(9 months, 2 weeks ago)
Public Bill CommitteesThis is a somewhat odd argument, because the right hon. Gentleman and I are slightly together but also arguing at cross purposes. Both of us have a very high regard for the intelligence services and are confident in their integrity, but we are slightly at cross purposes because he believes that we are not satisfying the oversight element, but I believe we are.
Let me be clear. I am not being a stick in the mud about this for any political reason. I actually happen to believe that this is the right way to approach this. There is a constant balance in all forms of oversight between the ability to act quickly and the ability to be controlled from outside. I believe that this sets in place a very significant, burdensome requirement on those who are taking these responsibilities to act according to certain principles. To repeat, the principles are necessity and proportionality. I do not think anybody in here would argue against those. What this requires them to do is make sure that the principles are met by effectively targeting in advance.
The right hon. Gentleman’s comment about train line use would, I am afraid, not satisfy that proportional need. The individual would have to be specifically identified in advance. The pattern of use of the website from the single point and to the point of contact—from a phone to an internet server or whatever it might happen to be—would have to be clarified. These ICRs are Venn diagram circles that are getting narrower and narrower. The idea that this would end up with some sort of week-long or month-long trawl of a train line website is, I am afraid, not permissible under the 2016 Act. Were any intelligence officers to do it—though I do not believe that they would—they would fall foul of section 11 and would not be acting necessarily and proportionately. Therefore, it would not be permissible.
It is pretty clear that existing conditions B and C already enable public authorities to make an application for a known individual’s internet connections. New condition D only enables a request for details to identify individuals who have used one or more specified internet services in a specified time.
I think that is the point. I do not think anyone is arguing against the fact that there will sometimes be exceptional circumstances that require haste. Everybody accepts that, but the issue with condition D is that it is explicit in removing the targeted nature of the other conditions. It is where they do not know the time or person and do not have the data available that they are using condition D. There is nothing in the Bill to make clear that it can only be used in exceptional circumstances. How can we square that circle? I do not think that anyone would disagree with the fact that there needs to be an ability to move at pace at times, but there is nothing here that says that power could only be used in those sorts of circumstances. Condition D creates a situation where we are going to hoover up data on a huge number of people, but there is nothing to say how long we are going to hold on to that data for, or what would be done with it.
To answer the last part of the question first, the holding on to data and what is to be done with it is the same as under the IPA generally. Information can be held or not held according to those provisions. This Bill does not change any of that, which is why that is not covered here, and I know the hon. Gentleman would not expect it to be.
It is worth pointing out that condition D is not only no more intrusive than conditions A, B or C, in terms of data—
Let me just finish the point; I know the hon. Member will come back to me.
Condition D is no more intrusive, and it does require the serious crime threshold, which does add an extra layer before it can be used. I hear the hon. Member’s point; the condition still requires proportionality and necessity, so it could not be simply anybody who is using Facebook, because clearly that is not proportionate. It still requires that targeting; it still requires those Venn diagrams, if he likes, to close over a target; and, even then, it requires the serious crime threshold.
(9 months, 2 weeks ago)
Public Bill CommitteesI will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”
The factors considered in determining whether something qualifies as low or no include
“the extent to which…the data has been made public”.
If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.
We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.
Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.
The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.