(9 months, 2 weeks ago)
Public Bill CommitteesFirst, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
(9 months, 2 weeks ago)
Public Bill CommitteesClause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems to it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.
Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.
Amendment 1 agreed to.
Amendment made: 2, in clause 11, page 32, line 19, at end insert—
‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—
(a) in subsection (2), after paragraph (b) insert—
“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”
(b) after subsection (4) insert—
“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.
(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”
(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—
(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;
(b) in subsection (5)—
(i) the words from “section” to the end become paragraph (a), and
(ii) after that paragraph insert “, or
(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”
(c) in subsection (6), for “reference” substitute “complaint or reference has been”.
(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—
“(8) In this section “relevant Commissioner” means—
(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,
(b) the Investigatory Powers Commissioner for Northern Ireland, or
(c) the Information Commissioner.”’—(Tom Tugendhat.)
This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).
Clause 11, as amended, ordered to stand part of the Bill.
Clause 12
Offence of unlawfully obtaining communications data
I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.
This amendment would remove one of the examples cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.
The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.
It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:
“where the communications data had been published before the relevant person obtained it”.
We are concerned that that is not a correct expression of the law as it stands.
The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.
We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.
I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.
While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.
I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.
The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.
Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.
Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.
Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.
I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.
I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 12 ordered to stand part of the Bill.
Clauses 13 and 14 ordered to stand part of the Bill.
Schedule agreed to.
Clause 15
Internet connection records
Question proposed, That the clause stand part of the Bill.
The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.
The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.
The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.
The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.
I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?
“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.
That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.
As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.
In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.
Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.
Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.
Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.
Clause 17 amends section 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.
I have some comments to make about extraterritoriality, but I will do so in the next debate.
Question put and agreed to.
Clause 16 accordingly ordered to stand part of the Bill.
Clause 17 ordered to stand part of the Bill.
Clause 18
Review of notices by the Secretary of State
Question proposed, That the clause stand part of the Bill.
I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.
The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:
“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”
Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State
“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”
Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.
As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.
According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.
In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.
I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.
Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.
The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.
The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.
It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.
It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.
The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.
I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?
Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.
On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.
Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.
Question put and agreed to.
Clause 18 accordingly ordered to stand part of the Bill.
Clause 19 ordered to stand part of the Bill.
Clause 20
Renewal of notices
Question proposed, That the clause stand part of the Bill.
Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.
Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.
The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.
To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.
Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.
I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.
The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.
The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.
I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:
“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”
They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that
“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”
I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.
I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.
Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.
This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.
I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.
Amendment 6 agreed to.
Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.
See amendment 6.
Amendment 8, in clause 21, page 45, line 29, at end insert—
“‘relevant operator’ has the same meaning as in that section.”
See amendment 6.
Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.
This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.
See amendment 6.
Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.
See amendment 6.
Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.
See amendment 6.
Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)
See amendment 6.
Clause 21, as amended, ordered to stand part of the Bill.
Clause 22
Interception and examination of communications: Members of Parliament etc
I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.
New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.
Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.
In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would needed to allow such a measure to be implemented.
The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians thorough the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.
This proposal is not without some difficultly, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.
On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.
(10 months ago)
Commons ChamberMy hon. and learned Friend will not be surprised to hear that I completely agree with her.
In fact, that brings me to the next point I want to raise in relation to clause 2. As well as putting in place what I struggle to see as being a reasonably operated assessment, the clause raises concerns in relation to consistency with data protection legislation and with human rights obligations. The factors to be taken into account when undertaking that really difficult assessment do not even expressly include the sensitivity of the data in question, which surely should be central to any question of processing. That is an inconsistency with existing data protection principles and laws, and I agree that the compatibility of such provisions with our human rights obligations is also surely highly dubious. Just because someone has shared personal data does not mean that they automatically lose their right to further protection around how that data is shared and processed, especially when it is sensitive personal data, as my hon. and learned Friend has just said.
The role of judicial commissioners in this area is even further diluted, reduced to reviewing by judicial review standards whether datasets do indeed relate to data where there can be low or no expectation of privacy. Frankly, that is not a safeguard at all. At the very least, their role needs to be strengthened when the Bill is considered in Committee. We also need to seek assurances around how the Bill will impact on the reporting of the retention and use of bulk personal datasets. If large numbers are retained under category authorisations, we may not know how many datasets are actually being gathered.
Let me turn to various aspects of part 4, on notices. Again there are some controversial provisions, particularly in clause 21 and the requirement on selected telecommunications operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively affect existing lawful access capabilities. That seems like an extraordinarily broad power, without anything remotely appropriate in terms of oversight and limitations. These powers are going to make the UK a real outlier. Essentially, the Secretary of State will be empowered to say to tech companies, “You are not allowed to improve your products without consulting us, so that we can still break in to access the data that we need and when we want it”. Despite what the Secretary of State says, taken together with other changes to review processes, such powers could easily be used to significantly delay, or de facto veto, updates to security, rendering everybody’s data more vulnerable to hacking by third-party actors.
That is simply incorrect, and I know that the hon. Gentleman would not wish to continue down a road that he knows to be incorrect. Let me just be very clear: this is a continuation of a power that was granted in 2016. The notice does not extend that power; it merely enables a conversation to begin with companies before any action is taken, to maintain an existing standard and not in fact to change it.
I am grateful for that clarification from the Minister, and we will of course engage further in this debate in Committee.
These concerns have been raised not just by me but by significant tech companies; this is not something that has come to me simply through perusing the Bill. The key question remains: why is there to be no proper oversight of these notices and notice powers by independent advance authorisation? Why is there not even the double lock that applies to other notices that can be served on communications providers under that Act? Surely that scrutiny should be carried out in advance. There are also lots of question marks around the expanded claims of international jurisdiction. How will potential conflicts of law be resolved, especially if a company subject to one of these notices that is contrary to its domestic laws cannot even say anything about it because it is bound to secrecy by this legislation? What are the prospects of other Governments copying what our Government are doing and seeking to replicate such provisions, and what would the impact of that be on UK companies?
Turning to internet connection records, the starting point is that we should remember that no other European Union or Five Eyes country permits the requiring of ICR generation or retention in relation to its own residents, so this was a hugely controversial development in the 2016 Act. As we have heard, ICRs can reveal huge amounts of deeply sensitive information about a person. For now, secret services can seek ICRs only when certain facts that are already known, such as the identity of a person connecting or the time and use of the connection, so that the retention is at least targeted in some way.
The risk in this Bill is that reasonable suspicion will no longer precede targeted surveillance. Instead, the Bill would seek to use ICRs for the discovery of new targets, which is a really significant jump and development. I can genuinely understand some of the reasons being offered for this change, and I am not unsympathetic to the case being made, but if these powers are not carefully circumscribed, they risk creating a big step towards mass surveillance and fishing exercises. We need to ask whether there are less invasive alternatives and whether these powers are therefore really necessary. Alternatively, we need to look again at the oversight mechanisms for the use of these powers.
We also have concerns about the Bill’s proposals in relation to the offence created by the 2016 Act, where relevant persons in a relevant public body knowingly or recklessly obtain communications data from a telecoms or postal operator without lawful authority. This Bill seeks to set out examples of what would amount to lawful authority, which is a laudable aim. However, there are real questions about whether some of the examples in clause 12 are not in fact redefining the concept of lawful authority. In particular, the assertion that there would be lawful authority simply because
“the communications data had been published before the relevant person obtained it”
is controversial. That is particularly so when
“‘published’ means make available to the public or a section of the public (whether or not on a commercial basis).”
As I said in relation to bulk personal datasets, limited publication is not authority for intrusive surveillance. Could a simple private message not amount to publication of comms data? The implications of this definition of lawful authority need very careful scrutiny indeed.
Finally, on the interception and hacking of parliamentarians, making provision for circumstances where the Prime Minister is unavailable to play his part in a triple lock seems sensible, but the fact that the issue of snooping on MPs and others is being revisited should trigger us all to rethink the whole scheme. Our role of representing our constituents, interrogating legislation and holding the Government to account should not be interfered with lightly. We should take the chance to consider post-surveillance notification of MPs who have been spied upon, by judicial commissioners, once investigations are completed. As matters stand at the moment, redress is almost impossible to obtain. We should also require that the investigatory power commissioners be informed every time these powers are used, so that there is transparency about how often this is happening. All other options should be on the table as well.
I started by thanking intelligence and law enforcement authorities and I am happy to do so again in closing, but our respect for them does not mean we should ever consider writing blank cheques or handing them whatever powers they ask for. They are not perfect. From time to time they exceed their powers and certain individuals abuse their lawful capabilities. The powers that they seek through this Bill are extremely invasive and broad in scope. There is a real danger that key provisions of the Bill will go beyond what is necessary and get the balance with privacy and human rights wrong. These provisions will need serious scrutiny and revision in Committee, and that is what we in the SNP will seek to secure.
(2 years, 1 month ago)
Commons ChamberI thank the Minister for his statement. Like him and the shadow Home Secretary, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), I pay tribute to all those working so hard to protect us.
We all wish the Minister well in his work to strengthen national security and we will work constructively with him to that end. In principle, a taskforce is welcome; the devil will be in the detail and the proof in the pudding. For example, will he tell us more about the timescale and how its membership will be appointed, and will he say more about the participation of devolved Governments in it?
Although we acknowledge that the Minister takes national security incredibly seriously, he will appreciate that lots of questions are still outstanding about his colleagues. As we heard, the former Prime Minister and Foreign Secretary had her phone hacked, apparently revealing highly sensitive discussions and information. Her predecessor had his phone number freely available online for 15 years, and had a meeting with a former KGB agent without officials. A Home Secretary has resigned in recent days over her use of personal phones and emails for official business, only to be reappointed within days. Recent High Court papers suggested that “government by WhatsApp” was the norm. A taskforce is all well and good, but those questions must be answered.
I appreciate that the Minister cannot say much at the Dispatch Box about the hacking of the former Prime Minister’s phone, but can he reassure us that steps are being taken to ensure that nothing similar happens again? Does he agree that there should be some form of inquiry into that incident and will he commit to full co-operation with that? Will he say whether government by WhatsApp is still considered appropriate? Will he confirm the status of the documents that the Home Secretary sent to her private email?
Finally, what steps is the Minister taking to reassure our international partners? We know that they take a dim view of the security mess at the heart of the Government. Frankly, how can we expect them to share anything with us when too many of his colleagues appear to be playing fast and loose with what they are told?
I thank the Scottish National party spokesman for his co-operative tone in regard to how we will work together on this issue. I will set out details and be in touch with the devolved Governments and Administrations to make sure that their views are fully taken into account and that the important different needs of different devolved areas are respected and play fully into the taskforce.
It is essential that we recognise that, sadly, this is not simply a matter for the United Kingdom. The reality is that the points that the hon. Gentleman made also apply to friends and partners around the world. We have seen very significant reports of intrusion and intervention into electronic communications in other countries. Sadly, that includes France, where President Macron set out his issues with Russian hostile activity at the time of the general election only a few years ago; and there are other such reports in other jurisdictions.
We are working together with friends and partners on this issue, because the reality is that the defence of democracy does not stop at the United Kingdom coast but continues in depth when we work with partners and allies. We will only be safe when we support others to guarantee their freedoms so that ours are even more secure.
(2 years, 1 month ago)
Commons ChamberUrgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.
Each Urgent Question requires a Government Minister to give a response on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
I, too, congratulate the hon. Member for Rutland and Melton (Alicia Kearns) on securing this important urgent question, and I welcome the Minister to his place.
These are really alarming and incredibly serious allegations, which, as the Minister says, have to be properly investigated. Indeed, the suggested international scale of these activities across 30 countries on five continents is actually pretty shocking. Given the international perspective, what discussions are the Minister and his counterparts having with colleagues in the EU and beyond about how they can co-ordinate on this matter?
What steps can the Minister say have been taken to ensure that law enforcement and security services have the skills and resources to tackle the matter? This seems a recent and different challenge for them. Will he say a little more about the co-ordination with devolved Governments who have responsibility for policing?
The Minister expressed confidence that the powers in the National Security Bill, which we have debated at some length, will be sufficient to tackle this type of alleged activity. Will he express a willingness to use those powers if these allegations are made out?
Finally, does the Minister agree that, while our attention is rightly focused on the bad actors seeking to control and coerce Chinese residents, BNOs and others, it is all the more important that we remember and support the many other groups, businesses and individuals who do positive work in supporting their communities to contribute to our society?
I thank the hon. Member for the tone with which he has addressed these questions. This is truly a United Kingdom issue, and the way to address them is for the United Kingdom to work together.
The hon. Member is absolutely right that there are wider dimensions, which include our friends and allies around the world. The Government have already been working with Governments around the world to make sure that we deal with the repression and oppression that we are seeing in different places. He will remember well the way in which the United Kingdom stood so clearly with the Government of Canada to call out the illegal detention of Michael Spavor and Michael Kovrig. I am delighted to say that that will continue.
The hon. Member is right that working with police forces across the United Kingdom—including Police Scotland, which does excellent work—is really important, but it is also important that they have access to the resources that we are able to bring as the United Kingdom. The agencies that do so much to support us all are essential.
I am grateful for the hon. Member’s kind words about the National Security Bill. His support on that Bill has been incredibly important and demonstrates that this truly is a cross-party, cross-nation effort to keep the whole of the United Kingdom safe. He can be absolutely assured that I will not hesitate to use the powers in the Bill should they be required.
The hon. Member’s question on the community is also really important. We need to make it absolutely clear that what we are resisting here is authoritarian Governments seeking to influence free people. We welcome people from across the world. We welcome people from communities that may be repressed at home but can be free here. It is essential that we champion those who can enjoy freedom here, and the Hongkongers are a clear demonstration that this Government and this country welcome those seeking freedom.
(2 years, 2 months ago)
Public Bill CommitteesI will make a couple of brief points. The broad thrust of the new schedule and the intention behind it seem absolutely fine, but I am interested in the tests that must be satisfied before an order is made. Under the previous schedule on disclosure orders, the judge has to be satisfied that there are reasonable grounds for suspicion, that there is substantial value in the information gained under the order and that the order would be in the public interest.
In contrast, here in new schedule 2, the judge has to be satisfied only that the order is sought for the purposes of an investigation and that it will enhance the effectiveness of that investigation. That seems a pretty low bar to allowing this pretty invasive procedure to be gone through. Why that choice of language? I guess it is modelled on the provisions that have been mentioned. I have probably not been as diligent as the shadow Minister has in doing my homework and tracking through the previous bits of legislation, and I will now do that. The information gained under these orders could be pretty intrusive, so we need to ensure we are not giving carte blanche to all sorts of intrusive investigations. I am a little bit concerned about the low level of test, compared with the test for disclosure orders.
My second, brief point is that paragraph 4 of the new schedule suggests that the person whose records are about to be trawled through can seek to vary or discharge the order. It is not clear to me how they would go about doing that, given that I suspect most orders will be made without any notice, and they can even be made by a judge in chambers. What assurance can we have that people will be able to challenge this potentially intrusive investigation?
The question as to why we have not addressed this sooner is a fair one. The UK’s investigation legislation is complex, as the hon. Member for Halifax knows only too well from the homework she has obviously done for our sittings. For example, in the Proceeds of Crime Act there are more than seven investigatory orders used in criminal and civil investigations. The consideration that has gone into this has naturally been complex, and it has required a lot of time and input. This Bill, as she knows very well, has been some years—and, indeed, some Ministers—in the making.
Let me be completely clear, because subsection (8) makes it completely clear: there is no requirement for a foreign power itself to register. We cannot compel foreign powers or entities to register; this is a compulsion on UK entities or individuals.
The scheme intends to increase assurance and transparency to activities being carried out for a foreign power, where the involvement of that foreign power might otherwise not be apparent. As such, we would not expect other Governments to register with the scheme in respect of activity that they themselves are undertaking. As the later “interpretation” clause will make clear, that includes any person acting in the capacity of an office holder, employee or other member of staff of the foreign power, or a person whom the Secretary of State reasonably considers to be exercising such functions.
This scheme has been designed to avoid interference with our obligations under international law regarding the diplomatic and consular relations between countries, as well as the need to protect routine Government-to-Government engagement—the official visits of officials, military and other agencies of a state, for example.
Secondly, subsection (2) sets out the definition of “arrangement”, which requires there to be direction from a specified foreign power or entity to a person. That element of direction is important because it envisages a power relationship between the specified foreign power or entity and the person. The specified foreign power or entity has told the person to carry out the activity, or arranged for it to be carried out. While in practice it is entirely likely for a direction to be delivered in the language of a request, the context of the relationship between the specified foreign power or entity and the person being directed will ultimately determine whether it falls within scope.
What happens if an intermediary is involved? What if a designated state power says to someone locally, “You arrange for these activities”, rather than saying to someone in the United Kingdom, “I want you to undertake these activities”? That falls within the terms of the new clause. That intermediary then instructs people in the United Kingdom to undertake activities. Does that not mean there is a gap in the clause and that people in the UK undertaking those activities would not have to register anything? It would be almost impossible to enforce against that intermediary requirement to register. Is there not a potential problem there?
My understanding is that—in fact, I will come back to that when I sum up, because the hon. Gentleman has raised an interesting point.
We consider a power relationship to include, for example, where the specified foreign power or entity has formally contracted a person’s support for an activity, or where it is paying a person to deliver a service. It could also include a situation where a specified entity is making a request of its subsidiary—again, the direction might be in the language of a request, but the power relationship would make it a direction. Where such formal structures are not established, a direction should include where a person is requested to act, but through the promise of compensation or coercion—for example, future payment, benefit or favourable treatment.
To be clear, though, it would not be enough for a specified foreign power or entity to simply provide funding in support of an activity—through subsidy or donation, for example. Nor could a generic request from a specified foreign power or entity be considered a “direction”—a request made through a public communication to a large distribution or mailing list, for example.
A power relationship, whether formal or informal, is necessary to ensure that unilateral activity on the part of the person is not within scope and nor is activity that is part of a collaboration and absent a power relationship. We shall set out in guidance what we intend by a direction so that it is clear to the public and to the courts what arrangements are registrable.
An arrangement also captures where a person is to arrange for activity to be carried out at the direction of a specified foreign power or entity, as well as where the person is to carry out the activity themselves. That is to ensure that a person in a direct arrangement with a specified foreign power or entity cannot avoid registration by simply contracting out the activity to a third party, creating a degree of separation between the specified foreign power or entity and the ultimate person who will carry out the activity.
Thirdly, I turn to the definition of “control”, where a specified entity is said to be subject to foreign power control. It is important that we capture the commonly used practice of foreign powers channelling state threat activity through private entities. To capture this effectively we have defined “control” under subsection (5) as being where a foreign power holds, be it directly or indirectly, more than 25% of the shares or voting rights of the entity, or the foreign power can appoint or remove officers of the entity.
Control can also be demonstrated where the foreign power has the right to direct or control the entity’s activities, allowing the Secretary of State flexibility if foreign powers exercise other significant forms of control that fall below those thresholds. The more than 25% threshold is in line with existing legislation on substantial control over an entity.
(2 years, 2 months ago)
Public Bill CommitteesIf the right hon. Gentleman will forgive me, I will come to that in a moment.
New clause 20 provides the Secretary of State with the ability to give a notice to a person who has registered with FIRS, or who should have registered with FIRS but has not. On receipt of an information notice, the person will be required to provide the information requested within the specified timeframe. Failure do so without a reasonable excuse will be an offence. Receiving an information notice does not mean that an individual is guilty of a FIRS offence or that they are engaged in wrongdoing. It is, fundamentally, a tool to provide reassurance that individuals are meeting their registration requirements.
I have a question about the new clause, and it may save the Minister from having to make a speech. With power, unlike with other notice powers, there seems to be virtually no limit on the nature of information that can be requested. There is no judicial oversight or right to challenge. It seems to be an incredibly broadly drafted power, and I do not understand why.
The hon. Member for Halifax has raised the question of oversight on various occasions and I have already committed to discussing it with her, so I will come back to that point. As for the nature of the information required, that will depend on the nature of the business. It is broad, as the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East correctly identified.
Where a person is suspected of committing a FIRS offence, the information gathered as a result of these notices can be used to support the investigation and prosecution of a FIRS offence. New clause 21 makes provisions clarifying that a person does not have to disclose any information that is protected by legal professional privilege or confidential journalistic material, or that would require them to identify or confirm a source of journalistic information.
Legal professional privilege, commonly referred to as LPP, or as confidentiality of communications in Scotland, is a fundamental tenet of UK law and protects those seeking legal advice and representation in the UK. It ensures that material such as communications between clients and their lawyers—and, in some circumstances, third parties—is protected from disclosure. LPP does not arise where a lawyer’s assistance has been sought to further a crime or fraud. Any disclosure requirement in FIRS that could have the effect of breaching LPP would fundamentally infringe the rights of individuals to receive confidential legal advice, where that advice is not for the purposes of enabling a crime, and their rights to a fair hearing.
There is also legal precedent for protecting against the disclosure of confidential journalistic material or sources of journalistic information, unless the power to require disclosure has been subject to prior or immediate after-the-event judicial or other independent or impartial scrutiny. The Government consider that protections for such material should also be included in FIRS to ensure adequate protections for journalists and their sources. The protections will apply even if a journalist or a recognised news publisher has to register under the enhanced tier of the scheme. The Government propose this new clause to ensure that FIRS upholds the rule of law and fair access to justice. It will ensure that there is adequate protection for confidential journalistic material and information related to journalistic sources.
New clause 25 allows the Secretary of State to make regulations about the publication or copying of information provided through registration. The ability to publicise certain information registered with the scheme is vital to delivering the aims of FIRS, by ensuring that the influence of foreign powers and entities is open and transparent. We intend to publish information registered under the primary or enhanced requirements that relates to the carrying out of political influence activities. The regulation-making powers also provide the flexibility to publish information registered about a wider range of activity under the enhanced requirements.
As I said earlier, however, that is to be determined alongside the decision to specify a foreign power or entity subject to a foreign power or control. Ensuring information can be publicised where it relates to the carrying out of political influence activities will help to strengthen the resilience of the UK political system against covert foreign influence. After all, sunlight is the best disinfectant. Not only will this ensure that the UK public are better informed of the scale and extent of foreign influence in our political affairs, but it will put a person actively seeking to avoid being transparent in a difficult position. Either they comply with the scheme’s requirements and expose their arrangements or activities, or they face potential enforcement action.
The information published will be limited to what is necessary to achieve the transparency aims of the scheme: for example, the name of the registrant, which could be an individual or an entity; the foreign power or principal for which political influence activities are to be carried out; or the nature and duration of such activity. Subsection (2) would allow the Secretary of State to specify or describe information or material that is not to be published. That is likely to include a situation where publishing the information would threaten the interests of national security, put an individual’s safety at risk or risk disclosure of commercially sensitive information.
Subsection (1)(b) would allow the Secretary of State to make provision for the copying of information provided through registration. It an important provision that will ensure data can be managed by the scheme management unit and shared with other enforcement agencies when necessary. As already mentioned, data will be managed in accordance with the Data Protection Act 2018 and GDPR. As with other parts of the registration scheme, we consider it appropriate for this level of detail to be outlined through regulations, which will also provide the Government with the flexibility to adapt should there be a need to make changes to what information is to be provided in order to meet the objectives of the scheme.
New clause 28 provides the definitions relevant to the registration scheme requirements. As we have discussed these terms in detail in relation to the requirements to which they apply, I do not consider that further examination is needed.
In my opening remarks, I explained that any arrangement with the Republic of Ireland or with a body incorporated or association under the laws of Ireland will be exempt from registration, as are activities to be carried out by such entities. This, again, ensures that the letter and spirit of the Belfast/Good Friday accord are protected, by avoiding interference with the right of citizens in Northern Ireland to identify as Irish. To achieve that in the drafting, subsection (2) clarifies that the Republic of Ireland is not to be considered a foreign power for the purposes of FIRS.
I will briefly emphasise how incredibly broadly and dangerously drafted new clause 20 is. All sorts of organisations will fall within the scope of the provisions; it could be a local business or a UK non-governmental organisation. Unless I am missing something, under the clause they can be asked by the Secretary of State in an information notice for virtually any information that she fancies helping herself to, with virtually no restriction whatsoever.
The new clause does not even require a link to some sort of ongoing investigation. There is no court oversight of the nature of the request, and there is absolutely no mechanism to challenge or appeal against any sort of information notice. If someone has been handed an absurd information notice and they refuse to comply with it, they can end up being prosecuted. As it stands, new clause 20 seems to be incredibly difficult and should be revisited.
I will come to the point made by the right hon. Member for Dundee East. He is absolutely right. Forgive me—that is a drafting error, which we will look at and tidy up.
On diplomatic staff, the hon. Member for Halifax makes a fair point. This is, however, diplomatic staff and their spouses acting in an official capacity—when they are conducting duties on behalf of their nation, and on behalf of the mission that they are sent to support. It is not supposed to be a blanket exemption; it is merely when they are acting in their role.
Who will manage the unit? A scheme management unit is expected to sit within the Home Office—that is, at least, the current plan—which will administer the scheme. It is unlikely that every registration will need to be scrutinised. More likely, the register will be a resource for public scrutiny. That is where the right hon. Member for North Durham, who is not currently present, was absolutely right: sunlight is the best disinfectant, and indeed disinfectant is the best sunlight.
I support the objective of the new clause. When we were debating some of the offences in part 1, the SNP tabled various amendments to try to make it clear that the national interest and the interests of the Government are not necessarily the same thing—often, they are not the same thing at all. It appears that judicial authority says that, in essence, it is for the Government to decide what the national interest is; that does not really assist the position. Whether or not this new clause is the answer is something we will have to revisit again, but I express sympathy with the intention behind it.
I welcome the spirit with which the hon. Member for Halifax has entered into this discussion, and I appreciate her points. Making illegal those matters that irritate Ministers of the Crown would certainly make my life at home significantly quieter, as it would silence my children. Sadly, I think that trying to make case law for my family would be problematic.
It is certainly true that there is a difference between the interests of Ministers and the interests of an individual Minister, whether that be an ordinary Minister or a Prime Minister, and national security. Case law in the United Kingdom already recognises that in considering any prosecution in relation to offences to which the provisions regarding prejudice to the safety of the interests of the UK apply. The UK courts already consider the nature and risk to the safety and interests of the UK. Case law already makes clear that
“the safety or interests of the United Kingdom”
should be interpreted as the objects of state policy determined by the Crown on the advice of Ministers. That is notably different from protecting the particular interests of those in office.
Again, I appreciate the spirit with which the hon. Lady has entered into the conversation, but the provisions in part 1 to which the safety or interests test applies are measures that disrupt and respond to serious national security threats, such as those from espionage, sabotage and threats to the UK’s most sensitive sites. As I am sure hon. Members will agree, it is right that appropriate conditions—such as the test of whether conduct is carried out for, on behalf of, or with the intention to benefit a foreign power—are in place to limit the scope of the offences to the types of harmful activity we are targeting.
The combination of the conditions we apply to measures in the Bill mean that not only are the offences themselves proportionate, but an appropriately high bar has to be met to bring a prosecution. These conditions take us firmly outside the realm of merely leaking embarrassing or unauthorised disclosures, or indeed whistleblowing or domestic political opposition. The Law Commission shared that sentiment in the evidence it gave to the Committee—of course I was not present, but given her reference to the length of time in politics I am sure she will understand that.
Individuals and groups might not agree with Government policy, but it still represents the policy that the Government have been elected to carry out, so disclosing protected information from a foreign power can never be the right response to that. It would not be appropriate for the courts to second guess the merits of Government policy in this way. On the basis that the courts are well able to judge the difference between national interest and personal interest, I hope that the hon. Member will withdraw the amendment.
(3 years, 5 months ago)
Commons ChamberLots of questions and loopholes have been identified. The fact that the Home Office had to issue hundreds of pages of guidance, even in the two or three weeks prior to the end of the transition period, shows that the issue has been difficult for it to address.
I come to what this debate should be about, which is looking forward to what can be done. We absolutely maintain that even now a declaratory scheme would be far preferable—people would still apply to the settlement scheme to prove their status, but at the very least the huge uncertainty would be removed and security would be delivered for them. Short of that, surely to goodness the transition period should be extended. There are a million reasons why that would be sensible—not least covid. Outreach work has been curtailed and embassies and scanning centres have been closed. People are not ready.
It is important to remember that this is not just a question of EU nationals being ready, but of employers, the Driver and Vehicle Licensing Agency, Department for Work and Pensions staff, landlords, local authority staff and bank staff having to be ready and NHS staff having to understand. As I said, the Home Office itself was still pumping out hundreds of pages of guidance in June and making tweaks to the system. I do not think the Home Office was ready for the end of the transition, and I do not think it can expect all those other organisations to be ready either. As I will mention, there is also an enormous backlog of cases.
Alternatively, the Government could at least remove the requirement for a reasonable excuse and keep the scheme open for the duration. It has to be open anyway, both for late applications and for people with pre-settled status who then go on to try to secure settled status. Why not simply allow people to come forward as it becomes necessary to secure their rights?
To be absolutely fair, the guidance on the reasonable excuse provision is reasonably generous, and more generous than it could have been, so I thank the Minister for that. But the very existence of that test plants huge seeds of doubt in people’s minds—if I have any doubt about whether my excuse will be accepted, am I putting myself at risk of enforcement action? I say that we should continue to encourage people to come forward, not discourage them.
That last proposal would be better than nothing, but it would not protect people from the impacts of the hostile environment in the meantime. That hostile environment is supposed to be undergoing an end-to-end review in the light of Wendy Williams’s Windrush report. The fact that the review has not yet been completed should be another ground for extending the grace period. More fundamentally, the hostile environment should be entirely suspended until the review takes place and its findings are implemented. All these are real, sensible, constructive options, open to the Government, that would ease the pain of the process. I hope the Government listen.
I turn now to a tiny number of examples of how difficult, technical and confusing the process has become. I am highlighting what groups such as the Joint Council for the Welfare of Immigrants and the3million are telling me. I do that to press the Minister for a response and to underline the case that there has at least to be an extension to the transition period.
First, I turn to the question of those who applied before the deadline but are still waiting for a decision. How on earth is it that, as I understand it, the backlog has risen to 570,000 cases? Back in October 2019, the resolution centre was able to conclude just over 400,000 cases, but in each of the three months up to the deadline, as I understand it, fewer than half that number were concluded each month, despite additional staff having been drawn in from the Post Office and elsewhere. Is that backlog not enough in itself to justify an extension?
Can the Minister tell us how many applications received in June were dealt with in the five-day target? According to EU settlement scheme statistics, applications from children comprise 15% of the total, with decisions on 25% of applications still pending; they also comprise around a quarter of applications pending for over three months. Why is that?
In theory, the full rights of people with outstanding in-time applications are protected while they wait—and that, of course, is welcome. But what is the reality on the ground? Already, all sorts of reports are coming in to representative groups about employers and landlords—and also the Home Office’s own Border Force staff—getting the checks wrong. That does not surprise me, because the situation is messy.
Some people with outstanding in-time applications will provide their prospective employer or landlord with a certificate of application to show that they have made the application. Some will provide a physical certificate, printed off, that leads to the employer contacting the employer checking service or the landlord checking with the landlord checking service. Others still will not have a certificate of approval but just an acknowledgement email; that, too, should lead to the checking service being consulted.
But in the last few days, the Home Office has started sending digital certificates of application to avoid the need for anyone to use the checking services, which can take a couple of days. The applicant will provide a code to the prospective employer or landlord, and when that is input into the system it should confirm that an application is outstanding. I hope hon. Members followed that, because all of us in this House are employers, but given that the guidance was issued only a couple of weeks before the deadline, I suspect that there are huge swathes of employers and landlords out there who do not have the first clue what somebody means when they approach them for a new tenancy or a new job and say, “Here’s my digital code. This should tell you that I have an application outstanding.”
I am absolutely delighted to hear this speech, because the hon. Gentleman is explaining the complexities of leaving a Union that we were part of for about 40 years, yet somehow he seems to assume that leaving this Union is really hard but that leaving one that includes the military, finance, pensions, homes and everything else is going to be incredibly easy. I am not quite sure whether he will explain that disconnect.
The point, as I have said, is that the Government could have made this process a hell of a lot easier. Government decisions have made this difficult, not anything else.
We know from research that discrimination is widespread when private actors have to undertake even basic checks, such as passport and visa checks, and it is blindingly obvious that the half a million people who are in the queue are going to face discrimination on stilts if they have to explain these processes. Other than telling employers and landlords to follow guidance, what more is being done to clamp down on and prevent this discrimination? What monitoring, even, is being done?
In theory, public bodies should find this easier, yet we hear of cases of universities not being prepared to confirm that students are eligible for home fee status, or the Student Loans Company not confirming eligibility for student finance until their status is decided. Just an hour ago, I learned of a universal credit case being turned down because, even though the national insurance number and date of birth all matched up, the Department for Work and Pensions could not verify the digital share code. What is the Home Office doing to identify and accelerate these cases to ensure that no one is denied the educational opportunities that they are entitled to? How will people be compensated when they have been wrongly refused entry to the UK, work or housing, or been charged for NHS treatment or incorrectly denied home fees or student finance because of a failure to apply the law correctly?
Another huge problem is that use of the checking service provides a landlord or employer with only a six-month guarantee of protection from prosecution, but why would an employer or landlord take on someone when they can have a guarantee of only six months’ rent or six months’ work? That is why it was wrong to end the transition while over 500,000 people were in this perilous position. A freedom of information request in May showed that 100,000 people had been waiting for over three months for a decision. That is a hell of a long time to be in this semi-legal limbo.
Finally on this particular topic, I understand that there are also significant numbers of cases where people have completed parts of the application process online but not the whole process—for example, even just the final “submit” stage. Is the Home Office taking steps to identify and reach out to those people as well?
Turning to people who apply late, or have applied late and are waiting for a decision, it is welcome that they can continue to access healthcare and that, if I understand it correctly, they can continue to exercise rights that they are currently exercising, such as keeping an existing job or social security benefit if they apply with 28 days’ notice. However, the huge gap here is that there is no right to take on a new job or new accommodation in England, or to claim a new social security benefit or use other services, so an important first question is why the Home Office thinks this is consistent with the withdrawal agreement, which states that pending a decision on any application, all rights will be deemed to apply to the applicant.
It is easy for the Government to say, “Well the process is quick and therefore these issues should not be widespread. Get the application in and then get on with your job hunt or social security application”, but, in practice, it is not that simple. We know that over 100,000 people had been waiting for more than three months in May, and remember, too, that, as we know from Windrush, it is precisely when people are making new job applications or applying for social security or a tenancy that they suddenly realise that they have not applied and should have done. Waiting for three months at these moments of crisis could destroy lives, with employment, accommodation and financial support all missed out on.
The Home Office has mentioned a process for accelerating certain cases, which is welcome, but how does that work? How can we ask on behalf of our constituents that their case is accelerated for these very good reasons? What will the criteria be for accelerating cases, what will the timescales be, and what does that mean for other cases and how long they will take?
Finally, on late applications, I previously asked the Minister what would happen if someone incurred health charges because they had failed to apply for the settlement scheme, but, having realised their error, they then went on to apply late and successfully showed that they had a reasonable excuse. If I recall correctly, the Minister suggested at the Home Affairs Committee that it would be ridiculous to then insist on those charges being paid. After all, they had had a reasonable excuse for a late application, but, as I understand it—I would love to be corrected—that is exactly what will now happen in England. How can that be justified? Why is it that someone who is considered to have reasonable grounds to apply late can still be held liable for healthcare charges incurred before submission of their justifiably late application? It seems an incredibly strange situation.
What about those who have not applied at all? I want everyone to apply, though late—I am sure we all do—so what is the Government’s strategy here? Is there not a danger that the reasonable excuse test is going to put people off, especially if, as suggested in the guidance, it has to be more strictly interpreted the more time goes on? Why is that advice there? Those who encounter border enforcement, whether the Home Office version or delegated private actors such as employers, are going to have 28 days’ notice to apply, but what has been done to make sure that some of the people most likely to have missed a deadline—vulnerable and marginalised groups, and maybe those with health issues or with poor English—understand what that notice means and what exactly is required of them? For example, is it going be available in different languages, will they be signposted for advice and what happens if that 28-day deadline is missed?
It is much more likely that people who have not applied will become aware of the problem only through an encounter not with Border Force, but with an employer, the DWP, a landlord or somebody else, so what work has been done to ensure that, rather than just saying no, they signpost and, in the case of Government Departments, assist them in ensuring that an application can be submitted. The Government are committed to funding grant-funded organisations supporting EU citizens with late applications until September. Why is it only to September? Can we have funding for beyond that as well?
Finally, I turn to the issue for those who actually get settled or pre-settled status. Even if somebody is successful, that is not the end of their problems, and others, as I have said, will speak about the lack of a physical proof of status. There are more than 2 million people with pre-settled status, and many of them will struggle to prove the five-year residence required for settled status. What support will be available to help them with equally vital applications, and what happens to those who fail to apply at the time when their pre-settled status expires?
The settlement scheme may have been designed to be straightforward, but its interplay with our complicated immigration system means that it just cannot be. I struggle to follow its implications, and I suspect many hon. Members will have struggled to follow them as well, yet guidance for employers and landlords was issued just a couple of weeks back. This has, I am afraid, at the end of the day, ended up being a rush job. Even if all our other ideas are rejected, at the very least we need a longer transition period, and for the umpteenth time, I do ask that the Minister meets the3million campaign group.
In closing, during the referendum the now Chancellor of the Duchy of Lancaster also promised that, after Brexit, Scotland would have immigration powers. That seems to have gone the same way as his promise to EU nationals. We have debated the devolution of immigration or at least some immigration powers before, and it is on these occasions that the normally very measured Minister tends to start engaging in tub-thumping rhetoric rather than the arguments in the discussion. I am not going to repeat all those arguments today, but report after report from the Scottish Government, academics, thinktanks and immigration lawyers offer myriad reasons why this should be done, and templates for how this could be done.