Investigatory Powers (Amendment) Bill [ Lords ] (First sitting) Debate
Full Debate: Read Full DebateLord Beamish
Main Page: Lord Beamish (Labour - Life peer)Department Debates - View all Lord Beamish's debates with the Home Office
(9 months, 2 weeks ago)
Public Bill CommitteesIt is good to see you in the Chair, Mrs Cummins.
I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.
I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.
The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.
When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.
It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.
My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.
Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.
Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.
Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.
Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.
Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.
We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.
I will not detain the Committee unduly, my Whip will be pleased to know. However, I feel it is important at this juncture—in part because, as the right hon. Member for North Durham says, I was responsible for taking the 2016 legislation through the House, and in part because of my current role on the ISC—to make some comment on the first part of this Bill, which deals with bulk powers. There are misassumptions about bulk powers. The Minister will be aware of how vital they are to the security and intelligence services and to the police. These powers are used in almost all investigations —95% of them—and they are critical if we are to deal with the changing character of the threat we face.
Contextually it is important to note that when the 2016 Act was passed, the nature of the threat was metamorphosising, and that is even more the case now. The scale and character of the threats are altering all the time, so the legal powers available to those we mission to keep us safe need to be fit for purpose and up to date. We knew that when we passed the 2016 Act; we knew that the legislation was dynamic and that it would be supplemented over time to take account of that metamorphosis, which takes two forms. First, the threat now is probably greater from state actors, and secondly, it is greater from those inspired to do harm via the internet in particular. That situation makes an implicit case for the kind of measures the Minister has brought before us today.
Furthermore, there is a paradoxical change in the methodology used by those who seek to do us harm. Because of the nature of technology, those people are now able to do things that they were not able to do when we debated the original Act that this Bill amends. I describe the change as paradoxical because those people have simultaneously learned that they can do immense harm with a vehicle and crude weapon; we know that from some tragic cases in recent years. Those inspired people do not need a sophisticated organisation with all kinds of capabilities; they simply need the perverse, indeed perverted, will to do damage. All of those factors legitimise the case for the measures in the Bill, which we will consider over the coming hours and days—but not weeks I am pleased to say, unless something goes badly wrong.
My hon. Friend the Member for Barnsley Central has been trying to put a definition around this. That needs to happen. If it is not to be in the Bill, the Minister needs to put on the record exactly what his expectations are, because I can see this being challenged in court. Courts are very good at looking back at what is said and what is actually meant in Parliament, so it is quite important.
There are certain categories that no one has any problems with: open Companies House registers are available to anybody, for example, and so is the open electoral register. But how will the closed electoral register be dealt with? I would argue that people who want to be on the closed register would think that there was a reasonable expectation that that data would not be shared. We know that it is, but somebody might challenge that.
Likewise, there are telephone directories. I am not sure whether they are produced any more. Perhaps I am old-fashioned—I am showing my age now. [Interruption.] Well, I am sure they still exist in a digital format. Those who are old enough to remember will know that there was an ex-directory option for people who did not want their name published; someone could make a conscious decision that they did not want their private phone number to be in the public record. Now it must be all online, but how will that be dealt with? With a directory on which everyone’s number is publicly available, I would think that there was a reasonable expectation that that was public data; I think everyone would assume that. Where they are ex-directory, however, I think most people would reasonably expect their data not to be shared with anybody.
“No expectation of privacy” is very clear—it means things that are publicly available—but “no reasonable expectation” is a dance on the head of a pin. People’s interpretations of what is reasonable will be different. I am reassured that the agencies have protocols for dealing with that, and I am not suggesting for one minute that they will be on fishing expeditions, but we need some clarity on what it all means.
The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East made a point about Facebook and other types of social media. For those who are interested, my “North Durham morning” posts are on Instagram, Facebook and Twitter, or X. I have been doing them for many years.
I have no reasonable expectation that those posts are private. I am not suggesting that the security services will want to look at North Durham mornings, but those posts are something that I have put in the public domain. That is fine, but it is different from what the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East was talking about. We might share a photograph or information on a small Facebook group, but do we expect everyone to have access to it? I am not sure that we do. Where does that fit into the definition of “reasonable expectation”? Would the individual think that it was available? That is the point.
The right hon. Gentleman is making a persuasive argument about public expectations of what is reasonable versus what the Bill says and what the agencies do. He is right that there are good operational validations through the agencies’ protocols, but perhaps the best way of explaining the marriage between expectation and what is real would be by example. It would be helpful to hear some examples from the Minister of how the powers that are currently used, and those that will be used under the Bill, are necessary and proportionate; for all these things are about necessity and proportionality. By example, we can probably put this matter to bed.
Yes. A point was also raised about leaked data. If something is leaked on the internet or any other portal and everyone has access to it, do we then assume that the security services think that it comes under “reasonable expectation”, even though the individual whose data it was perhaps did not want it out there?
I accept that under proposed new section 226B(4)(b),
“the authorisation is necessary for the purpose of the exercise of any function of the intelligence service”,
which is fine. I do not think that people will go on fishing expeditions—we will come on to that issue later— but I note that the phrase “economic well-being” appears later in the Bill, but not in this part. When I have raised the point before, the Government have argued that the phrase is used in other legislation and that they want to be consistent.
If nothing is to be changed in the Bill today or on Report, the Minister needs to put something on the record so that it when somebody challenges this provision in future, which they will, the Government’s intention is clear now and can be interpreted later.
I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.
That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.
The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?
That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly ways at each moment of influence and each moment of power, but everything is covered.
The issue of closing the gap between adding a bulk personal dataset to an existing category authorisation was raised on Second Reading by my right hon. Friend the Member for North Durham, who has a long-standing interest in these matters. I agree with the argument he made on Second Reading and the simple solution he proposed to close the gap: a one-line email to the Investigatory Powers Commissioner as soon as reasonably practical.
Any such email would not be seeking real-time approval and would not necessarily be reviewed by the Investigatory Powers Commissioner in isolation, but rather as part of a wider trend of what is being added to existing category authorisations. Labour does not seek to create additional work for the men and women who serve in our police and security services. On the contrary, a simple arrangement —to send a single-line email—would enhance wider oversight arrangements, while keeping extra requirements for the police and security services to an absolute minimum. In response to my right hon. Friend on the matter on Second Reading, the Minister said the IPA 2016
“allows the collection… with prior authorisation”
and that
“This is intended to speed the process up.”—[Official Report, 19 February 2024; Vol. 745, c. 556.]
We do not intend to slow the process down through the amendment, as any such notification would be made after it had happened. I therefore ask the Minister whether the problem is the act of notifying the Investigatory Powers Commissioner as soon as reasonably practical, or the potential volume of notifications, that mean he deems it an unworkable arrangement. I would appreciate if he could be as open as possible in answering those questions. If the Government do not accept the amendment, perhaps a conversation could take place between my right hon. Friend the Member for North Durham, the Minister and myself to agree a practicable solution.
As my hon. Friend the Member for Barnsley Central said, I raised the matter on Second Reading. In no way do I or other members of the ISC want to slow down the process or give more work to the hard-working men and women of our security services. However, as I understand it, the only reason put forward by the Government was that it would impair operational agility.
The amendment proposes, and what I proposed, is not for the security services to go through an authorisation, as my hon. Friend just said; it is literally an email saying, “This is what we are doing.” Members might ask why that is important. It is important because we are giving the security services new powers in the Bill and for IPCO to be informed in real time. I accept the retrospective look at them, but at least if there was a trend, we could see it.
The Government have also tried to argue that there is no need for more oversight because it is a low or no dataset, much lower than those governed by the existing section 7 of the IPA. We have just had the argument about the definition of “low” and “no”, but it means that we are giving the security services additional powers here. I am not for one minute suggesting that the internal protocols within those security services will lead to things that are just a free-for-all, as some might suggest, but it gives that assurance that there is oversight of what is happening in real time.
If we were asking for authorisation of each one, I would accept that it would be too burdensome and would slow down the process, but this is literally a one-line email so the IPCO knows what is needed. I do not understand why the Government are resisting that, except that—let us be honest, Minister—we have form on this. With the National Security Bill, there was an idea that it would be a weakness on the Government’s part to accept any amendments from the ISC. However, there was one slight change made with Lord West’s amendment, so there is possibly a change of attitude. I accept that the Minister respects the ISC—I am not sure it is the same for many people higher up in Government. But that should not be a reason not to accept this very simple amendment, which I think would give people reassurance that there is some real-time oversight of this. If an election was called in the next few weeks, this Bill—
I endorse what the right hon. Gentleman said. It is a straightforward matter. The Government could give way on this—because they already have the power to ask for it under existing arrangements—by making it a routine, light-touch process. I take the point that we do not want to impair the alacrity that is necessary for the agency. However, I think a simple change would satisfy the right hon. Gentleman, me, and many others.
I agree entirely with the right hon. Gentleman. If the amendment goes into the wash-up of the Bill, things like that will have to be included anyway. I do not understand why the Government are dying in a ditch on quite a small amendment that would make no practical difference at all to the operation of this Bill. There are certain people—not including the Minister, who is quite a reasonable individual—who want to make sure that the ISC cannot claim credit for doing anything, which I think is quite sad. If the Minister cannot agree to the amendment as drafted, I echo the suggestion of my hon. Friend the Member for Barnsley Central that we draft an amendment that the Government are happy with on Report that fulfils our ambitions on oversight, but that is also practically and technically correct. [Interruption.]
I remind members of the public to please turn their electronic devices to silent as well.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.
In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?
Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.
This is as good a time as any to raise this point. If we are going to give the powers to the security services, which nobody objects to with the appropriate oversight, and ask them to do more assessments, more dataset investigations and so on, does my hon. Friend agree that the Minister should give us assurances on resources? Given that we are asking the services to take on additional tasks in one fashion or another, does he agree that we have to set aside the resources? Perhaps, during his meeting with the Minister, he could tease that out a little bit more, because I do not want these powers and responsibilities to be given to the services without them having the appropriate resources— financial and staffing—to do their job.
I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.