Investigatory Powers Bill (Third sitting) Debate
Full Debate: Read Full DebateRobert Buckland
Main Page: Robert Buckland (Conservative - South Swindon)Department Debates - View all Robert Buckland's debates with the Attorney General
(8 years, 8 months ago)
Public Bill CommitteesI will deal with new clause 3 in fairly short compass. The amendment was suggested to me by the Scottish division of Pen International, which is a world association of writers. It would introduce a tort, or a delict as we call it in Scotland, for unlawful interception. Such a tort or delict exists already as a result of section 1(3) of the Regulation of Investigatory Powers Act 2000, and I am not entirely sure why it has not been replicated in the Bill. I would be interested to hear from the Solicitor General or the Minister for Security why the Government did not include the measure in the Bill, and whether they will give it serious consideration. It would give a meaningful avenue of recourse and act as a motivation to intelligence agencies, police forces and the Government to ensure that all interception is lawfully authorised, on pain of an action for damages if it is not properly authorised. It is really a very simple new clause modelled on section 1(3) of RIPA. I am interested to hear what the Government have to say about this suggestion.
It is a pleasure to take this first opportunity to say that I am looking forward to serving under your chairmanship, Ms Dorries, and indeed to serving with all colleagues on the Committee.
I am grateful to the hon. and learned Lady for making her observations in a succinct and clear way. I am able to answer her directly about the approach that we are taking. One of the aims of the Bill is to streamline provisions to make them as clear and easy to understand as possible. She is quite right in saying that RIPA had within it this provision—a tort or a delict, as it is called north of the border, that would allow an individual to take action against a person who has the right to control the use or operation of a private telecommunications system and to intercept communication on that system.
The Government have fielded a number of inquiries about the non-inclusion of the RIPA provision in the Bill. The circumstances in which it applies are extremely limited, and as far as we are aware it has never been relied on in the 15 years of RIPA’s operation. The provision applies only in limited circumstances because it applies to interception on a private telecommunications system, such as a company’s internal email or telephone system. Where the person with the right to control the use or operation of the system is a public authority, there are of course rights of redress under the Human Rights Act 1998, such as article 8 rights.
The Bill is intended to make the protections enjoyed by the public much clearer and we feel that introducing that course of action or replicating it would not add to that essential clarity, but I have listened carefully to the hon. and learned Lady and we are happy to look again at the issue in the light of her concerns. On that basis, I invite her not to press her new clause and I hope we can return to the matter on Report.
I am grateful to the Solicitor General for his constructive approach. I am happy not to press the new clause at this stage on the basis that the Government will look at it. I am happy to receive any suggestions about the drafting, which is mine. I had some discussions about the terms of the drafting with Michael Clancy of the Law Society of Scotland and James Wolffe, the dean of the Faculty of Advocates, but any infelicities are my fault alone. I would be happy to discuss the drafting with the Government.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
Clause 3
Definition of “interception” etc.
Question proposed, That the clause stand part of the Bill.
There are no amendments tabled to the clause, which we support, but I say for the record and for clarification that what is welcome in clause 3 is the spelling out in legislation of the extent of an interception—an issue that has bedevilled some recent criminal cases. Importantly, as the explanatory notes make clear, it is now provided in clear terms that voicemails remaining on a system, emails and text messages read but not deleted and draft messages stored on a system will count within the phrase “in the course of transmission” and will therefore be covered by the offence. We welcome that. I wanted to emphasise that point and put it on the record, because a lot of time and effort was spent when that phrase was not so clearly defined.
I am extremely grateful to the hon. and learned Gentleman. He is right: we have moved a long way from phone tapping, which he, I and many others understood to be clear interception whereas, for example, the recording and monitoring of communications at either end of the process was not interception. As he rightly says, the internet and email have caught up with us, so as part of the Government’s thrust to have greater clarity and simplicity, this essential definition is a welcome part of the statutory framework that now exists.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clauses 4 and 5 ordered to stand part of the Bill.
Clause 6
Monetary penalties for certain unlawful interceptions
Question proposed, That the clause stand part of the Bill.
Again no amendments are tabled to the clause, but there are some questions that arise from it. The explanatory notes say, and it is clear in the Bill, that the clause creates a power for the Investigatory Powers Commissioner to impose fines where an interception has been carried out, but there was no intention. It relates to action that might otherwise be an offence, but the intention element is not made out. Against that background, I have some questions for the Solicitor General.
If the power applies where an interception is carried out but there was no intention to do so, it is hardly likely to have a deterrent effect because the person did not intend to do it in the first place, so what is the rationale and purpose of this provision? It is clear in schedule 1, which is related to clause 6, that the commissioner has very wide discretion in relation to the operation of the powers under the clause including, in paragraph 13, powers to require information from individuals
“for the purpose of deciding whether to serve”
an enforcement notice. Thus we have a provision that is premised on a non-intentional interception that then triggers quite extensive powers to require information with penalties for failure to provide that information. Schedule 1 states that guidance will be published on how the powers are to be exercised, but what is the real rationale and purpose? Why are the powers as extensive as they are and will the Minister commit to the guidance envisaged under schedule 1 being made public?
In clause 6(3)(c) there is reference to a consideration by the Commissioner that
“the person was not…making an attempt to act in accordance with an interception warrant”,
which suggests that that is outside the scheme of the provision. We have also noted that the provision relates only to a public telecommunications system. It is in many ways supplementary or complementary and we are not questioning it in that sense, but there is a number of unanswered questions. If we are to scrutinise and probe, it would be helpful to have those answered now if possible, and if it is not answered in writing.
I am grateful to the hon. and learned Gentleman for his questions. I assure him that there is a very good rationale for the inclusion of these powers. They are a replication of powers that were added to RIPA in 2011. Monetary penalty notices followed a letter of formal notice that was issued by the European Commission setting out its view that the UK had not properly transposed article 5(1) of the e-privacy directive and articles of the data protection directive. In particular, the Commission identified:
“By limiting the offence in Section 1(1) RIPA to intentional interception, the UK had failed to create a sanction for all unlawful interception as required by Article 5(1) of the E-Privacy Directive and Article 24 of the Data Protection Directive.”
The Government rightly conceded the defective transposition that had been identified and therefore the monetary penalty notice regime was established to introduce sanctions for the unintentional and unlawful interception in order to remedy the deficiency.
The hon. and learned Gentleman is quite right that it is a step down from a criminal offence, where intention has to be informed, but as my right hon. Friend the Minister for Security said when opening the debate, underpinning all of this is the importance of privacy, and the right to privacy is demonstrated in practical form by the inclusion of clause 6 and schedule 1. It is important so that we cover all aspects of intrusion because, as the hon. and learned Gentleman will know, privacy is not just about confidentiality. That is often misunderstood, particularly in the light of recent debates about injunctions. It is about intrusion into the lives of individuals, and that intrusion by the authorities in particular should be marked in some way by the imposition of some alternative sanction if it cannot be criminal sanctions. Therefore, there is a very sound rationale for the inclusion of these powers and replicating them from RIPA, and therefore I commend the clause to the Committee.
Question put and agreed to.
Clause 6 accordingly ordered to stand part of the Bill.
Schedule 1 agreed to.
Clause 7
Restriction on requesting interception by overseas authorities
I rise to make essentially the same point as I made on the previous clause, albeit more briefly. This is a good and right in principle clause to ensure that there are restrictions on requesting assistance under mutual assistance agreements, but again the sanction for breach is not entirely clear. That may be something that, under the umbrella that the Minister for Security just indicated, could be taken away to see what the enforcement regime is for these important safeguarding provisions.
The hon. and learned Gentleman will know that this mutual legal assistance regime definitely benefits from statutory underpinning. It has become increasingly important. Sadly we have all learnt that relying just on good will or informal arrangements is no longer sufficient, which is why the international work that I know hon. Members are aware of, particularly negotiations with the United States, are so important in speeding up the process and making it ever more efficient, particularly in the light of all the political controversies we have been dealing with in recent days. I undertake to deal with the question that he raises, which I think we can deal with in an umbrella form as he suggests.
Question put and agreed to.
Clause 8 accordingly ordered to stand part of the Bill.
Clause 9
Offence of unlawfully obtaining communications data
Question proposed, That the clause stand part of the Bill.
With this it will be convenient to discuss new clause 4—Tort or delict of unlawfully obtaining communications data—
“The collection of communications data from a telecommunications operator, telecommunications service, telecommunications system or postal operator without lawful authority shall be actionable as a civil wrong by any person who has suffered loss or damage by the collection of the data.”
This new clause creates a civil wrong of unlawful obtaining of communications data.
The new clause very much relates to what I said earlier about new clause 3. The intention is to create a civil wrong of unlawfully obtaining communications data as opposed to unlawful interception. Again, the drafting is mine and it could do with some serious tightening up, but my intention is to establish the Government’s attitude to the new clause. I hope that the Solicitor General will indicate that.
I am grateful to the hon. and learned Lady for the way in which she spoke to her new clause. I see that it very much follows new clause 3. Our argument with regard to new clause 4 is slightly different because it has a wider ambit than private telecommunication.
We submit that this tort or delict would not be practicable. Communications data are different from the content of communication. For example, one would acquire communications data even by looking at an envelope or searching for a wi-fi hotspot when turning on a particular wi-fi device at home. It would not be appropriate to make ordinary people liable for such activity. With respect to the hon. and learned Lady, its ambit is too wide. That said, it is only right that those holding office within a public authority are held to account for any abuses of power. That is why clause 9 makes it an offence for a person in a public authority to obtain communications data knowingly or recklessly without lawful authority. I place heavy emphasis on the Government’s approach to limiting and checking the abuse of power by the authorities.
On the new clause, the interception tool was always intended to address the narrow area that was not covered by the interception offence in RIPA, which is replicated in the Bill. As noted, the communications data offence is intentionally narrower. It would therefore be equally inappropriate to introduce a tort or delict in relation to the obtaining of communications generally or in the areas not covered by the new offence. Under the provisions of the Data Protection Act 1998, communications data often constitute personal data. That act already provides for compensation for damage or distress resulting from non-compliance with the data protection principles and for enforcement in respect of failing to comply with the provisions of the act.
Does my hon. and learned Friend think that the offence of misfeasance in public office would also add a civil remedy for any wrongdoing?
I am extremely grateful to my hon. and learned Friend. She is quite right. In fact, not only is there the offence of misconduct in public office, as it is now constituted, having been reformed from the old offence of misfeasance, but we have provisions in the Wireless Telegraphy Act 2006, the Computer Misuse Act 1990 and, as I have already mentioned, the Data Protection Act 1998. I therefore consider that the new offence we are introducing in clause 9, combined with relevant offences in other legislation, in particular the provision in section 13 of the Data Protection Act 1998, provides appropriate safeguards. On that basis, I respectfully invite the hon. and learned Lady to withdraw the amendment.
It is, as always, a pleasure to see you in the Chair, Ms Dorries. The Solicitor General has given examples of wide-ranging powers that are available to protect the public. I was grateful to listen to his contribution. However, during Second Reading I queried the Home Secretary’s position on the new offences that are being created. Many of the offences the Bill refers to, particularly in clause 9, relate to the regulation of investigatory powers. My concern is that later the Bill requires internet service providers, for example, to amass a large amount of personal data, and there is a danger that those data may be stolen rather than intercepted. I gave the example of a newspaper perhaps finding a low-grade technical operator in a telecommunications company, passing a brown envelope to them and stealing a celebrity’s internet connection records. I am concerned that the offence in clause 9 of unlawfully obtaining communications data does not go far enough.
I bear in mind the Solicitor General’s comments on other protections that are available, but would he or the Government consider an offence of not just obtaining but being in possession of unlawfully obtained communications data, which would strengthen the protections given to members of the public? We all know that the kind of scenario that I am expressing concern about has not been unknown in the last few years, as various court cases have demonstrated—though I should not discuss their details. Is the Minister satisfied that the protections he has outlined and those raised by the hon. Member for South East Cambridgeshire are sufficient, or should we take this clause a bit further, to give the public broader and wider protection of their privacy and the security of their internet and telecommunications transmissions?
It is a pleasure to follow my hon. Friend because I want to develop the point. This is a welcome clause, it is right that it is here, and we support it. However, we question whether it goes far enough. It only covers obtaining communications data. We think that serious consideration should be given to an overarching offence of misuse of the powers in the Bill. At the moment, there are specific provisions in relation to intercept which are replicated frim RIPA and we now have this welcome provision, but there is no overarching offence of misuse of the powers in the Bill.
It is all very well to say that there is the tort of misfeasance in public office. That is not the equivalent of a criminal offence. It has all sorts of tricky complications when one tries to apply it in practice. It is fair to say that there are other bits of legislation that might be made to fit in a given case, but it would be preferable and in the spirit of David Anderson’s approach for a comprehensive piece of legislation for an overarching criminal offence to be drafted, either out of clause 9 or in some other way, relating to misuse of powers in the Bill. It has been a source of considerable concern in the past and I ask the Government to think about a wider offence that would cover all the powers, because comms data are only one small subset of the issues and material information we are concerned with.
I have two short supplementary points. In subsection (3) there is a reasonable belief defence. It would be helpful if the Minister said a bit more about that. May I also foreshadow the inconsistency that we will need to pick up as we go along in the way reasonable excuse and reasonable belief are dealt with in the Bill? It is set out in subsection (3), but there is an inconsistency in other provisions that I will point to when we get there.
My other point is to ask the Minister to consider whether obtaining communications data unlawfully is a sufficient definition to make the offence workable in practice. I put my questions in the spirit of supporting the clause, but I also invite Ministers to go further and consider drafting a clause that covers the misuse of powers in the Bill, rather than simply saying that if we fish about in other bits of legislation or common law we might find something that fits on a good day. In my experience, that is not a particularly helpful way of proceeding.
Thank you, Ms Dorries, for allowing me to reply to a stand part debate on clause 9. I think we have elided the this and the previous clause, but I crave your indulgence to deal with everything in a global way. May I deal properly with clause 9 and set out the Government’s thinking on this?
The measure is all about making sure once again that those who hold office within a public authority are properly held to account for any abuses of power. The clause will make it an offence knowingly or recklessly to obtain communications data from a communications service provider without lawful authority. Somebody found guilty of that offence might receive a custodial sentence or a fine. The maximum punishment will vary according to whether the offence was committed in England and Wales, or in the jurisdiction of Scotland or Northern Ireland.
The hon. and learned Gentleman is right to point out the reasonable belief defence. The offence will not have been committed if it can be demonstrated that a person holding office acted in the reasonable belief that they had lawful authority to obtain the data. Where a communications service provider willingly consents to the disclosure of the data, including by making it publicly or commercially available, that would constitute a lawful authority.
The question about reasonable belief is about making sure that genuine error is not penalised, because there will be occasions when genuine errors are made. In the absence of such a defence, public authorities could be deterred by notifying genuine errors to the IPC. It is important that the Investigatory Powers Commission is an effective body monitoring failure and lack of best practice, and preventing future errors.
I think the hon. and learned Gentleman will agree that we both have fairly considerable criminal litigation experience. In this area, I think a regulatory approach will be just as effective, and in some ways more effective, than a criminal sanction. I am grateful to the hon. Member for City of Chester for reiterating the remarks that I remember him making on Second Reading, when he made some powerful points, but I caution that we are in danger of creating an entirely new criminal framework, catching people further down the line, which ultimately will only lead to more confusion and, I worry, the replication of existing offences.
An unauthorised disclosure by someone in a communications service provider would be covered by the Data Protection Act 1998, because those providers have duties and obligations under that Act just like any other holder of data. I hear what the hon. and learned Gentleman says, and I will consider the matter, but my initial reaction to his question and that of the hon. Member for City of Chester is that the Data Protection Act covers such a disclosure.
I have heard Opposition Members’ arguments. Some thought has been given to this point and clause 49 puts a duty not only on people who work in public services but on postal operators, telecommunications operators and any person employed therein to not make unauthorised disclosures in relation to intercept warrants. That might help.
I am grateful to my hon. Friend, who served with distinction on the Joint Committee. That provision relates to creating a statutory duty, which, with respect to her, is slightly different from some of the arguments we are having about criminal sanctions. However, it is important to pray that in aid, bearing in mind the mixed approach we need to take in order to hold public office holders and public authorities to account when dealing with this sensitive area.
The Bill provides a great opportunity for us to put into statute a new offence, which will, together with the other agencies, provide a robust regime that will add to the checks and balances needed in this area in order to ensure that our rights to privacy are maintained wherever possible, consistent with the Government’s duty towards the protection of our national security and the detection and prevention of crime.
I am grateful to the Solicitor General for that clarification. My concern about his reliance on, for example, the Data Protection Act is what happens in the scenario I described, which I do not believe is so unbelievable, bearing in mind the experiences that hon. Members of this House have had in the past few years with the theft of their information. One problem that his solution presents is that if, for example, my personal data were stolen and published, the only recourse I would have is to the telecommunications provider, which is in a sense a victim itself. The real villains and culprits—the people who stole the information and published it—would not be covered by the Data Protection Act, which is why I seek consideration of extending the clause or guidance from the Solicitor General.
I hear what the hon. Gentleman says. I have already indicated that I will consider the matter further. I will simply give this solution. He mentioned the stealing of information. Information is property, like anything else, and of course we have the law of theft to deal with such matters. I do not want to be glib, but we must ensure we do not overcomplicate the statute book when it comes to criminal law. I will consider the matter further, and I am extremely grateful for his observations.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
On a point of order, Ms Dorries, may I seek clarification on my position on new clause 4, which the Minister invited me to withdraw? I am minded to do so, having regard to what the Solicitor General said about the Data Protection Act and what the hon. and learned Member for South East Cambridgeshire said about misfeasance in public office, but as a novice in these Committees I seek some guidance. If I press the new clause to a vote now and it is voted down, does that prevent me bringing it back to the Floor of the House?
I will be very quick. The clause is welcome and we support it, but again my concern is that there is no enforcement mechanism or sanction. Will the Minister take it under the umbrella of these clauses that are intended to ensure good governance, effectiveness and that the proper routes are used, and look in an overarching way at what their sanction might be? I am asking a similar question to one I made before: what is the sanction if what should happen does not happen?
Yes, of course, we will do as the hon. and learned Gentleman asks. I welcome his endorsement of the importance of the clause, bearing in mind what it sets out and the clarity we are achieving through its introduction.
Question put and agreed to.
Clause 11 accordingly ordered to stand part of the Bill.
Clause 12
Restriction on use of section 93 of the Police Act 1997
Question proposed, That the clause stand part of the Bill.
I make the same point again: the clause is a good provision but appears to lack any enforcement mechanism or sanction, so if it could go into the basket of clauses that are being looked at in relation to sanction, I will be grateful.
The clause confirms that section 93 of the Police Act 1997 may not be used to authorise conduct where the purpose of the proposed interference is to obtain communications, private information or equipment data and the applicant believes the conduct would otherwise constitute an offence under the Computer Misuse Act 1990, and the conduct can be authorised under an equipment interference warrant issued under part 5 of the Bill. So it does not prevent equipment interference being authorised under the Police Act where the purpose of the interference is not to obtain communications and other data—for example, interference might be authorised under the Act if the purpose is to disable a device, rather than to acquire information from it.
That reflects the focus of this Bill. We are trying to bring together existing powers available to obtain communications and communications data. I emphasise that the measure does not prevent law enforcement agencies from using other legislation to authorise interference with equipment that might otherwise constitute an offence under the Computer Misuse Act. For example, law enforcement agencies will continue to exercise powers under the Police and Criminal Evidence Act 1984 to examine equipment that they possess as evidence. The result of this clause is that all relevant activity conducted by law enforcement agencies will need to be authorised by a warrant issued under part 5 of the Bill.
Based on what the Minister has just said, it may be that it is anticipated that any attempt to use other legislation in breach of this provision would automatically be refused. That is the bit where there might need to be some clarity, because in effect it will not be an application under this legislation; it would be an application under different provisions, so does this operate as a direction to any decision maker that that is an unlawful use of another statute? That is not entirely clear. I think that that is what is intended. If it is, that is a good thing, but I am not entirely sure that a decision maker would say, “I am prohibited by law from exercising powers available to me under other legislation.” I leave that with the Minister because it may be something that can be improved by further drafting.
I thank the hon. and learned Gentleman for that intervention. While I will answer the specific question, I think it is important that I set out the fact that this provision is not the only means. What we are dealing with here is part 5 and the double lock and the enhanced safeguards. If any agency or authority fails to use new part 5 or PACE, for example, in other circumstances, they will be committing an offence under the Computer Misuse Act. Public authorities are no different from any other individual or body: if they are not complying with the existing legal framework by this or other means, they fall foul of the law themselves. I will endeavour to answer the other points raised about sanction but I urge the Committee to agree that the clause stand part of the Bill.
Question put and agreed to.
Clause 12 accordingly ordered to stand part of the Bill.
Clause 13
Warrants that may be issued under this Chapter
I beg to move amendment 57, in clause 13, page 10, line 16, after “content”, insert “or secondary data”
This amendment, and others to Clause 13, seek to expand the requirement of targeted examination warrants to cover the examination of all information or material obtained through bulk interception warrant, or bulk equipment interference warrant, irrespective of whether the information is referable to an individual in the British Islands. They would also expand the requirement of targeted examination warrants to cover the examination of “secondary data” obtained through bulk interception warrants and “equipment data” and “information” obtained through bulk equipment interference warrants.