Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

- View Speech - Hansard -

Copy Link

-

Let me start with two thank yous. First, let me put on record my party’s gratitude to the intelligence services and law enforcement organisations that work so incredibly hard to keep all our citizens safe in the face of constantly changing and developing threats. Secondly, I thank all those who took part in the reviews of the 2016 Act that have informed the Bill. However, as Lord Anderson said in his own review, they should be a starting point for parliamentary scrutiny and debate rather than a finishing point.

Although any opportunity to revisit and improve the 2016 Act would generally be welcome, my party has serious concerns about certain provisions in this amendment Bill. In short, while it is constantly presented as “updating”, and as protecting and making efficient pre-existing powers, we fear that the reality is a very significant expansion of what are, we must remember, already extraordinarily wide powers by international standards. There are significant privacy and human rights risks, and the danger of increasingly widespread suspicionless surveillance. We fear that we may be handing invasive powers to intelligence and law enforcement agencies not because the powers are necessary or essential to their work but because they are convenient, and that is not striking the right balance.

All this is consistent with the very detailed and principled privacy and human rights concerns that my party raised in relation to the 2016 Act itself—particularly in the speeches made by my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), who is here to take part in the debate again today. As will be the case today, we did not oppose the Second Reading of that Bill, but in the absence of important amendments, or concessions and reassurances—again, as with the 2016 legislation—we keep open the option to oppose the current Bill at a later stage.

Today I will focus on concerns relating to bulk personal datasets, and on notices relating to changes in telecommunication services. I will also briefly flag up our concerns about internet connection records and changes to the offence of unlawfully obtaining communications data. My party also believes that this Bill provides an opportunity to revisit the whole issue of snooping on parliamentarians, if we are bold enough to take it.

I shall turn first to bulk personal datasets and part 7 of the 2016 Act. In short, we struggle to see that the proposed changes have been shown to be necessary. We fear that they will instead create even larger gaps in the oversight regime in relation to these capabilities. A whole host of concerns arises in relation to the provisions of clause 2 and the concept of data in relation to which there can be

“low or no reasonable expectation of privacy”.

Bluntly, I struggle to see how a decision maker is supposed to assess people’s reasonable expectations of privacy, and when we say “people” we can be talking about hundreds or thousands of people or potentially several million people. Within that group of individuals there will be many varying attitudes to further privacy, and the data related to individuals could vary hugely from the mundane to the deeply personal. It may be that there is supposed to be some type of “reasonable person” test applied, but is that reasonable person black, gay, Jewish or indeed a trade unionist? How are potentially very different subjective attitudes to be accounted for? These might seem like odd questions, but the experience in the United States of America, where a similar test is involved, proves that these questions are very real indeed. Is it a general question of privacy in relation to the data or a more specific question of expectations of the use of that data by intelligence services? What precisely is low expectation? This seems to be an impossible assessment to undertake in any realistic or meaningful sense.

Stuart C. McDonald

- Hansard -

Copy Link

-

My hon. and learned Friend will not be surprised to hear that I completely agree with her.

In fact, that brings me to the next point I want to raise in relation to clause 2. As well as putting in place what I struggle to see as being a reasonably operated assessment, the clause raises concerns in relation to consistency with data protection legislation and with human rights obligations. The factors to be taken into account when undertaking that really difficult assessment do not even expressly include the sensitivity of the data in question, which surely should be central to any question of processing. That is an inconsistency with existing data protection principles and laws, and I agree that the compatibility of such provisions with our human rights obligations is also surely highly dubious. Just because someone has shared personal data does not mean that they automatically lose their right to further protection around how that data is shared and processed, especially when it is sensitive personal data, as my hon. and learned Friend has just said.

The role of judicial commissioners in this area is even further diluted, reduced to reviewing by judicial review standards whether datasets do indeed relate to data where there can be low or no expectation of privacy. Frankly, that is not a safeguard at all. At the very least, their role needs to be strengthened when the Bill is considered in Committee. We also need to seek assurances around how the Bill will impact on the reporting of the retention and use of bulk personal datasets. If large numbers are retained under category authorisations, we may not know how many datasets are actually being gathered.

Let me turn to various aspects of part 4, on notices. Again there are some controversial provisions, particularly in clause 21 and the requirement on selected telecommunications operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively affect existing lawful access capabilities. That seems like an extraordinarily broad power, without anything remotely appropriate in terms of oversight and limitations. These powers are going to make the UK a real outlier. Essentially, the Secretary of State will be empowered to say to tech companies, “You are not allowed to improve your products without consulting us, so that we can still break in to access the data that we need and when we want it”. Despite what the Secretary of State says, taken together with other changes to review processes, such powers could easily be used to significantly delay, or de facto veto, updates to security, rendering everybody’s data more vulnerable to hacking by third-party actors.

Stuart C. McDonald

- Hansard -

Copy Link

-

I am grateful for that clarification from the Minister, and we will of course engage further in this debate in Committee.

These concerns have been raised not just by me but by significant tech companies; this is not something that has come to me simply through perusing the Bill. The key question remains: why is there to be no proper oversight of these notices and notice powers by independent advance authorisation? Why is there not even the double lock that applies to other notices that can be served on communications providers under that Act? Surely that scrutiny should be carried out in advance. There are also lots of question marks around the expanded claims of international jurisdiction. How will potential conflicts of law be resolved, especially if a company subject to one of these notices that is contrary to its domestic laws cannot even say anything about it because it is bound to secrecy by this legislation? What are the prospects of other Governments copying what our Government are doing and seeking to replicate such provisions, and what would the impact of that be on UK companies?

Turning to internet connection records, the starting point is that we should remember that no other European Union or Five Eyes country permits the requiring of ICR generation or retention in relation to its own residents, so this was a hugely controversial development in the 2016 Act. As we have heard, ICRs can reveal huge amounts of deeply sensitive information about a person. For now, secret services can seek ICRs only when certain facts that are already known, such as the identity of a person connecting or the time and use of the connection, so that the retention is at least targeted in some way.

The risk in this Bill is that reasonable suspicion will no longer precede targeted surveillance. Instead, the Bill would seek to use ICRs for the discovery of new targets, which is a really significant jump and development. I can genuinely understand some of the reasons being offered for this change, and I am not unsympathetic to the case being made, but if these powers are not carefully circumscribed, they risk creating a big step towards mass surveillance and fishing exercises. We need to ask whether there are less invasive alternatives and whether these powers are therefore really necessary. Alternatively, we need to look again at the oversight mechanisms for the use of these powers.

We also have concerns about the Bill’s proposals in relation to the offence created by the 2016 Act, where relevant persons in a relevant public body knowingly or recklessly obtain communications data from a telecoms or postal operator without lawful authority. This Bill seeks to set out examples of what would amount to lawful authority, which is a laudable aim. However, there are real questions about whether some of the examples in clause 12 are not in fact redefining the concept of lawful authority. In particular, the assertion that there would be lawful authority simply because

“the communications data had been published before the relevant person obtained it”

is controversial. That is particularly so when

“‘published’ means make available to the public or a section of the public (whether or not on a commercial basis).”

As I said in relation to bulk personal datasets, limited publication is not authority for intrusive surveillance. Could a simple private message not amount to publication of comms data? The implications of this definition of lawful authority need very careful scrutiny indeed.

Finally, on the interception and hacking of parliamentarians, making provision for circumstances where the Prime Minister is unavailable to play his part in a triple lock seems sensible, but the fact that the issue of snooping on MPs and others is being revisited should trigger us all to rethink the whole scheme. Our role of representing our constituents, interrogating legislation and holding the Government to account should not be interfered with lightly. We should take the chance to consider post-surveillance notification of MPs who have been spied upon, by judicial commissioners, once investigations are completed. As matters stand at the moment, redress is almost impossible to obtain. We should also require that the investigatory power commissioners be informed every time these powers are used, so that there is transparency about how often this is happening. All other options should be on the table as well.

I started by thanking intelligence and law enforcement authorities and I am happy to do so again in closing, but our respect for them does not mean we should ever consider writing blank cheques or handing them whatever powers they ask for. They are not perfect. From time to time they exceed their powers and certain individuals abuse their lawful capabilities. The powers that they seek through this Bill are extremely invasive and broad in scope. There is a real danger that key provisions of the Bill will go beyond what is necessary and get the balance with privacy and human rights wrong. These provisions will need serious scrutiny and revision in Committee, and that is what we in the SNP will seek to secure.