Investigatory Powers Bill (Eighth sitting) Debate
Robert Buckland (Conservative - South Swindon)
(8 years, 7 months ago)
Public Bill Committees
I think I can take this in fairly short compass. The clause deals with the lawfulness of conduct authorised by this part of the Bill. The amendment would delete clause 72(2)(b), the effect of which would be that conduct would have to remain unlawful if it could not be justified. As it is currently worded, the clause allows an exception to that principle, and that is not an appropriate exception. Conduct is either lawful or unlawful. If it is unlawful, it should be characterised as such and should not be justified. Strictly, if the amendment were to be passed, subsection (3) would have to be left out as well, for tidying-up purposes.
May I reassure the hon. and learned Lady that the provisions relating to lawfulness of conduct authorised by part 3 of the Bill replicate those that currently apply in the Regulation of Investigatory Powers Act 2000, and the Bill goes no further in providing indemnity from civil liability for conduct incidental to or reasonably undertaken in connection with a communications data authorisation? The clause is drafted to ensure that a person who engages in conduct only in connection with an authorisation cannot be subject to civil liability unless that activity could itself have been authorised separately under a relevant power. It must follow that the removal of that provision would mean that a person who was acting lawfully under an authorisation that had properly been granted under the Bill would be at risk of civil liability if some incidental or reasonably connected conduct were not expressly covered by the authorisation.
I can see the thrust of the hon. and learned Lady’s argument, but I hope that I have reassured her that the Bill does not go any further than the status quo. For that reason, I urge her to withdraw the amendment.
I beg to ask leave to withdraw the amendment for the time being.
Amendment, by leave, withdrawn.
Clause 72 ordered to stand part of the Bill.
Clause 73 ordered to stand part of the Bill.
Clause 74
Certain transfer and agency arrangements with public authorities
Question proposed, That the clause stand part of the Bill.
I am delighted to see you back in the Chair, Ms Dorries, as I break my couple of sessions’ silence; it is always very reassuring. I certainly do not wish to keep the Committee here all night, but I will reiterate a point that I made earlier in our considerations, and that relates to the retention of certain data. As my hon. and learned Friend the Member for Holborn and St Pancras pointed out, we understand the need for data retention. However, on looking at the Bill, I am still not entirely satisfied that the Government have taken into account the need for additional security for data retention.
I look to the Minister for reassurance that, when telecommunications and internet providers and suchlike are obliged to retain data, there is a consequent obligation on them to maintain it securely. We know that several such providers have problems with internet security: we saw that with the TalkTalk hack, and we believe another large provider has been hacked recently. Those attacks were on personal data; the Solicitor General and I have had exchanges in this room about the potential for charging them as theft—about whether the sanctions against somebody who committed that offence would be contained in existing legislation.
This part of the Bill needs to look at obliging or maintaining a minimum acceptable level of security, to provide security and privacy for people whose data may have been accepted. I realise that it might not necessarily be covered in detail in the new clause, but now might be a good time for the Ministers to consider whether they believe internet security and the security of personal data held under the terms of clause 79 should be considered in the Bill. Do they believe guidance should be given to telecommunications providers to maintain that security, or do they feel that it is not relevant and that they are quite satisfied with the status quo? I must say that I am not. Notwithstanding the need for the retention of individual data, as described so eloquently by my hon. and learned Friend, it remains a major concern of mine that individual privacy and data are at risk: it puts a question mark over the whole clause and over the areas we are discussing.
I am grateful to hon. Members for a wide-ranging debate. I would first like to reiterate on behalf of the Government the position adopted by the Joint Committee on the draft Investigatory Powers Bill, which quite clearly indicated its conclusion that the case was made for a retention period of up to 12 months for relevant communications data. In the report from David Anderson QC, “A Question of Trust”, recommendation 14 is:
“The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year”.
There we have it: the Government are acting upon the specific endorsement of an independent reviewer and a Joint Committee of this House. There is an element of the waving of the proverbial shroud when it comes to the retention of data, because the word “relevant”, which is contained in the second line of clause 78(1), is the governing word here. It is very important to remember that this is not carte blanche for the Secretary of State to authorise communications service providers to retain everything for 12 months. That is not the case. Where there is no case of necessity and proportionality for a 12-month period, a shorter period must be adhered to. Indeed, if the material is not relevant, it falls outwith the ambit of any such authorisation.
I reassure the hon. Member for City of Chester, who makes quite proper points about the integrity of data, that he is right to make them. That issue affects all those in this room and beyond. He is also right to allude to the criminal law. I reassure him that communications service providers have to comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which together contain those requirements that the data is appropriately secured. When he has the time—which I am sure is as precious to him as it is to the rest of us—chapter 16 of the draft communications code of practice contains an entire set of provisions relating to the security, integrity and, indeed, destruction of retained data, which very much underpin the principles of why CSPs have to operate and will give him the reassurance that he properly seeks about the position with regard to individual data and people’s privacy.
Data retention legislation has existed in this country since the Anti-terrorism, Crime and Security Act 2001, which allowed the Secretary of State to enter into voluntary agreements with telecommunications operators so that they could retain data that otherwise would be deleted. The Data Retention (EC Directive) Regulations 2007 were the first piece of data retention legislation that provided for the Secretary of State to require the retention of such data. We currently have DRIPA 2014 and the data retention regulations of that year. We hope to replace those with the provisions in the Bill. A very important point is that there is nothing new about these proposals. Our data retention legislation has always had the Secretary of State involved in the process and there are very good reasons for that. It has worked successfully until now. As I have indicated, it has been recommended to us by David Anderson.
The amendments that have been tabled seek to drive a coach and horses through all of that. There is a simple and blindingly obvious reason why we wish to maintain the system of data retention. For example, when a crime happens or a child goes missing, it is impossible to know in advance which data would be relevant in any subsequent investigation. It is therefore important that we require the retention of all relevant communications data that matches a certain description wherever it is necessary and important. Because it is impossible to know which data will be the most relevant in advance of any crime, it is impossible to know whether a specific piece of data will be of value to MI5 in locating a terrorist, for example, or to the National Crime Agency in identifying a paedophile, or for any other legitimate purpose. For that reason it does not make sense for those authorities to apply for retention warrants individually. What makes sense is for the requirement of all relevant public authorities to be considered together. The person best placed to do that is the Secretary of State. Public authorities set out their requirements for data retention to the Home Office and they are then carefully considered. As they usually overlap, the Secretary of State is able to identify the specific telecommunications operators and specific data types that it is necessary and proportionate to make subject to data retention notices. As the full costs of data retention are covered by the Secretary of State, only he or she can decide whether or not the benefits of data retention are proportionate to the costs.
There has been some discussion about cost again today. The £170 million figure is based on the cost of our anticipated implementation, which takes into account data that is already obtained under existing legislation. We noted the evidence of BT when it talked about the costs being dictated by its implementation approach, and we continue to discuss implementation with those communication service providers likely to be inspected. Whatever the final cost, however, the important underwriting by the Government is a vital factor in giving reassurance to the industry, not only on the practicability of these measures, but on the importance therefore of involving the Secretary of State.
My worry is that if we went down the road proposed by the amendments, we would end up with a rather confused system that would not allow for the overall benefits of retaining a particular type of data, because the judicial commissioner would only ever be able to consider the benefits to the particular public authority applying for a warrant. It would therefore be impossible to judge the overall necessity and proportionality of requiring a particular company to retain a particular dataset.
We have heard about new clause 10 and its provisions. Given that it is impossible to predict in advance what data would need to be retained, this approach relies on data being retained only after a crime has been committed and/or an investigation has begun. Preservation only works if the data are there to preserve and it is of limited benefit without an existing retention scheme. Without data retention, data protection rules require that the data that are no longer needed for business purposes must be deleted. Without data retention, the data that are needed would not exist. Therefore, the regime of warrantry—the double lock, indeed the proposals put forward by Opposition Members—none of it would matter, because the material would not be there. That is particularly relevant when it comes to the increasing move of criminals and their ilk away from conventional telecommunications to the internet and internet connections.
A number of reports published by the EU Commission show the value of communications data and why the concept of data preservation, as envisaged in new clause 10, is not a viable alternative. In a Europe-wide investigation into online child sexual exploitation, of the 371 suspects identified here in the UK, 240 cases were investigated and 121 arrests or convictions were then possible. Of the 377 suspects in Germany, which does not have a data retention regime, only seven could be investigated and no arrests were made.
I have explained why the existing data retention regime that the Bill replicates is the appropriate model. May I deal with the change proposed by a set of amendments that involve changing the word “may” to “must” in clause 78(2)? That would require a data retention notice to cover certain issues. I am sympathetic to the aim of the amendment, because I am in favour of specific requirements, but the amendment is misconceived because subsection (7) already requires that a retention notice must specify the operator to whom it relates, the data which are to be retained, the period of retention, the requirements and restrictions imposed by the notice, and information on costs. Subsection (2) sets out the scope of what a notice may require and subsection (7) requires that the notice must make clear what is required. The two subsections are therefore aimed at different things.
The effect of this amendment would be to require a notice to cover issues that it might not have any reason to cover. For example, a retention notice may
“make different provision for different purposes”.
With respect, it therefore does not make sense to say it must make different provision for different purposes, because a notice may not relate to those different purposes. I would argue that there is therefore nothing to be gained by moving these amendments. That is all I wish to say, but for those reasons I urge hon. Members to withdraw the amendments.
I will not detain the Committee for too long; these issues have already largely been addressed. Amendments 304 and 305 seek to remove paragraphs (d) and (e) from clause 78(2). In a Bill replete with vagueness, those two subsections stand out as being particularly vague. The new clause that I will come to in a moment would require a data retention notice—or warrant, as we would wish—to be issued only for a specific investigative or operational purpose. The SNP has tabled amendments that will bring greater clarity to when and why a warrant would be issued.
As we know, communications data are defined as data that would be used to identify, or assist in identifying, the who, where and how. However, instead of allowing a blanket surveillance approach that treats everyone as a suspect, the amendments would allow the police to apply to a judicial commissioner for targeted retention warrants, in which data are required for the purposes of a specific investigation into serious crime, or for the purpose of preventing death or injury. I trust that these amendments are acceptable to the Government.
I rise to address the concerns of the hon. Gentleman. It is good to hear from him; I should have said that during the last group. He has made the point about his concerns of vagueness. However, I would argue that it is very important that a notice can have a degree of flexibility within it, because a single telecommunications operator may provide a number of different communications services, such as mobile telephony and internet access. However, there may be different complexities and sensitivities about the different types of communications data that are generated by those services. Considerable preliminary work is carried out between the Government and telecoms operators in advance of the service of a retention notice. That covers a number of issues, including the type of data that will be retained, the complexities of the operator’s systems, and the relevant security requirements. Flexibility is needed to ensure that the notice can appropriately reflect those issues, and that it imposes the minimum requirements necessary to meet the operational requirements.
What we are counter-intuitively getting at is to make sure that there is necessary give and take within the system to prevent what the hon. Gentleman and I would regard as an overweening approach from the Secretary of State, which would impede the ability of communications service providers to carry out their operations. For that reason, I respectfully urge him to withdraw the amendment.
I hear what the Solicitor General has said, but I do not wholly agree with him. I reserve the right to bring this back at a later stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Amendment 306 is tabled, quite properly, to tease out from the Government the more detailed reasoning behind the important statement made by the Home Secretary on Second Reading. The hon. and learned Lady is quite right to refer to that statement. I once again reiterate the Government’s position that we will not be requiring the retention of third party data through these provisions.
The question is how best to achieve that; therein lies the tension. Attractive though the approach advanced by the hon. and learned Lady might be, there are some drafting issues and problems about legal certainty, which mean that putting those provisions in the Bill with suitable detail is problematic.
One of the main functions of the Bill—and one of my desiderata—is to ensure that it is resilient and stands the test of time. My concern is that if we end up with a definition that is too technologically neutral, it will either fail the test of time in this place, or be subject to challenge. As a Law Officer, legal uncertainty is something I have to take very seriously when considering how legislation is presented. That is why I commend the detailed provisions within the draft code of practice on third party data—paragraphs 2.68 to 2.72—that the hon. and learned Lady referred to. That is not only an explicit reiteration of our commitment but the sort of detail needed for those operating the provisions, which could not be properly put in the Bill.
It is generally well understood what third party data are, but perhaps I should briefly explain the important areas of detail that could not be covered on Second Reading. Where one communications service provider is able to see the communications data in relation to applications or services that run over their network, but does not process that communications data in any way to route the communication across the network, then that is regarded as third party data. For example, an email provider, such as Yahoo or Gmail, knows that a certain internet access service, such as BT Internet, was used to send email, but that fact is not needed or used to send it. So it is in everybody’s interest, not least that of the service providers themselves, that there is sufficient clarity about the data that can be retained under the provisions. As I have said, I think the code of practice is the right vehicle for this. It is also the appropriate vehicle for ensuring that there can be a sufficiently detailed definition of third party data for the reasons I have outlined. In those circumstances, I respectfully ask the hon. Lady to consider withdrawing her amendment.
I am not happy about withdrawing the amendment in the absence of elaboration of what the Solicitor General means by drafting issues and problems of legal certainty. I am not clear at the moment why we cannot have both the amendment and the further elaboration that will be provided in the codes of practice.
Amendment proposed to amendment 306: (a), leave out “notice” and insert “warrant”.—(Gavin Newlands.)
Question put, That the amendment be made.
The SNP has tabled the amendments to provide for clear, appropriate and limited grounds on which data retention warrants may be issued. The amendments require that the data to be retained are specified and that organisations served with warrants to retain communications data should be identified rather than merely described.
Amendments 315 and 317 affirm that organisations that have been served a notice or warrant to retain the communications of their customers are properly and explicitly identified. The term “description of operators” is far too vague and we urge that it is changed to “or operators”. Amendment 328 ensures that those organisations are defined and named before a retention notice can be issued. Amendment 338 removes the possibility of the Home Secretary being able merely to describe the telecommunications operators that she wants to target. Amendments 361, 374 and 375 provide the basis for a concrete description to be included when there is any variation of a notice.
The amendments attempt to bring to the Bill some clarity, which is sadly lacking. It is not good enough that the Home Secretary can sign a notice that merely describes who is impinged on or directly affected by these intrusive powers, because that approach opens up the space for the powers to be abused. We need to act to ensure that, as much as possible, we operate a targeted approach.
I understand the purpose behind the amendment in that, in the opinion of the hon. Member for Paisley and Renfrewshire North, it would ensure greater specificity in the giving of notices. However, I shall give a brief example of what a “description of operators” might be. With this provision we would have been able to give the same retention notice to all wi-fi providers supplying wi-fi to the Olympic park in London during the 2012 Olympics. In these circumstances the operators are providing precisely the same kind of communications service and the data required to be retained are the same. Whether a notice relates to a description of operators or to a single operator, it can only contain what the Bill’s provisions allow and the Secretary of State must consult with the operators to which it relates. Operators also have the opportunity to refer the notice back to him or her in relation to any aspect of it. Therefore, on that basis, I invite the hon. Gentleman to withdraw his amendment.
I am content to withdraw the amendments at this stage. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
This is the first speech I have made in this place that has required an intermission. It has been suggested that I start from the beginning as I cannot remember where I had got to. I am nothing but a crowd pleaser, Ms Dorries, but I have found the place where I left off, so I shall continue.
I was saying that the question whether the Bill is in accordance with the law is up for debate. If this part is left unchanged, Liberty and others suggest that it will be in conflict with human rights law, including breaching the EU charter of fundamental rights and freedoms. In July 2015, the High Court upheld its challenge and struck down sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014, finding them incompatible with the British public’s right to respect for private life and communications, and protection of personal data under articles 7 and 8 of the EU charter of fundamental rights.
In addition, we should be mindful that the challenge against DRIPA is ongoing and that the outcome will have an impact on whether this part of the Bill is lawful, although I suspect not. On that basis, I question whether ICRs will do the job the Government intend them to do. The Home Office has become entrenched with regard to ICRs and its fixation with them is clouding its ability not only to look at alternatives, but to assess whether ICRs are proportionate, necessary or in accordance with the law. The SNP believes that ICRs fail those three basic assessments.
I want to quote an unlikely ally, who, in 2009, said in Committee:
“Our consideration of the regulations comes against the backdrop of an increasingly interventionist approach by the Government into all of our lives, seemingly taking the maxim ‘need to know’ to mean that they need to know everything. Certainly, we need to know what the Government’s intentions are in relation to the creation of a new central database, which would create a central store of our electronic communications.”—[Official Report, Fourth Delegated Legislation Committee, 16 March 2009; c. 6.]
That ally was none other than the right hon. Member for Old Bexley and Sidcup (James Brokenshire), now Minister for Immigration at the Home Office, speaking in a Delegated Legislation Committee on an EC directive with very similar provisions to parts of this Bill. That statutory instrument was passed by the House, but notable opponents included Members who are now Scottish Secretary, Home Secretary and Minister for Security—the Minister in charge of this Bill.
We in the SNP are mindful of the evidence that has been presented and submitted to the Committee, but it is our opinion, backed up by case law, that the power to retain ICRs is incompatible with the right to privacy and the protection of personal data, and I urge hon. Members to amend the Bill and ask the Government to think again.
I am grateful to hon. Members for this important debate, which, although it relates to an amendment, inevitably strayed into what is, in effect, the stand part debate on communications data.
The hon. Member for Paisley and Renfrewshire North set out his case comprehensively, but his arguments relate to measures and proposals that are not before the Committee. We have moved a long way from 2009, and certainly from 2012, when the original draft Bill was considered by a predecessor Joint Committee. We are not in the situation where the Government will hold a centralised database. That sort of measure was rightly opposed by my right hon. Friend the Minister for Immigration and other of my hon. Friends at that time, because we are naturally suspicious of an organ of Government directly blanket-holding such data.
That is why this provision is not remotely like that. It does not contain anything like the provisions that the hon. Gentleman rightly cautions against, most importantly because the retention of that data is not in the hands of Government. That arm’s length approach is a key difference, which I am afraid undermines all the seeming quality of his argument.
Will the series of private databases under the Bill be any safer from hacking than a central Government database?
The hon. Gentleman makes a proper point about security. This, in respect of the code of practice and in collaboration with the industry, will be at the forefront of everybody’s mind. What is important is that the Government do not have a pick-and-mix or help yourself avenue within which they can mine data for their own capricious purposes.
The framework of the Bill quite properly severely circumscribes the circumstances within which the Government can seek access to that material. Most importantly, when it comes to content, the warrantry system—the world-leading double lock system we are proposing—will apply. An internet connection record is not content; it is a record of an event that will be held by that telecommunications operator. It relates to the fact of whether or not a customer has connected to the internet in a particular way. If it goes further into content, the warrantry provisions will apply. It is important to remember that framework when determining, and describing and putting into context, what we are talking about. The Committee deserves better than indiscriminate shroud-waving about prospects and concerns that simply do not arise from the measures in the Bill.
The hon. Gentleman quite properly raised the Danish experience. The Danish Government and authorities are in regular conversation with the United Kingdom Government. That dialogue goes on because they are naturally very interested to see how our model develops, although there are important differences that should be set out briefly. The Danish legislation was not technology neutral, unlike these proposals, because it specified two options that proved unworkable. We work with operators case by case so that the best option for their network at the appropriate time will be determined. The Bill builds on existing data retention requirements, such as the retention of data necessary to resolve IP addresses, which regime already exists under the Counter-Terrorism and Security Act 2015. The full cost recovery underpinning by the Government means that there is no incentive for communications service providers to cut corners, as I am afraid happened in Denmark. There are important differences between the two.
The hon. Gentleman rightly talks about IPV6. Although it is a great aim and something that all of us who have an interest in this area will have considered carefully, it still is, with the best will in the world, a way away, I am afraid. It will take a long time for all service providers to implement in full, and until then, there will be both types of system. Even with IPV6, CSPs may choose to implement address sharing or network address translation, meaning that it is not the guaranteed solution that perhaps has been suggested. Servers who host illegal material are much less likely to move to that system, meaning that, in practice, IPV4 may well remain with us. We therefore have to act in the interim, because, as has been said, the drift away from what I have called conventional telecommunications to the internet carries on whether we like it or not. We have to face up to the world as it is, rather than the world as we would love it to be, and therefore take into account the fact that we are in danger of being unable to detect criminality and terrorism.
The Solicitor General says we have to face up to the world as it is. Why is it, then, that no other democratic nation in the world is implementing legislation of this sort?
The hon. and learned Lady has asked that question before, and I have said to her before that somebody has to step up, try it and make that change. I am proud that the United Kingdom is prepared to do that, as we have done it in so many ways.
Is the Solicitor General aware that it is not that other countries have not looked at the problem? They have looked at the problem and decided that this is not the way to solve it.
I am afraid I do not agree with the hon. and learned Lady. What they have looked at is the sort of centralised, governmental-based database that all of us have quite properly rejected. They are looking with interest to see how this particular proposal develops, bearing in mind that it has now been refined through many Committees of the House. Accordingly, I think what we are doing is innovative, world leading and, with its technology-neutral approach to the definitions, striking the right balance.
The problem with the amendment as I see it is not only that it is technically deficient, but that, on close reading, it does not exclude the retention of internet connection records, because it talks about the sender and recipient of communications, which is either end of the communication we are talking about when it comes to ICRs. Let us assume that that is an error. Even if we consider its intention at face value, the problem with going back to the 2009 regulations is that we are returning to the language of dial-up—the sort of non-broadband, non-mobile internet access we were all used to 15 years ago, but which now belongs in a museum. If we imprison ourselves in that sort of language, the danger that I have outlined becomes very real.
What next? Are we going back to the telex or the marconigram? We have to make sure that the language of the Bill keeps pace with the breathtaking scale of technological change. In the words of the hon. Member for Paisley and Renfrewshire North, the amendment just does not cut the mustard and I urge that it be withdrawn.
I beg to move amendment 175, in clause 79, page 62, line 34, at end insert—
“() the public interest in the protection of privacy and the integrity of personal data; and
() the public interest in the integrity of communications systems and computer networks.”.
Clause 79 sets out those matters to be taken into account before giving a retention notice, as well as likely benefits and the likely number of users. Amendment 175 would add two public interest matters to that list. My argument is similar to the one I made on other provisions. Where matters are to be taken into account, it is important that the protection of privacy and the integrity of personal data and of communications systems are specifically listed. I have moved to a position of thinking that an overarching privacy clause is probably the way to achieve this end; this is therefore a probing amendment and I will not press it to a vote.
I am grateful for the way in which the hon. and learned Gentleman states his case. To put it extremely simply, we would argue that the public interest in the protection of privacy and in the integrity of personal data are already factored in by the provisions of the Bill.
First, proportionality must include consideration of the protection of privacy. Secondly, the integrity of personal data being such an important public interest is why clause 81 requires any retained communications data to be of at least the same integrity as the business data from which they are derived. A retention notice will therefore not be permitted to do anything that would undermine the integrity of the data that the operator already holds for business purposes. That is all I want to say about the matter, but I assure the hon. and learned Gentleman that those important considerations are at the heart of the processes we have followed.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 79 ordered to stand part of the Bill.
Clause 80
Review by the Secretary of State
As the hon. and learned Gentleman says, the amendments would require that review under clause 80 be by a judicial commissioner rather than the Secretary of State. Will the Government tell us why the provision of such a route of review would not, in their opinion, give the telecommunications providers greater reassurance that notices are not only lawful, necessary and proportionate but stable and legally certain? It seems to me that a review by a judicial commissioner, or at the very least by the Investigatory Powers Commissioner, would provide that reassurance.
The hon. and learned Lady asks a perfectly proper question. I reiterate the position that we have taken in principle: the Secretary of State is the appropriate and accountable person to be responsible for reviewing retention notices. However, although the Secretary of State must be responsible for giving notices and must therefore be the person ultimately responsible for deciding on the outcome of the review, that does not mean that she or he can make the decision on the outcome of the review without consultation—far from it.
Clause 80(6) ensures that the Secretary of State must consult both the Investigatory Powers Commissioner and the technical advisory board. The commissioner must consider the proportionality of the notice; the board must consider the technical feasibility and financial consequences of it; and both must consult the operator concerned and report their conclusions to the operator and the Secretary of State. Only then can the Secretary of State decide whether to vary, revoke or give effect to the notice. That system provides rigorous scrutiny of the notice and maintains the accountability of the final decision resting with the Secretary of State. We therefore believe it is the best mechanism for review. Accordingly, I commend the unamended clause to the Committee.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 80 ordered to stand part of the Bill.
Clause 81
Data integrity and security
Question proposed, That the clause stand part of the Bill.
I seek the Minister’s guidance. Throughout our considerations, I have spoken of my fears whether data held under this Act are held securely. I hope that clause 81 will address many of my fears; I seek the Minister’s advice on whether it lays responsibility on communications providers to maintain those data securely. I simply reiterate my concern that when theft does take place, there has to be a consideration of an offence of unlawful possession of stolen data, on the basis that the communications provider that has suffered the theft would also be legally responsible for that theft when the provider is in fact a victim of the theft itself. Bodies that seek to obtain illicitly a person’s private communications data may try to make financial gain as a result. Is the Minister confident that clause 81 gives me the kind of assurances that I have been looking for on internet security? Is there sufficient deterrent, in terms of possession of unlawfully obtained data, that might be included later in the Bill?
The hon. Gentleman has been consistent in stating his concerns. I assure him that clause 81 contains the sort of requirements that he would reasonably expect. It sets out the matter clearly. It should be read in conjunction not only with other legislation that I have mentioned, such as the Data Protection Act 1998 and the Privacy in Electronic Communications Regulations 2003, but with clause 210, which provides for the Information Commissioner to audit the security, integrity and destruction of retained data, and the codes of practice to which I referred earlier. The provisions in the communications data draft code of practice go into more detail about the security arrangements.
We had a discussion some days ago about the existence of adequate criminal legislation. The Bill has a number of provisions that relate to those who hold data, and we discussed whether existing legislation could cover those who come into possession of the data unlawfully. I say to the hon. Gentleman that I will take the matter away and consider it, and come up with a proper considered response to his query.
Question put and agreed to.
Clause 81 accordingly ordered to stand part of the Bill.
Clauses 82 and 83 ordered to stand part of the Bill.
Clause 84
Enforcement of notices and certain other requirements and restrictions
I beg to move amendment 225, in clause 84, page 65, line 20, after “not”, insert “, without reasonable excuse,”.
There are two points to make here. One is to state the principle that reasonable excuse defences are needed to protect those who are exposed in wrongdoing. We had that debate last week and I listened carefully to the response given. The practical reason is the inconsistencies may be intentional, or they may be unintentional. Clause 73(1), under which unlawful disclosure is made an offence under part 3, has a “without reasonable excuse” provision. Clause 84, which is in part 4, does not. There may be a very good reason for that, but it escapes me at the moment. That is either a point that the Solicitor General can deal with now, or I am happy for him to deal with it later on. It may be just one of those things when you draft a long, complicated Bill, but there is an inconsistency of approach here, because reasonable excuse is sometimes written in and other times not, for no apparent reason.
The hon. and learned Gentleman asks what the policy objective is of not having such a defence. The clear policy underlining this is the Government’s policy of not revealing the existence of data retention notices. They are kept secret because revealing their existence could damage national security and hamper the prevention and detection of crimes, because criminals may change how they communicate in order to use a provider that is not subject to data retention requirements. Clause 84 places a duty on providers not to reveal the existence of notices.
Just to be clear, I do not need to be persuaded about the policy objective of a clause that keeps a retention notice safe. It is the policy objective of not having a “reasonable excuse” defence to the provision, which operates as an exclusion to the prohibition, of which I need to be persuaded. I do not need persuading about the prohibition for safety.
I was coming to that. We are talking about a duty here; the earlier clause the hon. and learned Gentleman referred to is an offence. That will, I think, explain the importantly different context.
To deal with the question of “reasonable excuse”, the problem is that once the information is out in the public domain, it cannot be withdrawn—whether that information has been introduced with good or bad intentions does not matter. It cannot be right for the Bill to allow a person to release sensitive information in that way and then subsequently rely on a “reasonable excuse”.
May I deal with clause 84(4), which is relevant to this provision? It provides an exemption where the Secretary of State has given permission for the existence of the notice to be revealed. The Government intend that such permission would be given, for example, where a provider wishes to discuss the existence of their retention notice with another provider subject to similar requirements. Should the operator wish to reveal the existence of the notice, they should discuss the matter with the Secretary of State, and in such circumstances permission is likely to be given. There will be those sorts of scenarios, as I am sure the hon. and learned Gentleman will understand, and they will help improve the operational model.
My concern about using the “reasonable excuse” provision in the context of a duty would be that it would undermine the important policy objective that I have set out. For that reason I would urge the hon. and learned Gentleman to withdraw the amendment.
I will withdraw the amendment. As to the difference between a duty and an offence, I understand that in principle, but I am pretty convinced that elsewhere in the Bill a breach of the duty becomes an offence, as otherwise it is an unenforceable provision, so I am not sure it is a distinction that withstands scrutiny. That being said, I am not going to press this to a vote. It would be helpful and reassuring if the Solicitor General would agree to set out the route by which a whistleblower brings this to attention. I think we have already agreed in general terms and it may come within the umbrella of the undertaking that has been given; if it does, all well and good. That would reassure those that have concerns about exposing wrongdoing. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
These amendments were consistent with earlier amendments that have now been withdrawn, the purpose of which was to put the decision-making power in the hands of the Investigatory Powers Commissioner or the judicial commissioner. The other amendments having been withdrawn, I will not press these to a vote; they do not make sense within the unamended Bill as it now stands.
We have already discussed the importance of protecting the identities of those companies subject to data retention notices, but there are circumstances where a telecommunications operator should be able to disclose the existence of a retention notice. Clause 84 allows the Secretary of State to give them permission to do so. The amendment would ensure that a telecommunications operator could disclose the existence or content of a retention notice to the IPC without the need for permission to be given. I would say the proposal is unnecessary, because it is absolutely the Government’s intention to give telecommunications operators permission to disclose the existence and content of the retention notice to both the relevant oversight bodies—the IPC and the Information Commissioner—at the point at which a notice is given. In any event, clause 203 as drafted would permit the telecommunications operator to disclose a retention notice to the IPC in relation to any of his functions.
Amendment 224 would mean that the IPC, not the Secretary of State, would be granting permission for a telecoms operator to disclose the existence of the notice. In practice the Secretary of State would consider, at the point that a retention notice was issued, to whom the telecommunications operator could disclose the existence of a notice. It would not make any sense for this issue to be considered separately by the commissioner following the issue of a notice by the Secretary of State.
Further requests by a telecommunications operator to disclose a retention notice are likely to cover administrative matters, such as disclosure to a new systems supplier. Such matters should appropriately be considered by the Secretary of State. I think that explanation not only justifies opposition to the amendments, which I know are being withdrawn, but supports clause 84.
I have nothing further to add, so I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.