Investigatory Powers (Amendment) Bill [Lords] Debate
Full Debate: Read Full DebateLord Beamish
Main Page: Lord Beamish (Labour - Life peer)Department Debates - View all Lord Beamish's debates with the Home Office
(9 months, 1 week ago)
Commons ChamberWe looked at that. There is a balance to be struck, and actually the bulk of those Secretaries of State to whom the function could be delegated in those two exceptional circumstances do have warranting powers—I think the Secretary of State for Defence is the only one who does not. My right hon. Friend’s point is a fair one, but the scope of the Bill is not much greater than that.
As a member of the ISC, I welcome the Government’s acceptance of our recommendation. However, I would like to understand why they are not accepting our other, simple proposal: that when a delegation takes place, the Prime Minister would be informed about that afterwards.
I think it is inconceivable that the Prime Minister of the day would not be informed of the use of a delegated authority.
It is not about the Prime Minister not being informed about the delegation; it is about the Prime Minister looking at the case afterwards—they would not be second-guessing it, obviously, because it would already have been agreed. We suggested that, as a matter of course, the Prime Minister should be informed afterwards of the contents of that warrant. For some reason, the Government are resisting that. I cannot understand why.
I understood the point that the right hon. Gentleman was making—perhaps my answer was not clear—but I suggest that it is inconceivable that the Prime Minister would not routinely be informed of the exercise of this power. Ultimately, that is a level of granularity that would add complexity to the Bill without utility. But, as I have said, through the passage of the Bill thus far, we have listened carefully to the Committee’s suggestions, and although we may not always agree, I can reassure him, other members of the Committee and Members of the House that we will continue to act in listening mode in relation to the Committee’s suggestions.
My right hon. and learned Friend—and immediate predecessor—makes incredibly important points. Digital technology and online technology have been a liberator in so many ways, but, sadly, as has been the case with technology throughout time, it has also been used by those who would do people harm. Indeed, she mentioned in particular the harm done to children. We take that incredibly seriously. We value the important role of investigatory powers and will continue to work with technology companies—both those well established at the moment and those of the future—to maintain the balance between privacy and security, as we have always done, and ensure that these technology platforms do not provide a hiding place for terrorists, for serious criminals and those people taking part in child sexual exploitation.
The three types of notices under the existing IPA are data retention notices, technical capability notices and national security notices. Those notices must be both necessary and proportionate, and they are of course subject to the double lock. The Bill does not introduce any new powers for the acquisition of data. The changes are about ensuring that the system is up to date and remains robust. The Bill will create a notification notice allowing the Secretary of State to place specific companies under an obligation to inform him or her of proposed changes to their telecommunications services or systems that could have an impact on lawful access. This is not a blanket obligation, and it will be used only where necessary and proportionate, and then only on a case-by-case basis.
The notice does not give the Secretary of State any powers to veto or intervene in the roll-out of a product or services. It is intended to ensure that there is sufficient time for appropriate consideration of the operational impact of the proposed changes, and potentially for discussions with the company in question about them. The public, rightly, would want their representatives to know in advance if companies were proposing to do something that would put public safety at risk, and responsible companies will work with Governments to avoid endangering people, who are of course also their customers.
The Bill will also amend the IPA to require the company to ensure that existing lawful access is maintained. That means the company cannot legally take any action that would negatively affect the level of lawful access for our operational partners during the review period. In the other place, the Government tabled an amendment to allow a timeline for review of a notice to be specified in regulations. We also gave the judicial commissioner further powers for managing the review process. Taken together, they ensure that companies are clear on the length of time that a review can take, which reduces uncertainty for their business as well as providing greater clarity for the review process. In the other place, my noble colleague Lord Sharpe of Epsom also committed to a full public consultation before amending the existing regulations on the review of notices, and laying new regulations relating to the notification notices.
The Bill also clarifies the definition of a telecommun-ications operator, to make it clear that companies with complex corporate structures that provide or control telecommunications services and systems in the UK fall within the remit of the IPA. These changes do not directly relate to any particular technology, including end-to-end encryption, but are designed to ensure that companies are not able to unilaterally make design changes that compromise exceptional lawful access.
The Bill makes changes to the powers of public authorities to acquire communications data. Section 11 of the IPA made it an offence for a relevant person in a relevant public authority to knowingly or recklessly obtain communications data from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority outside the IPA, giving greater clarity to public authorities that they are not inadvertently committing an offence. Further targeted amendments will ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data. Further changes will allow bodies with regulatory functions to acquire communications data.
The Bill also creates a new condition for the use of internet connection records—ICRs—by the intelligence services and the National Crime Agency. The IPA currently requires certain thresholds to be met on the known element of an investigation, such as exactly when a website has been accessed. That limits the ability of operational partners to use the ICRs to detect previously unknown criminals, terrorists or state threat actors who are acting online. The proposed measure will allow greater detection of high-impact offenders by removing the requirement to unequivocally know a specific time or times of access and service in use, and instead will allow these factors to be specified within the application.
I understand the use of the measure for the security services, but the Bill broadens the scope of how many people could be dragged into it. There is no judicial oversight of the Security Service or whoever is using it. The Bill states that the measure is for national security and economic wellbeing—that is a catch-all for quite a lot of things. Although the intent is right, there need to be some safeguards to prevent innocent people being dragged into that potentially broad measure.
I understand the right hon. Gentleman’s point. Innocent people’s data is often acquired in dataset capture, and it is always deleted. Economic wellbeing merely reflects the language that is used in other parts, for consistency across our various strands of work.
I thought we were here today to scrutinise the Bill. It should not be a chore for the Home Secretary to be asked questions. The definition of wellbeing could be quite broad. I understand the meaning of national security, as I think he does, and the House, but wellbeing could have quite a broad definition and I am not convinced that I have seen what it is. I am not sure that consistency with other legislation is a great argument for including it in this Bill.
The simple truth of the matter is that I disagree. In legislation of this nature, maintaining consistency of language with previous relevant legislation, including the Intelligence Services Act 1994, is incredibly important to clarity of intent. I recognise that the right hon. Gentleman has given thought to this, and we do not disregard his point, but we have thought through the importance of consistency of language, which is why we have maintained it.
The hon. Lady makes an important point, but the powers could be applied to any bulk dataset collection, of which she knows there are many across Government. Provisions are in place to ensure that innocent people’s data is not held but deleted, and that our security services and other organisations that will utilise these powers always do so carefully and cautiously. There are relevant safeguards in place, as I have made reference to—the Investigatory Powers Commissioner and the tribunal—if there is wrongdoing. The proposals are put forward for a very specific reason. The Government have given thought to mission creep and broader expansion, and we feel that this is a modest extension that will give significantly greater protection to the British people.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) just said, we need to give confidence to the public that what we are rightly doing to protect ourselves has that level of security in it. There is no judicial oversight of internet connection records. If we are to give these powers to the Security Service—which I approve of—we should be able to say to the public that they are proportionate and that there is an independent process to ensure that they cannot be abused. Surely, judicial oversight throughout should be important.
The right hon. Gentleman specifically spoke about judicial oversight, but there is oversight—
There is oversight by the Secretary of State through the warrant process, and oversight of the whole process by the Investigatory Powers Commissioner. Through the Committee on which the right hon. Gentleman sits, there is oversight of the Secretary of State’s function.
I agree, and I support that oversight, even though this Government have not made our job on the ISC easy. Unless I am missing something, there is no judicial oversight of internet connection records in the Bill. If we want to give people confidence, that backstop of judicial oversight should be important.
As I said, I noticed that the right hon. Gentleman specifically said that there is no judicial oversight—
I am not disagreeing, but there is oversight. The Committee on which the right hon. Gentleman sits is part of that oversight process.
In common with all the speakers who have made their contributions thus far on Second Reading of the Investigatory Powers (Amendment) Bill, I will not say that I oppose the Bill or that these powers should not exist or be updated in this rapidly developing area of technology. As others have observed, the rapidly evolving technology is creating threats about which we could not have dreamed when the original Act was introduced after an ISC report on privacy and security in 2015. Although the issues are evolving, some things stay the same, namely that in a democracy it is important that the security services and all the agencies, whether they relate to police or security, can be held to account by the democratic structures that are created to make our democracy real.
I emphasise a point that has not been stressed by others: we are living through an era during which authoritarian governments across the world are beginning to challenge the openness of democratic structures and test whether those who live in a democracy have the political will to maintain their democracy, keep it vibrant and protect it from threats. Against that background of being challenged—we do not have to look much further than Europe and the borders of Ukraine to see how some of those challenges are beginning to develop—we are being asked whether we rate the health and strength of our democracy enough to protect it. We are also being asked, which is the nature of this debate, to justify the powers we are giving to the security and police services to our constituents and those citizens of our country who wish to see their democracy protected, as well as having a proper balance between democratic oversight safety and the powers we give our security services to do their jobs.
As others have mentioned, there is a balance between the effectiveness and speed of those powers and the safeguards that this Parliament puts in place in order to ensure that there is proper oversight and use of them. We have heard how that balance and safeguarding has been developed in law. We are looking now at amendments to the existing law in order to update and modernise those powers to make them more effective, efficient and easier to use, and to ensure protecting our security, be it from criminality, terrorism, paedophilia or state actors who wish to our country harm, is balanced correctly with safeguards, openness and transparency oversight. Then we can protect our society and values, while respecting the privacy of every individual citizen who enjoys the freedom of living in our democracy.
The Bill seeks an expansion in investigatory powers and some of those powers available to agencies to deal with the evolution of this area. Our job, not only in the debate tonight, but in the scrutiny of this Bill in Committee, is to test and ask the appropriate questions about whether the right balance has been struck by Ministers and the relevant agencies in the extra powers that they want to introduce. As the newest member of the ISC, I believe that, as the investigatory powers evolve, it is also important that the powers of the Intelligence and Security Committee to do its job in these new areas are properly developed and resourced. I shall just leave that on the record. It is not a surprise to those who have read the Lords debates that this is an issue.
I draw attention to an area of the Bill where amendments were agreed in the Lords: what is known as the triple lock, rather than the double lock. That is the mechanism that protects the communications of Members of this Parliament and other relevant legislatures from being arbitrarily intercepted by agencies for no reason. In fact, it is part of the protection that one would expect in a robust democracy for those people who are elected to represent their constituents. They have a reasonable expectation, I think, to be allowed to go about their business without being subjected to that kind of intrusive power, unless there is an extremely good reason for it. Members will know that the underlying principle is that the communications of Members of this Parliament and other relevant legislators should be intercepted and read only where it is absolutely essential to do so—in the most serious of circumstances. In the Investigatory Powers Act 2016, which this Bill will change, Parliament recognised that that was an issue by adding a third layer of safeguards to the approval process for warrants for targeted interception and targeted examination of communications. Those warrants are issued only by a Secretary of State and reviewed by a judicial commissioner, which is the double lock, but they are also approved by the Prime Minister personally. As my right hon. Friend said from the Dispatch Box, there is an issue if the Prime Minister is unavailable to do that. It is important that there is not a gap in security protection, which would happen if the Prime Minister is unable to be the third part of that triple lock.
Nobody disagrees with the idea that that process should be made more robust, but there is also an issue about how wide the power to issue that final approval—currently, that final approval rests only with the Prime Minister—should go. There were debates about that when the Bill went through its stages in the other place. The question of balance is how the new Bill deals with ensuring that the triple lock is robust while not creating a lacuna should the Prime Minister be indisposed and unable to issue warrants without that power going too wide. The ISC supports the intention behind this, which is to provide resilience around the current arrangements. It is important that the Prime Minister is the person who approves these things, but this may affect the operations of the intelligence agencies when they are seeking a targeted interference or a time-sensitive warrant. None the less, there was agreement that, in truly exceptional circumstances, it may be appropriate for a Secretary of State to temporarily deputise for the Prime Minister. The Committee considered that it was important that decisions in this area should be delegated only in the most exceptional circumstances, and delegated only to a limited number of Secretaries of State who are already responsible for authorising relevant warrants. We want the Prime Minister to retain sight of all warrants relating to Members of a relevant legislature. Most of that was agreed in the other place, although there is an issue about whether the relevant Secretaries of State—there can be up to five of those—are ones that already issue warrants.
I was a little taken aback that the Home Secretary just assumed that, once these had been agreed by a substitute, they would automatically be reviewed by the Prime Minister. Clearly, that is a big assumption. Does my hon. Friend not think that it would be better if we put it in the Bill that the Prime Minister had full oversight of this warrant?
Clearly, putting such things in the Bill is often an important safeguard. Certainly, I do not understand why the delegation of these powers should not be limited to Secretaries of State who also issue warrants. I do not quite understand why there is an obsession with five Secretaries of State. We could have four and still have robust oversight.
Let me start by thanking our security services. I think I am now the longest-serving member of the ISC, and it is a privilege to work with them and scrutinise their work, as our Committee does. They do not get a great deal of publicity—for the right reasons—but when they do, it is sometimes not factual by any stretch of the imagination. They do an invaluable job, and in protecting our democracy, the threat that they face—that we all face—is changing, so the Investigatory Powers Act 2016 needs revising.
As my hon. Friend the Member for Wallasey (Dame Angela Eagle) said, the important point is that any new powers that we give the security services to act on our behalf should come with an equally balanced level of scrutiny and oversight. I see the scrutiny of our security as like a three-legged stool, with the Investigatory Powers Commissioner, the Investigatory Powers Tribunal, and the ISC. Well, actually, I would say that it is more like a two-and-a-half-legged stool, because the Home Secretary has done what most Ministers do; they say how wonderful the ISC is, how much they value our work, and that they want us fully involved—in passing this legislation, for example—but since 2017, when I first sat on the ISC, there has been a marked increase in lip service paid to it, as I think we see again in the Bill. As my right hon. Friend the Member for Normanton, Pontefract and Castleford (Yvette Cooper) said, we have not met the Prime Minister for 10 years—any of them; I think we had one who offered to come in the dying days of her Administration. We have taken evidence from the security services on the Bill, and I have to say that they are not the problem: it is the Government who are the problem all the time. That was the case with the National Security and Investment Act 2021. Frankly, it is an uphill struggle to get things changed in this Bill—changes that would not only improve the Bill, but make sense. One has just been highlighted by the Chairman of the ISC, the right hon. Member for New Forest East (Sir Julian Lewis).
On occasions, it is a bit like going round in circles. I will give an example. We have actually made one little advance in the other place, in terms of acceptance of the changes to do with the triple lock. Now, though, the sensible thing we are asking for—that it should be in the Bill that the Prime Minister should actually see those warrants—is being resisted as though it would somehow stop the world. I am sorry, but I do not think it would. I think the Government believe that they have to be seen to be resisting any changes. I like the Minister, but the passage of the National Security and Investment Act was a pretty dark day for the Government’s relationship with the ISC, because we had to fight tooth and nail to try to get anything changed in that Bill.
I think the Minister was, actually. I think he picked up the tail end of that Bill.
The ISC has looked at this issue in detail. We have taken evidence from the heads of the security services, and we want to be supportive of change, but we also want that important role of scrutiny and ensuring the public are protected from the occasions when things might go wrong. The other thing that struck me today is that, although the Home Secretary can read a good speech, I am not sure he had a great grasp of some of the detail of the Bill. All I ask of the Minister is to please take on board some of the things we are saying, so that we can make progress in Committee. They are not radical things that are going to upturn the Bill; they are things that will improve it. I suspect that in certain parts of the Government there is a hatred of the ISC, and the belief that we have to be resisted at all costs. That will lead to a poorer Bill, because the amendments we will be tabling would actually improve the Bill. Lord West also did a great job in the other place.
I now turn to clause 2 of the Bill, which introduces the bulk personal data regime. There is a worrying gap: oversight of what are deemed low or no privacy datasets added to category authorisations. At the moment, the system does not work, because things like the electoral register have to get special permission. That is silly, frankly, but we need to ensure that these provisions are scrutinised.
New part 7A of the Investigatory Powers Act 2016, introduced by clause 2, provides for a light-touch regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of that data is deemed to have low or no reasonable expectation of privacy. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) said, people are increasingly giving their personal data with little thought to how it is going to be used—not just by the intelligence services, but for commercial purposes. That needs looking at.
Approval of such a dataset will be sought either under a category authorisation, which encompasses a number of individual datasets that have a similar content and may be used for a similar purpose, or by individual authorisation, which covers a single dataset that does not fall neatly into a category authorisation or is subject to a complicating factor. For a category authorisation, a judicial commissioner will approve the overall description of the category authorisation before it can be used. A judicial commissioner will approve renewal of the authorisation after 12 months, and the relevant Secretary of State will receive retrospective annual reports on the use of category and individual authorisations.
However, as the Bill is currently drafted, this oversight is all retrospective. The problem is that what is missing is real-time or even near real-time oversight of changes. Under the present regime, once a category authorisation has been approved, the intelligence services have the ability to add individual datasets to that authorisation through internal processes alone. They examine the dataset without being subject to any political or judicial oversight, and they would be able to use those datasets for potentially a year without anybody being any the wiser.
We do not question why the security services need these powers, but there is potential for mission creep without any oversight of what is being authorised. We are not saying that these powers are not required; they are required. What we are really being asked to do is rely on the good faith of the intelligence services to use the powers in a certain way. I do not think that is strong enough, and no legislation should be solely dependent on good will. We also have to guard against—there are such occasions—situations when mistakes happen or people use powers for purposes that are not in the public interest.
It is important that we fill this 12-month gap, and the ISC thinks that the easiest and simplest way to change this process would be for the Investigatory Powers Commissioner to be notified when an individual bulk personal dataset is added by an agency to an existing authorisation. I understand that Lord Anderson of Ipswich, in his review of 2023, recommended a similar proposal. The argument from the Government—it is similar to what they have used throughout this Bill, as the Committee Chairman has remarked—is that that will be onerous in adding to the work of the intelligence services. Well, it would not, because it would simply mean sending a one-line email to the Investigatory Powers Commissioner containing the name and description of the bulk personal dataset as soon as reasonably practicable.
The decision would be approved internally and then sent to the Investigatory Powers Commissioner, so it is not actually asking for approval. It is just making sure that the Investigatory Powers Commissioner is aware of what is being added, and that the individuals taking such a decision realise that they must inform the Investigatory Powers Commissioner. That would obviously allow the Investigatory Powers Commissioner to look at trends in what is happening. Clearly, after the 12 months, they could look back, but they could also intervene if they thought something was not in touch.
An argument the Government use quite often about this Bill is that it is to have a light-touch approach, and I think this suggestion is for a light-touch approach. I do not know what is onerous about the security services sending an email to the Investigatory Powers Commissioner. I think it would ensure the oversight that is needed. Real-time oversight is what we are suggesting, and I do not think it would add to the administration of the security services, but it would lead to the Investigatory Powers Commissioner at least having some visibility on another layer at which decisions are taken.
The proposal would be a very simple thing to do, and I do not understand why the Government are resisting it. I suggest they are resisting it for the many reasons they have resisted some of the other sensible things we have put forward: just because they want to do that. I do not know how we go forward with the relationship between this present Government and the ISC. Dragging information out of them screaming and kicking is taking a long time, even though we have a legal duty to get information, and the critical point now is the starvation of resources from the Committee which is creating real problems in the way that it can operate.
I hope that things change and that when we table amendments we will not get the usual response that amendments to this type of legislation should only be done in the Lords. Are we here to cause trouble for the security services? No, we are not; we want to ensure we do our job, which is set out in statute, to supervise the security services and improve the powers, but to ensure that the public have the recognised safeguards we should expect in a democracy such as ours.
As my right hon. Friend will know, several powers in the earlier Bill—the one that he took through the House—were indeed overseen in various different ways. The Bill does not seek to undermine any of that oversight; what it seeks to do is clarify, in certain areas, where it is necessary. My right hon. Friend has highlighted individual agencies or bodies, and I should be happy to write to him to ensure he is aware of exactly where that is being covered.
The right hon. Member for North Durham spoke about prior judicial authorisation for ICRs. The purpose of the Bill is to try to streamline operations for the intelligence services in areas where the risk is of, as we are calling it, low or no expectation of privacy. He will have seen in the Bill what the expectation means, including areas where information has already been readily made public. I accept his commentary and I would be happy to enter into further conversations with him, but the reason we are not currently going down that route is simply that the existing law, the IPA 2016, allows the collection of bulk data with prior authorisation. This is intended to speed the process up. If we put in the measures he is referring to, we would effectively remain in the same place that we are now. That would make it harder for the volume of data that is now coming to be considered by the intelligence agencies. That is why we have made the provision for a subsequent approval rather than a prior approval. He is right to say that it involves a maximum of a year, although I think it unlikely that it would go to that maximum. That will be in cases where this is low or no expectation of privacy—after it has already been agreed by a judge to be in the correct category. I think the right hon. Gentleman might be looking at this through the other end of the telescope.
What the Minister has to realise is that the big concern from the public—although let’s be honest, the public are not looking at the detail of this—is that somehow the security services will be getting access to huge amounts of bulk data and just having a free run at it. All that I and the Committee are suggesting is that an email should be sent when there are changes to the Investigatory Powers Commissioner. That would be a simple thing. It would not be onerous, and it would reinforce the point that there was at least some potential oversight of the process.
I think we may be conflating different aspects of the Bill. I do believe that this already has oversight.
Let me answer the point raised by my hon. Friend the Member for Broxbourne, which touches on a similar area. Where people have the right to and expectation of privacy and freedom, this provision does not remove that right. What it does is allow the intelligence agencies to use bulk data to target an individual at a particular point, and the excess collected information will not be able to be used for targeting an individual without the warrant process that would be expected for any initial search. In that sense, this is not undermining anybody’s privacy; it is allowing for the fact that information is now largely in bulk format. The hon. Member for Barnsley Central was talking about steaming open envelopes. It is impossible to steam open a single envelope today; one has to steam open thousands because that is how data comes. Without an amendment such as that set out in the Bill, we would simply be interrupting the work of the intelligence services to the degree that it would hold them back and make the process harder, but I would be happy to take this up with my hon. Friend the Member for Broxbourne later if he wishes.
I thank the hon. Member for Halifax (Holly Lynch), who was here earlier and made an interesting point about the various ways in which the memorandum of understanding should be looked at through the National Security Act 2023. Friends of mine will know my thoughts on that and know that I gave the Conservative party the chance to allow me to change that 10-year absence, but the Conservative party chose somebody else to make that decision so I have sadly lost the ability to have that influence.
My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) made a typically insightful speech and typically sensible comments on the ways in which we must consider how the authorisation must not be used to mount general surveillance. Condition D will be used only when an applicant makes a clear and compelling case, based on tangible, reliable intelligence leads, information and analysis, that the resulting data will identify parties involved in a relevant serious crime or national security-related specified operation or investigation. The applicant must explain any anticipated collateral intrusion, and how this will be managed to ensure that the application is necessary and proportionate to the outcomes of the investigation.