Investigatory Powers (Amendment) Bill [HL] Debate
Lord Ponsonby of Shulbrede (Labour - Life peer), debates with the Home Office
(1 year ago)
Lords Chamber
My Lords, I think the whole House will be grateful for the noble Baroness’s intervention speaking in the gap. I thank the Minister for facilitating the briefings which we have had and will have in the coming days on the Bill.
The Bill makes changes to the 2016 Act, as we have heard. The 2016 Act provides a framework for the use of investigatory powers by the security and intelligence agencies, law enforcement and other public authorities. They include the power to obtain and retain communications. It also created the post of Investigatory Powers Commissioner and includes a number of safeguards for the use of such investigatory powers, including a two-stage procedure for obtaining authorisations. Many of the powers in the 2016 Act were pre-existing, as we have heard, and already being used by intelligence and law enforcement agencies. The Government stated that one of the intentions behind introducing the 2016 Act was to bring together and build on the statutory powers already available. The Government explained that the Act was also required to replace emergency legislation passed in 2014, the Data Retention and Investigatory Powers Act, which was subject to a sunset clause.
I agreed with the point made by the noble Lord, Lord Carlile, about the desirability of developing some sort of living instrument and a consolidation Bill to try to bring these pieces of legislation together.
The Bill before us proposes changes which include the creation of a new condition for the use of internet connection records to aid target detection, introducing a less stringent regulatory regime for the retention and examination of bulk personal datasets where individuals have little or no expectation of privacy, and a new notification requirement that can be issued to selected telecommunications operators, requiring them to inform the Government of proposed changes to their products and services that could negatively impact the current ability of agencies to lawfully access data.
I was going to say something about the contributions of the noble Lord, Lord Anderson, to the review of this legislation. My understanding is that all the noble Lord’s recommendations have been accepted by the Government, and I too express the Opposition Front Bench’s gratitude for the work he has done on this.
The Bill is a relatively short Bill of six parts, 31 clauses, and two schedules. I was going to step through its various elements, but I will not do that because it has been adequately covered by speakers earlier in this debate.
Like other noble Lords, I have received emails from industry and advocacy groups raising concerns about the Bill. On 7 November, a Financial Times piece reported that firms, including Apple and Meta, have signalled that they may withdraw from the UK market if they can no longer offer end-to-end encryption to their customers. I will quote from the concluding paragraph of a letter I received from Apple:
“The Home Office’s proposals to expand the IPA’s extraterritorial reach and to grant itself the power to pre-clear and block emerging security technologies constitute a serious and direct threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, the Home Office’s proposal should be rejected”.
The piece, which I am sure we all received, then went on to explain their concerns about providing what they refer to as a back door into end-to-end encryption, and how that undermines the firms’ business model and the security of many other groups operating elsewhere in the world. It is right that we take the points raised by these commercial providers seriously, and maybe we will address them as the Bill progresses.
Similarly, online privacy advocacy groups such as Open Rights Group and Big Brother Watch have expressed their concerns, and we have heard from the noble Lord, Lord Strasburger, and the noble Baroness, Lady Bennett, today. It is worth saying that I agreed with every word of the noble Lord, Lord Carlile, when he said that he and I live in a different country from that spoken about by the noble Lord and the noble Baroness. We need to consider the concerns being addressed in the Bill, but also the wider context that other countries and other very large companies have access to bulk datasets—maybe not our bulk datasets—and are using that data in ways that we need to understand and pre-empt, if they are working against our national interest.
I conclude by talking about my own experience as an engineer, which is relevant to the debate we have just had. It used to be my working life to deal with very large datasets, make predictions based on them, and inform management about those predictions. One of my experiences was that it is very easy to mislead oneself because one is analysing large amounts of data. One needs to be realistic and at the same time see the possibilities of these extremely large datasets. It is a huge challenge. Huge amounts of data are used just to process them, and the maths and the imagination behind it is developing as we speak. The Bill in front of us now is a relatively modest step in the road, and we need to keep reviewing the processes available to us and reviewing the legislation to try to underpin them.
Investigatory Powers (Amendment) Bill [HL] Debate
(11 months, 2 weeks ago)
Lords Chamber
My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be
“open to Parliament to require further safeguards”
and suggested that those safeguards include
“making the extra condition available only to UKIC”—
in other words, the intelligence services—
“at least in the first instance”.
I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that
“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.
That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.
Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.
I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.
However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.
My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.
Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?
I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.
I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.
Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.
The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.
The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.
I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.
As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.
The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.
The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.
The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.
My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.
In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.
I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?
My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.
The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.
Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.
Investigatory Powers (Amendment) Bill [HL] Debate
(10 months ago)
Lords Chamber
I shall be brief. Not for the first time, your Lordships are in debt to the noble Lord, Lord Anderson, for intervening on an issue that I think all of us failed to note. His request of the Minister is helpful, and I hope the Minister will be able to respond. There is an alternative process which I could suggest to the Minister—I have not had a chance to talk to the noble Lord, Lord Coaker, about this. If the Minister wanted to withdraw this amendment and bring it back at Third Reading, which is applicable in certain circumstances, I am sure we would be very flexible in permitting that as well.
My Lords, we support the introduction of the Government’s amendments. I echo what the noble Lord, Lord Fox, said about the amendment in the name of the noble Lord, Lord Anderson, and I look forward to the Government’s response on that point.
I would also be interested to hear what the Government have to say about my noble friend Lord West’s amendments. He has taken a keen interest in this part of the Bill, and I hope the Government will be able to answer the questions, in particular on data disclosure powers, as I think they can give a more detailed response to the expansion of disclosure powers to regulatory bodies than was given in the original legislation. It is also very likely to be further analysed and looked at as the Bill moves down to the other end of the Corridor. Nevertheless, we support the amendments as they are currently.
My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.
As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.
Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.
Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.
In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.
These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.
Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.
The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.
I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.
Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.
Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.
I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.
The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.
The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.
As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.
Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.
I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For example, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infrastructure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.
I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.
In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.
As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.
My Lords, I will move Amendment 21 and speak to the other amendments in this group in my name.
Amendment 21 specifies that the enforcement of retention notices applies only to UK recipients of such notices. It is one of a suite of amendments in this group that return to the issue of extra-territoriality—I see the Minister blow out his cheeks at the prospect. Amendments 22, 25, 28 and 31 are similarly directed and each largely seeks to limit extra-territoriality by ensuring that operators can make changes to their services for users outside UK jurisdiction.
The reason for tabling the amendments, the others of which I will not move, is that there remains a huge gulf of understanding between the tech companies and the Government when it comes to the interpretation of the Bill with respect to its territorial reach. I am again presenting the Minister with a golden opportunity to set out in clear language the territorial ambitions that the Government have for this Bill. I believe there is some element of miscommunication going on here, though I am not sure in which direction. I hope that the Minister can dispel that.
Clearly, we have international tech companies that are incorporated in another country with subsidiaries all around the world and data residing in many different domains—companies that offer services to customers all over the world. In essence, we need to understand what would happen as a result of this Bill if such a business proposed to change a global service that is used by consumers all over the world, including in the UK. How do the Government use this Bill to deal with such situations? I am looking forward to the response.
Amendments 23, 24, 29 and 30 would raise the threshold for calling in a change from “negative effect” to “substantially limit”. Again, this increases the bar before the Government can start the process. Negative effect is a very low bar which will catch almost everything. It is not in the interests of the authorities to have everything coming through. There needs to be some sense of funnel. This is an opportunity for the Minister to define what negative effect is and what it is not, because it is a very low bar. He would be wise to take our advice and look at the language there, certainly when it comes to the code coming later.
Moving on, my Amendment 27 is a retread of an amendment I tabled in Committee, and it was there as a placeholder. I am pleased to see that it is unnecessary, as government Amendments 26 and 32 very much embrace the spirit of what I was seeking to achieve in that amendment. I thank the Minister for responding, and therefore will not be speaking to or indeed moving Amendment 27.
I now turn to Amendment 35. Currently, while there is a requirement for the Secretary of State to consult the operator before giving notice, there is no requirement on the Secretary of State to consult ahead of making regulations that will specify what “relevant change” includes, and therefore what needs to be notified. My Amendment 35 therefore introduces a requirement for pre-legislative consultation on the definition of “relevant change”. The amendment specifies that the Secretary of State must consult the Technical Advisory Board. There is a precedent for consultation with this board in Section 253(6) of the 2016 Act. As your Lordships know, the Technical Advisory Board is comprised of independent and industry representatives; the amendment also specifies a wider range of consultees.
The amendment then requires the Secretary of State to have regard to the impact on users, including on their privacy and on operators’ ability to innovate. Again, there is precedent for this in the 2016 Act. Such considerations must be taken into account when a public authority is deciding whether to issue a TCN or NSN, or where a judicial commissioner approves a DRN. As such, we feel it is worth while also to consider these factors when legislating for a “relevant change”, because delaying a critical security update could negatively impact users and operators. In a sense, all we are asking for is consultation. We are not asking to change the law, and this gives the Government a power to abide by that consultation or not. But we feel that this is an important definition, and it needs to be more widely consulted on.
I hope the Minister will agree, but in the event that he declines, I will be moving Amendment 35. I beg to move Amendment 21.
My Lords, we have had much welcome interaction from stakeholders on the issues summarised in this group, as well as some useful briefings from the Home Office and the noble Lord’s team, for which we are grateful.
As the noble Lord, Lord Fox, has just said, there appears to be a gulf in both position and understanding between the Government and the tech companies, both on the principle of the notice and its details, which is, in a sense, frustrating scrutiny of the Bill. I understand that there is a disagreement about the introduction of notification notices in general. It is right that we look at the details to ensure that the process takes place in a way that reflects the realities of international law, and the need of the intelligence services to maintain levels of data access and the necessary safeguards.
Concerns raised by stakeholders keep striking at the same places: how this notice would work with access agreements with other countries; why there is no double lock on the notification notice, despite the clear impact it would have on tech companies’ activities; and why the definition of telecoms operator is perhaps in reality wider than the Government intend.
We will not be supporting Amendment 35, in the name of the noble Lord, Lord Fox, although we understand the intent behind it. We encourage the Government to keep talking to stakeholders, and we believe that this part of the Bill will benefit from further discussion in the other place.