Lord Anderson of Ipswich (CB)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be

“open to Parliament to require further safeguards”

and suggested that those safeguards include

“making the extra condition available only to UKIC”—

in other words, the intelligence services—

“at least in the first instance”.

I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that

“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.

That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.

Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.

I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.

However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments, 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.

Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.

The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.

The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.

I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.

As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.

The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.

The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.

The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.

The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.

Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.

Lord Fox (LD)

- View Speech - Hansard -

Copy Link

- - Excerpts

I shall be brief. Not for the first time, your Lordships are in debt to the noble Lord, Lord Anderson, for intervening on an issue that I think all of us failed to note. His request of the Minister is helpful, and I hope the Minister will be able to respond. There is an alternative process which I could suggest to the Minister—I have not had a chance to talk to the noble Lord, Lord Coaker, about this. If the Minister wanted to withdraw this amendment and bring it back at Third Reading, which is applicable in certain circumstances. I am sure we would be very flexible in permitting that as well.

Lord Sharpe of Epsom (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.

As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.

Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.

Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.

In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.

These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.

Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.

The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.

I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.

Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.

Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.

I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.

The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.

The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.

As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.

Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.

I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.

I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.

In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.

As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.

Lord Fox (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, I will move Amendment 21 and speak to the other amendments in this group in my name.

Amendment 21 specifies that the enforcement of retention notices applies only to UK recipients of such notices. It is one of a suite of amendments in this group that return to the issue of extra-territoriality— I see the Minister blow out his cheeks at the prospect. Amendments 22, 25, 28 and 31 are similarly directed and each largely seeks to limit extra-territoriality by ensuring that operators can make changes to their services for users outside UK jurisdiction.

The reason for tabling the amendments, the others of which I will not move, is that there remains a huge gulf of understanding between the tech companies and the Government when it comes to the interpretation of the Bill with respect to its territorial reach. I am again presenting the Minister with a golden opportunity to set out in clear language the territorial ambitions that the Government have for this Bill. I believe there is some element of miscommunication going on here, though I am not sure in which direction. I hope that the Minister can dispel that.

Clearly, we have international tech companies that are incorporated in another country with subsidiaries all around the world and data residing in many different domains—companies that offer services to customers all over the world. In essence, we need to understand what would happen as a result of this Bill if such a business proposed to change a global service that is used by consumers all over the world, including in the UK. How do the Government use this Bill to deal with such situations? I am looking forward to the response.

Amendments 23, 24, 29 and 30 would raise the threshold for calling in a change from “negative effect” to “substantially limit”. Again, this increases the bar before the Government can start the process. Negative effect is a very low bar which will catch almost everything. It is not in the interests of the authorities to have everything coming through. There needs to be some sense of funnel. This is an opportunity for the Minister to define what negative effect is and what it is not, because it is a very low bar. He would be wise to take our advice and look at the language there, certainly when it comes to the code coming later.

Moving on, my Amendment 27 is a retread of an amendment I tabled in Committee, and it was there as a placeholder. I am pleased to see that it is unnecessary, as government Amendments 26 and 32 very much embrace the spirit of what I was seeking to achieve in that amendment. I thank the Minister for responding, and therefore will not be speaking to or indeed moving Amendment 27.

I now turn to Amendment 35. Currently, while there is a requirement for the Secretary of State to consult the operator before giving notice, there is no requirement on the Secretary of State to consult ahead of making regulations that will specify what “relevant change” includes, and therefore what needs to be notified. My Amendment 35 therefore introduces a requirement for pre-legislative consultation on the definition of “relevant change”. The amendment specifies that the Secretary of State must consult the Technical Advisory Board. There is a precedent for consultation with this board in Section 253(6) of the 2016 Act. As your Lordships know, the Technical Advisory Board is comprised of independent and industry representatives; the amendment also specifies a wider range of consultees.

The amendment then requires the Secretary of State to have regard to the impact on users, including on their privacy and on operators’ ability to innovate. Again, there is precedent for this in the 2016 Act. Such considerations must be taken into account when a public authority is deciding whether to issue a TCN or NSN, or where a judicial commissioner approves a DRN. As such, we feel it is worth while also to consider these factors when legislating for a “relevant change”, because delaying a critical security update could negatively impact users and operators. In a sense, all we are asking for is consultation. We are not asking to change the law, and this gives the Government a power to abide by that consultation or not. But we feel that this is an important definition, and it needs to be more widely consulted on.

I hope the Minister will agree, but in the event that he declines, I will be moving Amendment 35. I beg to move Amendment 21.