Investigatory Powers (Codes of Practice) Regulations 2018 Debate

Full Debate: Read Full Debate
Department: Department for International Development

Investigatory Powers (Codes of Practice) Regulations 2018

Lord Paddick Excerpts
Thursday 1st February 2018

(6 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- Hansard - - - Excerpts

My Lords, I am happy to support the Minister in everything she has said about these regulations. A few years ago I had the privilege of chairing the Joint Select Committee on the draft of the Investigatory Powers Bill. The committee made around 80 recommendations which were all accepted by the Government, and I think that few Bills in the past couple of Sessions have been subject to as much scrutiny as this one. It was considered for many days in this House and in the other place, as well as in the Joint Committee. It was right that that was the case because the powers given by the Bill to the intelligence agencies are very wide and deep—rightly so, but safeguards have been built into the Act and now, of course, they are built into the regulations as well. That is necessary because we have to strike a balance between the liberty of the individual on the one hand and the safety of our citizens on the other.

I welcome in particular the regulations on the codes of practice, which were central to the thinking of the Joint Committee. The Minister in the other place, Mr Ben Wallace, indicated that they are “user friendly” in terms of their language, and certainly they are more user friendly than the regulations themselves, which are phrased in gobbledegook, to say the least. The Technical Advisory Board, something that the committee recommended, has now been set up. It is an important development along with, as the Minister has said, the appointment of the new Investigatory Powers Commissioner, Lord Justice Fulford. On behalf of the Opposition, my successor as the Member of Parliament for Torfaen, Nick Thomas-Symonds, supported these recommendations and I do not doubt that my noble friend Lord Kennedy is likely to do the same. As a former chair of the Intelligence and Security Committee, I support them too because these regulations are vital to implementing the Act. I also congratulate the services on their work in ensuring that our children are safe from paedophiles and our citizens are safe from terrorists.

Lord Paddick Portrait Lord Paddick (LD)
- Hansard - -

My Lords, if the House will allow me, I should like to make a few comments about what happened during Oral Questions yesterday. Perhaps I may say that the decision of the Prime Minister, the right honourable Theresa May, to refuse the resignation of the noble Lord, Lord Bates, was one of her better decisions. I also commend the noble Lord, Lord Taylor of Holbeach, on how he picked up the loose ball and ran with it. It just shows what the Government can do if they work together rather than against each other. The noble Baroness, Lady Smith of Basildon, reflected the views of the overwhelming majority in the House in indicating genuine respect and affection for the noble Lord, Lord Bates. We are very pleased that he is having a couple of days of well-earned rest before he resumes the fray. However, I fear that is the end of me being nice.

I thank the Minister for introducing these regulations, which, if the House will allow me, I will take in the order set out on the Order Paper rather than in the order in which the Minister spoke to them. The regulations have been introduced against a background of two linked and significant matters. First, the 16th report of the Secondary Legislation Scrutiny Committee states:

“Because bulk interceptions in particular have the potential to include communications of people who are not suspects as well as those who the security services are targeting, this legislation is likely to be of interest to the House”.


In other words, this important committee of the House has given these regulations a red flag, not least because the codes of practice run to several hundred pages. Again I quote:

“We were therefore disappointed with the obscurity of the original Explanatory Memorandum which gave the reader no indication of the potential effects of these Codes.”


Secondly, the Home Office is having to make late changes to the Investigatory Powers Act in an attempt to comply with the European Court of Justice ruling on the UK’s mass surveillance powers following the decision of the Appeal Court this week. We had long debates, as the noble Lord has just said, during the passage of the Investigatory Powers Bill. We on these Benches argued that the bulk acquisition of communications data treated everyone in the UK as a suspect. We drew a distinction between mobile phone data that is routinely kept by communications services for billing purposes—such as where was the call made and where was the person calling, so that the person can be charged the right amount on their bill—and new communications data that CSPs do not routinely collect; for example, so-called internet connection records, where CSPs will be required to keep a record of the first page of every website that every user of the internet in the UK visits on a rolling 12-month basis. The Investigatory Powers Act allows police and other organisations to self-authorise access to such data. The Appeal Court ruled on Tuesday that the Data Retention and Investigatory Powers Act 2014, many of the powers in which are incorporated in the Investigatory Powers Act, is inconsistent with EU law because of a lack of safeguards and the absence of a prior review or an independent administrative authority.

Noble Lords may wonder what this has to do with the regulations before the House today. The Investigatory Powers (Codes of Practice) Regulations 2018 include a draft code of practice on bulk acquisition of communications data. My understanding is that the Government claim that the judgment does not affect bulk acquisition of communications data because this is limited to the intelligence services—the Security Service, the Secret Intelligence Service and GCHQ—and that these organisations are concerned with national security, which is outside EU data protection law. The first problem with this is that GCHQ, in particular, is involved in accessing data in relation to serious crime; for example, working jointly with the National Crime Agency on child sexual exploitation, which is not within the normal definition of a national security issue.

The second problem is that, after Brexit, the UK will be treated as a third-party country by the EU 27. National security issues will no longer be exempt from scrutiny and compliance with EU law if the UK wants to continue to exchange data with the EU 27. Will the Minister explain what impact the UK’s need to secure an adequacy certificate from the EU in relation to compliance with EU data protection standards once we exit the EU will have on the bulk acquisition draft code of practice? Will she also explain what advice Ministers are receiving about the likelihood of success of Liberty’s other challenge to the Investigatory Powers Act, due to be heard in the High Court later this year, and what effect that will have on these codes of practice? The bulk acquisition draft code of practice also talks about communications operators receiving public funding and support to ensure that they can provide an effective and efficient response to the security services’ requests for data. Can the noble Baroness tell the House how much public funding will need to be provided, particularly in relation to ICRs that are not collected and stored at the moment?

On the second code of practice, in relation to equipment interference, we pointed out in debate on the Investigatory Powers Bill the anomaly that while requests from the security services for equipment interference—downloading the contents of a mobile phone or exploiting weaknesses in software to enable remote accessing of a computer, for example—had to be authorised by a Secretary of State, requests by law enforcement agencies for equipment interference could be self-authorised by a law enforcement chief. The interception of communications warrants, covered by the third code of practice, has to be authorised by a Secretary of State whether the request comes from the security services or law enforcement agencies, but a Secretary of State’s authority is not required in the case of equipment interference warrants for law enforcement agencies. Surely, in the light of the decision of the Court of Appeal, such self-authorisation should no longer be permitted.

Targeted equipment interference warrants can be issued against equipment belonging to or in the possession of an organisation or equipment in a particular location. Can the Minister explain, if warrants allow interference with the equipment of innocent people within that organisation or at that location—collateral damage, if you will, in pursuit of the real criminals and terrorists—how that is compliant with the ruling of the High Court and the ECJ?

The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations are straightforward and we support them. The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations deal with appeals against technical capability notices, national security notices and data retention notices, which include consultation with the Technical Advisory Board. These regulations set out the composition of the TAB and the process and timing of appeals. We support these regulations as well.

Finally, we come to the Investigatory Powers (Technical Capability) Regulations, setting out what may be contained in technical capability notices, which impose obligations on a relevant operator in order that the operator can deliver what is required if served with an interception warrant, equipment interference warrant, or warrant or authorisation for obtaining communications data. In the tech sector, techUK represents 900 companies, employing about half of all those employed in that sector in the UK, and it has raised concerns about technical capability notices arising from these regulations.

Clearly, communication service providers must have the technical capability to be able to comply with lawfully authorised warrants. But these regulations also require CSPs,

“to notify the Secretary of State, within a reasonable time, of—

(a) proposed changes to telecommunications services or telecommunication systems to which obligations imposed by a technical capability notice relate;


(b) proposed changes, to existing telecommunications services or telecommunication systems, of a description specified in the notice, and


(c) the development of new telecommunications services or telecommunication systems”.


In her opening remarks, the Minister said that these regulations do not create new powers. But techUK claims that these notifications of innovation were not listed on the face of primary legislation, albeit that the primary legislation states:

“The obligations that may be specified in regulations under this section include, among other things”.


I emphasise “among other things”. It goes on to express concern that these provisions could force tech companies half way through development to notify the Home Secretary about what they were doing and that the Home Secretary could then come back and demand changes, extending the tight deadlines under which they operate and risking information about commercially sensitive developments being made public to the benefit of competitors. These provisions could be a barrier to innovation and drive tech companies overseas beyond the reach of these regulations. Can the Minister provide some reassurance to the House that these additional provisions will not stifle innovation and drive tech companies overseas?

--- Later in debate ---
Lord West of Spithead Portrait Lord West of Spithead
- Hansard - - - Excerpts

Does not the Minister agree that the collection of bulk data does not assume that everyone in our population is a suspect, as the noble Lord, Lord Paddick, said, any more than the camera systems on our public transport assume that everyone on that bus is a suspect? Rather, it highlights and spots the person who sticks a knife in someone.

Lord Paddick Portrait Lord Paddick
- Hansard - -

I am very grateful to the noble Baroness. The question I was asking, reflected by another noble Lord during the debate, was: what is the impact of the Appeal Court ruling this week and the decision of the European Court of Justice on these very issues? The expression I used was one that came from that judgment rather than being one I was adopting as my own.

Baroness Williams of Trafford Portrait Baroness Williams of Trafford
- Hansard - - - Excerpts

Sometimes the problem with interventions is that you do not get around to saying what you were going to say. Perhaps noble Lords will be patient. The noble Lord, Lord West, put it very succinctly and illustrated what we mean by bulk data.

Where the content of a communication is to be examined when it is of a person known to be in the British Isles, a separate targeted examination warrant must be obtained, which is in itself subject to approval by the Secretary of State and a judicial commissioner. The codes of practice that I have been outlining today provide additional safeguards on the use of bulk powers relating to filtering data, the training that must be obtained by those examining it and how bulk data should be handled, retained and destroyed.

The noble Lord, Lord Paddick, also asked if warrants allowed interference with devices of innocent people and asked how that was compliant with the ECJ ruling—the question on everyone’s lips. Equipment interference is subject to stringent safeguards and any warrant must be necessary and proportionate and must be approved by a judicial commissioner. This House has, of course, approved those strong safeguards.

I see the noble Baroness, Lady Chakrabarti, looking quite interested, because the noble Lords, Lord Paddick and Lord Butler, asked about the Liberty challenge to the IP Act and the Government’s response to it. The judgment handed down by the Court of Appeal on Tuesday this week—I presume that that is the one that they are referring to—relates to the challenge brought against the DRIP Act. It has now been replaced by provisions in the Investigatory Powers Act, and therefore the judgment relates to legislation that is actually no longer in effect. The provisions in the Act challenged by Liberty, which will be heard at the end of February in the High Court, relate to targeted communications data and, therefore, are not relevant to the debate today.

I move on to the technical capability regulations. I was asked whether they would stifle innovation. To be clear here, none of the regulations that we are discussing today in and of themselves place any burden on industry. To suggest that the Investigatory Powers (Technical Capability) Regulations 2018 would damage companies operating in this country is to misunderstand what the provisions in those regulations actually do. Those regulations do not themselves impose any requirements on telecommunications or postal operators. Rather, they set out what obligations could be imposed on an operator through a technical capability notice. The power for the Secretary of State to give such notice is set out in the Investigatory Powers Act itself, and has therefore already been approved by Parliament. There are stringent safeguards in the Act regulating the use of technical capability notices to minimise the impact on businesses, including that the notice must be necessary, proportionate and approved by a judicial commissioner. As I have already said, before giving a technical capability notice to a relevant operator, the Secretary of State must consult that operator. In addition, the Secretary of State must consider a number of factors before deciding to give a notice. Those factors include the technical feasibility and likely cost to the operator complying with the notice, which goes to the heart of ensuring that a notice does not damage a company’s interests.

The Act also makes it clear that the Secretary of State must ensure that arrangements are in force for securing that relevant operators receive an appropriate contribution in respect of their costs incurred in complying with the Act, as the Secretary of State deems appropriate. Such costs include those incurred in relation to complying with a technical capability notice. The Government’s policy is that the appropriate contribution is calculated on a case-by-case basis to ensure that the operator makes neither a loss nor a gain from complying with the Act. A number of the draft codes of practice that we have debated today include an entire chapter on technical capability notices, giving further information about their use, including details of the cost recovery process and the sorts of activities it is anticipated that the Government would fund as part of an operator maintaining a capability.

I may be repeating myself here, but the noble Lord, Lord Butler, asked about making sure that the codes of practice on retention records are made consistent with this week’s ruling. The judgment related to the retention of communications data by telecommunications operators is not being debated today. The CJEU ruling was not about safeguards for equipment interference or for access to bulk communications data. The IP tribunal considered the specific issue of whether the CJEU judgment applied to bulk communications data and has made a further reference to the CJEU on this very point and on whether the bulk communications data regime is within the scope of the judgment’s safeguarding requirements.

Lord Paddick Portrait Lord Paddick
- Hansard - -

My Lords, I realise that I am intervening a bit late, but I did not want to interrupt prematurely, as I did before. Will the Minister comment on techUK’s specific suggestion that the regulations impose an additional aspect to the technical capability notice, in that the Home Office will be alerted to changes in innovation in systems and development? I do not think that the noble Baroness has addressed that specific issue.