Investigatory Powers (Amendment) Bill [HL] Debate
Full Debate: Read Full DebateLord Fox
Main Page: Lord Fox (Liberal Democrat - Life peer)Department Debates - View all Lord Fox's debates with the Home Office
(11 months, 2 weeks ago)
Lords ChamberI rise to speak to Amendment 2 and several others in this group in my name. This amendment probes the extent to which paragraphs (d) and (e) of proposed new Section 226A(3) depart from current privacy laws. Like the noble Lord, Lord Coaker, we seek clarification. Also like the noble Lord, as far as we are concerned the purpose of this Committee is to probe, get information and understand how the Government interpret some of the measures in the Bill.
Bulk personal datasets represent the largest part of the Bill, and this amendment primarily probes the differences in the definitions in the Bill and those set out in Schedule 10 to the Data Protection Act 2018. The Bill creates a new and essentially undefined category of information where there is deemed to be low or no reasonable expectation of privacy: so-called low/no datasets. This is a departure from existing privacy law, in particular data protection law. With regard to low-privacy bulk datasets, the relevant circumstance, in Schedule 10 to the DPA, is that
“information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”.
This is a different standard from the expectation of privacy in the new BPD category, whereby information is considered low privacy according to
“the extent to which the data is widely known about”
and if it
“has already been used in the public domain”.
As your Lordships will observe, there is a big difference between those two definitions. For example, whereas facial images from public CCTV may be considered low-privacy BPD under the Bill, they would be considered personal data and possibly subject to sensitive processing under the DPA. As the Minister knows, this is a contentious area of law, and a real-life example is Clearview AI’s database of 30 billion facial images harvested from social media platforms for highly facial recognition searches. Some could have been classified as low privacy, as the photos have already been made public by the individuals, but the Information Commissioner’s Office found Clearview AI in breach of the DPA.
Similarly, a database of all public Facebook or other social media posts could be argued to be a low-privacy database, despite the fact that it will be a comprehensive database of billions of people’s social networks, sexual orientations, political opinions, religion, health status and so on. Under the DPA, much of this data qualifies as sensitive personal data, incurring extra protections when it comes to retention and processing, regardless of whether the information can be considered to have been made public.
The DPA would still apply to the intelligence agencies in processing—at least, that is our view, and we would like to like the Minister to comment on that—but under the Bill as drafted the contradictory standards would also apply. How do these two standards work together? I assume the department has looked at the likelihood of possible challenges to this new category of data, and indeed the likelihood of such challenges being successful, so it would be helpful if the Minister could enlighten us in that regard.
Schedule 10 to the DPA sets out circumstances in which the agencies can conduct sensitive processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health or sexual orientation; biometric or genetic data that uniquely identifies an individual; and data regarding an alleged offence by an individual. Does Schedule 10 apply in the case of data identified as “low” or “no” by the Bill?
An example highlighting the potential divergence is data that has been hacked and then leaked out. While not deliberately made public, as per the DPA requirement, it is arguably public and available in the public domain. What is the Minister’s view as to how the Bill regards that sort of data in a low/no context? To test this, the amendment seeks to strengthen the condition in proposed new Section 226A(3)(b) by aligning it with the test in the Data Protection Act for sensitive processing. Data protection law is currently constructed according to the sensitivity of information rather than the individual’s expectations of privacy concerning personal information. As we know, expectations differ greatly from reality, and from person to person. The central questions this poses are: why does the new Bill deviate from Schedule 10 to the DPA, and how will the DPA and the IP work together using the new definition of this Bill?
We are debating a small number of quite large groups today which, unfortunately, means that quite a number of my amendments appear one after another. I will speak as briefly as I can, but I am afraid there is quite a lot of detail coming up. I will speak first to Amendments 4, 5, 6 and 7. Amendment 4 probes the purpose for which bulk datasets will be used by the intelligence services. Amendments 5 and 6 probe the circumstances in which an authorisation is urgent and therefore not authorised in advance by a judicial commissioner. Amendment 7 would require the person granting an authorisation in urgent cases to immediately notify the judicial commissioner that they have done so.
These amendments are similar in purpose and spirit to Amendment 3 from the noble Lord, Lord Anderson, which I have co-signed and support. The basic explanation from the Government for proposed new Part 7A has been that these datasets are needed to train tools using machine learning and that they already exist and are being used in the commercial world, but the Part 7 process makes them difficult for the intelligence services to use. If training AI tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations.
In that regard, proposed new Section 226BC refers to a “relevant period” of three working days between the acquisition of the urgent data and the granting of full judicial approval, giving the relevant service three days to work with data and information that might eventually be ruled out of bounds by the judicial commissioner. All the amendments are intended to understand how Part 7A is to be used in operations, rather than tool training, and what urgent circumstances are envisioned that would negate the need for prior JC approval of an authorisation.
Amendment 4 seeks to restrict the application of Part 7A powers to training and learning functions of the intelligence services, meaning that operational purposes would be excluded. This is designed to get the Minister to explain the operational needs which define an urgent need.
Amendment 5 removes the ability of a person to grant an authorisation if there is an urgent need. Clearly, this gives the Minister a chance to justify why such data might be operationally needed. Amendment 6 provides a definition of what might be considered “urgent circumstances”. The Minister might want to contribute a different definition, but we feel the definition of “urgent” should be included in the Bill. Amendment 7 provides an additional safeguard by requiring a JC to be notified immediately where an authorisation has been granted in an urgent case. This essentially creates an opportunity to close the potential gap between when the data is deployed and when the JC rules on its admissibility—but not, of course, removing the gap entirely.
My Lords, I do not know whether I can help the noble Lord, Lord Fox, on his question of urgency. One of the things that the Security Service and the other intelligence agencies do is deal with matters of life and death, of imminent terrorist threats, of states pursuing one of their dissidents. There is many an occasion when moving at vast speed outside the hours when IPCO is available is necessary and proportionate. I am out of date, so it is hard to give lots of current examples, but many a time there is an urgent need to move fast to try to save life.
On the point from the noble Lord, Lord Murphy, about the ISC—we will come on to look at these amendments in more detail—as far as my service is concerned, we did not need to get used to the ISC in that we had been demanding its creation for a number of years, with resistance from the Prime Minister of the day until it actually came into being. And when it did, we very much welcomed it.
I have hardly had more pleasure since I have been in this House than from the amendment in the name of the noble Lord, Lord Fox, on seeking to forget stuff. Like some noble Lords, I have difficulty in remembering things—I am sorry, I should speak only for myself—but if I was legislated to forget something, it is almost certain that I would be capable of remembering it.
My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.
I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.
Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.
In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.
The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.
Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.
Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which
“regard must be had to all the circumstances”.
The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.
The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.
The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.
On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.
All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.
If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.
Thank you; point taken.
Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.
In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.
I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.
I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.
The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.
The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.
Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.
The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.
Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.
My Lords, Amendment 20 is intended to probe the legal basis for surveillance of the type of data described in new Section 11(3A)(e). This amendment would prevent public authorities—councils, police forces, intelligence agencies, government departments including the DWP and HMRC, the Gambling Commission, the Food Standards Agency, and many more—having “lawful authority” to obtain and use communications data from a telecommunications or postal operator solely because the information is available to the public or a section of the public even if only on a commercial basis.
Communications data is defined in the IPA as data that may be used to identify, or assist in identifying, the sender, recipient, time, duration, type, method, pattern, or fact of a communication, along with the system used to make a communication, its location and the IP address or other identifier of any apparatus used. The broad list of public authorities able to obtain communications data is set out in Schedule 4 to the IPA.
Clause 11 of the Bill before us now amends the Section 11 IPA offence of unlawfully obtaining communications data from a telecommunications or postal operator. Whereas the IPA currently defines an offender as,
“A relevant person who, without lawful authority, knowingly or recklessly obtains communications data from a telecommunications operator”,
this Bill would add a list of examples to the Act of what constitutes lawful authority.
My Lords, this has been a really worthwhile part of our debate, and I thank those who have tabled amendments and the Minister for his response. I was particularly interested to hear both the substance of and response to the amendments of the noble Lord, Lord West of Spithead. I think it best that we spend some time reviewing this in Hansard in deciding what, if anything, needs to come back. With that said, I beg leave to withdraw Amendment 20.
My Lords, in opposing that Clause 16 stand part of the Bill, I shall also speak to the clause stand part notices on Clauses 17 and 20.
This is one part of the Bill that has attracted a huge amount of external interest and deserves some positioning to understand why external parties might be suspicious of what they see. We should recognise that one of the most important security features available to protect personal information, both on a device and in the cloud, is end-to-end encryption. That encryption technology ensures that only users, and not the companies which provide the cloud services, can access their personal data and communications. Computer scientists and cryptographers have argued for many years that there is no safe way to decrypt one person’s messages without compromising the whole system’s security infrastructure. As soon as a backdoor, as it is called, is created to scan private messages, a security vulnerability is created that can be exploited by bad actors as well as good actors. I assume that that was why the Online Safety Bill left things hanging, waiting for a technological breakthrough, though I was not party to the processes of that Bill.
I remind your Lordships that once the company has created a backdoor key for encrypted systems, even for a single user in a single case, and certainly for any mass scanning, it has created a vulnerability that can eventually be abused by bad actors as well as law enforcement. I also remind your Lordships that the Home Office already can and presumably, on occasion, does require companies to weaken their security apparatus in the interests of law enforcement and national security.
To a great extent, the proximity of this Bill to the debate in the Online Safety Bill, has not helped matters: sensitivities were raised during that debate, and this is a chance for the Minister to try to calm them. As I mentioned earlier, the impending arrival of the Data Protection and Digital Information Bill is also putting people’s nerves on edge. There is a deal of management required here.
End-to-end encrypted messaging service providers were vociferous in their concerns during the passage of the Online Safety Bill, yet Section 121 of the Online Safety Act remains. However, Ministers clarified that Ofcom could only require scanning once it becomes technically feasible to do so—that is, when the technology is invented and allows scanning without violating encryption. But Ofcom retains the power to order service providers to use their “best endeavours” to develop that technology.
It is not surprising that some of those same encrypted message service providers were raising flags when it came to some of the clauses in the Bill. The IPA, as it stands, already enables the Home Office to instruct service providers to remove electronic protection for communications of interest to the police or security services by issuing them with a technical capability notice—a TCN. This effectively empowers the Home Secretary to require the removal of end-to-end encryption on those services across any number of suspects and criminal offences. Currently, for the Home Secretary to issue a TCN to a service provider under the IPA, they have to satisfy a number of considerations, which your Lordships will be pleased to hear I am not going to list. Even if the answers to all those conditions is positive and leads to a TCN, a process of checks and balances sits alongside the request, including informal and formal consultation between the Home Office and a service provider before the TCN is issued, oversight by the independent judicial commissioner assessing the request’s proportionality and, of course, recourse for the service provider to request a review of the TCN, allowing it and the Home Secretary to make representations to the judicial commissioner and the technical advisory board for assessment. Crucially, the service provider is not required to start acting on the notice until the review process is concluded.
My Lords, I thank the Minister for an admirably comprehensive response. That was what we were looking for—perhaps not everyone, but certainly our Front Benches. There is a lot to get our heads around, so we will take this away and look into it.
There are a number of observations I would make. First, the Minister emphasised co-operation, collaboration and discussion. Of course, the legislation does not look like that, so it would help if the Government could find some confidence-boosting measures, be they from the code or the draft annexe, or something that enables the Government to signal their continued intention to co-operate and collaborate.
The Minister talked about an interconnected data world—that is exactly the point the operators are making. Because of that interconnection, a hiatus in delivering a service in the UK could also be a hiatus in delivering that service to the rest of the world, given that everyone is using the same service. That is one of the points that was not picked up by the Minister at the time. That interconnectedness is the very issue that some operators have: if they are prevented from doing it in one place, how do they do it elsewhere?
The issue of corporate entities is interesting. What the Minister described was something I used to call “corporate veil”, and I am interested to know how robust that is in corporate law. With corporate veil, it became very difficult, even at court level in the United States, to break down the corporate entities and their interconnections. For no other reason than making an observation, I am interested to see how that works. I certainly see why the Government are putting it forward in their legislation.
There is a lot for us to digest, which we certainly will, between now and the next stage; it gives us something to get our teeth into over Christmas. That said, I beg to withdraw my proposal that Clause 16 stands part of the Bill.
I am afraid that the noble Lord is not in a position to do that. This is a clause; one votes for it or against it.