, as the interception of communications commissioner has also called for.
These regulations represent a step forward from the previous regulations. They collect no new information, but they tighten it very slightly. I hope that the House will pass them so that we can continue to collect the data that protect our security, with that slight extra tweak on civil liberties.