Investigatory Powers (Amendment) Bill [HL] Debate
Lord Sharpe of Epsom (Conservative - Life peer)
(11 months, 2 weeks ago)
Lords Chamber
My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.
I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.
Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.
In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.
The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.
Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.
Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which
“regard must be had to all the circumstances”.
The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.
The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.
The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.
On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.
All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.
If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.
Thank you; point taken.
Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.
In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.
I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.
I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.
The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.
The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.
Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1 and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.
The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.
Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.
My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.
Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?
I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.
I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.
Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.
The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.
The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.
I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.
As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.
The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.
The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.
The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.
My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.
In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.
I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?
My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.
The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.
Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.