Investigatory Powers (Amendment) Bill [HL] Debate

Department: Home Office
Lord Anderson of Ipswich (CB)

My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be

“open to Parliament to require further safeguards”

and suggested that those safeguards include

“making the extra condition available only to UKIC”—

in other words, the intelligence services—

“at least in the first instance”.

I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that

“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.

That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.

Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.

I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.

However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.

Lord Ponsonby of Shulbrede (Lab)

My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.

Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?

I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.

Lord Sharpe of Epsom (Con)

I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.

Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.

The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.

The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.

I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.

As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.

The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.

The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.

The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.

--- Later in debate ---
Finally, Amendment 34 is a further attempt to place some safeguards into Part 4. Our final amendment to this part would ensure that the decision by the Secretary of State to give notice requiring operators to notify them of system changes is approved by a judicial commissioner. As we know, judicial commissioners play a crucial role in providing the independent oversight of the decisions around notices and other authorisations in this Bill. The 2016 Act essentially ushered in that role. There does not appear to be any good reason why the same safeguards should not apply for notices issued under Clause 20. We have also suggested that such notices be time limited but can be renewed following approval, again from the judicial commissioner. This is an attempt to ensure that there are appropriate safeguards around the Secretary of State’s powers in this regard.

Lord Ponsonby of Shulbrede (Lab)

My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.

In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.

I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?

Lord Sharpe of Epsom (Con)

My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.

The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.

Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.