All 12 contributions to the Investigatory Powers (Amendment) Act 2024

Read Bill Ministerial Extracts

Thu 7th Mar 2024
Investigatory Powers (Amendment) Bill [ Lords ] (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Report stage: 1st sitting
Thu 7th Mar 2024
Investigatory Powers (Amendment) Bill [ Lords ] (Second sitting)
Public Bill Committees

Committee stage: 2nd sitting & Report stage: 2nd sitting
Tue 23rd Apr 2024
Investigatory Powers (Amendment) Bill [HL]
Lords Chamber

Consideration of Commons amendments
Thu 25th Apr 2024
Royal Assent
Lords Chamber

Royal Assent & Royal Assent & Royal Assent

Investigatory Powers (Amendment) Bill [HL]

1st reading
Wednesday 8th November 2023

(8 months, 1 week ago)

Lords Chamber
Read Full debate Investigatory Powers (Amendment) Act 2024 Read Hansard Text
First Reading
15:08
A Bill to amend the Investigatory Powers Act 2016; to make provision about information supplied by, or relating to, the Judicial Commissioners; and for connected purposes.
The Bill was introduced by the Earl of Courtown (on behalf of Lord Sharpe of Epsom), read a first time and ordered to be printed.

Investigatory Powers (Amendment) Bill [HL]

2nd reading
Monday 20th November 2023

(7 months, 4 weeks ago)

Lords Chamber
Read Full debate Investigatory Powers (Amendment) Act 2024 Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Second Reading
16:04
Moved by
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom
- View Speech - Hansard - - - Excerpts

That the Bill be now read a second time.

Lord Sharpe of Epsom Portrait The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
- Hansard - - - Excerpts

My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.

The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.

Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.

It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.

But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.

I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.

This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.

Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.

Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.

I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.

While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.

Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.

The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.

Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.

In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.

The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.

Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.

The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.

Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.

Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.

Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.

Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.

The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.

The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.

Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.

I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.

16:19
Lord Coaker Portrait Lord Coaker (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I am sure the Minister was referring to me. But, seriously, I thank him for that helpful introduction and for the briefings that he and his officials have organised, including in buildings nearby later this week.

This is an important Bill, and we all need to ensure that it delivers effectively what we all wish for as we seek to defend our country and our freedoms against outside threats. I say to noble Lords including the Minister that we fully support the passage of the Bill, for the reasons that he outlined in his conclusions, and recognise the changed security environment that necessitates the need for this piece of legislation updating and improving the Investigatory Powers Act 2016.

There have clearly been significant changes to the threat picture, with developments that had perhaps not been fully foreseen over the last few years. Of course we have to remain vigilant against any terrorist threat, but even that has been overshadowed by other factors—in particular, the pace of geopolitical change and the extent of its impact on the UK and its people. The invasion of Ukraine, the weaponisation of energy and food supplies, artificial intelligence, the actions of Iran and the more aggressive stance with China in the South China Sea and beyond are just some of many examples. Importantly, this also manifests, as the Minister will know better than anyone, as threats such as economic espionage, the buying of influence, cyberattacks, disinformation and indeed, as we saw, the Salisbury poisoning. In the face of that hostile state activity, we have to change.

I join the Minister, and no doubt many others, in saying that we are very fortunate in having had the extremely helpful—and for me, I might add, understandable—report by the noble Lord, Lord Anderson, to guide us in this. It is also good to see other Members of your Lordships’ House who have extensive experience in this area to inform our debate. In congratulating the noble Lord, Lord Anderson, I shall raise some general points from his report and then deal with specifics as appropriate for a Second Reading debate.

It is of huge significance and importance that the noble Lord, Lord Anderson, did not produce a classified annex to his report. In an area of this importance and sensitivity, you obviously need secrecy and confidentiality, but there has to be as wide a public and parliamentary debate as possible. There are real issues of principle being discussed here, not least the right to privacy and the protection of an individual’s information or personal data. As I say, there is a need for the security services, law enforcement and others to act and to have the intelligence tools that they need, but the balance between national security, tackling serious crime and an individual’s privacy should and must, quite rightly, be a matter for public debate. When fundamental rights are at stake, that needs to be cautiously challenged, and this House will need to do that in Committee, while, as I say, fully supporting the overall passage of the Bill.

Chapter 10 of the report asks what comes next. Such is the pace of change and challenge, the noble Lord, Lord Anderson, recommends that, once this amending legislation is on the statute book, we need to move on very quickly to what comes next.

I shall turn to the Bill with some general comments, with the more specific questions coming in Committee. Bulk personal datasets are clearly important, and the Bill will allow a lighter-touch regulatory regime. The threshold will be where individuals have a low or no expectation of privacy in respect of that data. The Bill seeks to set out examples of the sorts of cases where such a regime would apply for the examination of material by the UK intelligence community. I believe there will need to be a careful debate about what such a threshold means. What does “low” mean? Would all such activity be subject to the approval of a judicial commissioner? Some have already expressed particular concern about new subsection (3A)(e), inserted into Section 11 by Clause 11(3), which says that communications data can be obtained

“where the communications data had been published before the relevant person obtained it”.

Does that mean it is available simply by having been published?

On a more general point, how does all this relate to the Data Protection Act, where personal data may be protected but is potentially not so by the new Bill? Big Brother Watch gives the example of the potential concern over Clearview, which has a mass of facial images—approaching 30 billion—harvested from social media. That could be considered a low-privacy database since the photos had been made public by the individuals, but the Information Commissioner’s Office found Clearview in breach of the Data Protection Act. This argument could therefore potentially be extended to many areas, such as Facebook posts, and will therefore need careful scrutiny, along with the more general point about the relationship between this Act and the Data Protection Act.

There are to be new proposals for internet connection records; they are clearly important, but changes are again being made. In particular, on the justification for target discovery—which, in essence, is a more generalised surveillance, if I have understood it correctly—is it the case therefore that there may not necessarily be a need for suspicion to lead to a particular form of surveillance? It is also interesting to note that, according to the report by the noble Lord, Lord Anderson, as I understand it, this extension or facilitation of target discovery for internet connection records should be limited to UK intelligence. So why have the Government extended this to the National Crime Agency as well as to the UK intelligence community? In other words, why has it gone beyond the recommendations of the noble Lord’s report?

The need for the communications of legislators to be secure and confidential—say, in discussing matters with constituents or other bodies—except in the most exceptional circumstances, is of real importance. Following the IPT case in 2015, there was legislation in the 2016 Act that tried to protect this principle by allowing any interception or obtaining of any communication to be allowed only with the so-called triple lock—in other words, after Prime Ministerial authority was given. The question this Bill seeks to answer is: what happens if the PM is, in the Minister’s words, “unavailable”? This seems to me to be a reasonable question to ask. We need to probe Clause 21 carefully and ask whether the inclusion of any Secretary of State is too broad a definition, what the involvement should be of senior officials, as laid out in the clause, and whether the proposed definition is correct. For example, would it not be better to specify the Secretaries of State as the Home Secretary or the Defence Secretary, or other senior Secretaries of State, rather than the broad blanket of any Secretary of State? The senior officials are explained, to an extent, but we need to explore in Committee whether we need to be more circumspect with what we mean by that.

We have also received a briefing from Apple, and it is important for us to reflect on its concerns. As I have made clear, we support the passage of the Bill, subject to proper scrutiny, which we and others will give in Committee, but Apple’s concerns need to be addressed by the Government in a public forum, to ensure trust and confidence in the new system we seek to introduce. Why is Apple wrong to have concerns about pre-clearance requirements?

On extraterritoriality, the noble Lord, Lord Anderson, says on page 57 of his report that he makes “no recommendation” on a policy issue for DRNs or the importance of end-to-end encryption. End-to-end encryption is a key security tool for us all, but it is also one that can be used, and is used, by malicious actors. We understand that, so how do we strike a balance between the necessity for the privacy and protection of an individual’s data and the need for security services and others to have potential access to that data to uncover serious crime or terrorist activity? In Committee, we need to discuss where that balance should be made and where that line should be drawn; it is an important area of discussion.

Throughout the report by the noble Lord, Lord Anderson, and the subsequent Bill before us, we see various adaptions of warrant processes, judicial oversight and the role of the commissioner, with many proposals. While we are generally supportive, we will need to examine these in more detail in Committee, but I have a few general points to raise now. For example, does the Bill help to sort out confusion in government? Incredibly, on page 28 of the noble Lord’s report, the MoD cannot, even when co-located in a hostile environment, transfer some data to the UKIC. Does the Bill sort that out? That is an important question that I put on the table for an answer—not necessarily now, but certainly in Committee.

Domestically, on the same page, we are told that it was a revelation to UK intelligence community officers to see how easily other government departments subject only to normal data protection requirements could access, retain and process bulk personal data. This Bill should not go through without the corresponding changes to policy and practice, highlighted by the above two apparent anomalies. No doubt there are many more. It would be a wasted opportunity were we not to address some of those examples which seem to draw attention to anomalies within the existing system which many of us would expect a Bill such as this to sort out.

Co-operating should not be as difficult as it seems to be. Openness and transparency are crucial so that we can be sure that, as far as possible, the number of various warrants applied for and refused is made public. More generally, what role is there for parliamentary oversight as well as the intelligence commissioner and so on? The Intelligence and Security Committee is our important eyes and ears on this matter. What part will it play in all this? Are its terms of reference, which I have said in other debates are in need of review, sufficient to allow the necessary level of scrutiny? If it is not appropriate for the committee to be involved, where is the parliamentary scrutiny? Where is the mechanism for reporting to Parliament? It would be interesting to hear that from the Minister. Yes, there are various commissioners and there is senior ministerial involvement, but what of Parliament? Parliament cannot be seen in areas as important as this as an afterthought or an irritant. It should be a proper custodian of our values in this difficult area.

I have laid out some of the key issues, although there are many more. I conclude by saying that, as the noble Lord, Lord Anderson, pointed out in his report, we cannot allow the debate to be characterised as being between those who stand up for security, for our country, and who understand what needs to be done, versus a privacy lobby that does not live in the real world. Of course, operational security cannot be compromised and changed threats require policy to be developed. We support the Government in this through the changes which are needed in this Bill. The challenge is to do so in a way that is consistent with our principles of democracy and human rights. Sensible debate and discussion surely will help us towards something that we all want—to build a consensus as far as possible over protecting our nation and allies against those who would do us harm, and not to undermine privacy or freedoms unless it is essential to do so.

16:32
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

My Lords, it is a great pleasure to follow the noble Lord, Lord Coaker. I look forward to a fascinating and intimidatingly expert debate. Before commenting on the Bill, I feel that it is important to contextualise what we are discussing today.

Many of us enjoy books that depict the intelligence services. In the main, the George Smileys who appear within their covers are practising in a world that is very far from the lived experience of most people in this country. However, the reality is very different. The work of the intelligence services impacts very many people’s lives in the UK. It is not just bombs and guns but drugs, people trafficking and other exploitation, financial and cybercrime, extortion and many other crimes. The perpetrators are Governments, terrorist organisations, criminal gangs and lone individuals. Crime and terror merge and are socially unjust activities that prey on the weak. The victims are most often the vulnerable and those with the least ability to resist. Within this depressing tapestry, we rely on our intelligence services to help keep us safe and we need a police force that can cope with the complexities of those crimes. Liberal Democrats wholeheartedly support the services that seek to do this and we welcome this debate.

We also believe that these vital tasks have to be balanced against the freedoms and liberties at the heart of our country’s values. Every new power must be weighed in that balance and the noble Lord, Lord Coker, just explained that from his perspective. As we have heard, this Bill proposes some specific amendments to the original Investigatory Powers Act 2016. I was not involved in the scrutiny of the Bill at that time; that fell to my noble friend Lord Paddick, and the noble Baroness, Lady Williams, was in the ministerial chair, so it is a new set of eyes looking at this legislation.

I remind your Lordships’ House of some of the key priorities that my noble friends here and my colleagues in the Commons applied to the 2016 Bill. The first of these is that there should be no weakening of encryption. The second is the vital role of judicial authorisation and the third is that, when it comes to the bulk collection of information or mass surveillance, British residents have a right to expect privacy. These principles were central to our response to the last Bill and will be to this.

Today’s Bill, as we have heard, is the product of deliberation over years. Your Lordships should particularly thank the noble Lord, Lord Anderson, for his work on it. However, given the time taken to get this far, it is very disappointing that the Government chose to introduce the Bill in such a rush that it gave just eight working days for parliamentarians and civil society to prepare for the specific scrutiny of it. If the Government were seeking to ensure that they took people with them, this is a way to antagonise them. There are already comments about haste being an effort to railroad people.

I am afraid my speech today is quite a long one because I did not have time to write a short one. I turn to the Bill. As the Minister set out, the original Bill established a set of protections under Part 7; this Bill introduces two new levels of security, Parts 7A and 7B. Part 7A is introduced in Clause 2 and concerns bulk datasets, as we have heard, with

“low or no reasonable expectation of privacy”.

These so-called low/no datasets may be in three types, each with slightly different rules.

I have enjoyed helpful discussions with the Minister’s department and for that I appreciate his facilitation and engagement. During those discussions, the basic explanation has been that these datasets are needed to train tools using machine learning, that they already exist and are being used in the commercial world, but the Part 7 process makes them at best clumsy and at worst impractical to be used by the intelligence services. I take those points. Furthermore, the introduction to Part 7A includes a requirement for approval from judicial commissioners. Had it not, this discussion would have been much harder.

If training Al tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations. I can imagine why urgent data might be needed, but it is the investigators who will define the urgency. Additionally, new Section 226BC refers to a relevant period of three working days between the acquisition of the urgent data and full judicial approval. Yet, after three days, the judicial commissioner may decline to permit the use of the data that has already been employed in an investigation using rapid Al-enabled analysis.

Taken together, I have my worries. There needs to be a duty to immediately notify the judicial commission. Secondly, there should be guardrails helping define “urgent” and finally we need to discuss how information discovered using data that is subsequently ruled ineligible is, shall we say, unremembered. Without these, the use of low/no datasets in this way for operational issues is concerning.

I have gone into this in some detail because I see it as a serious operational concern but also because I wanted to illustrate the sort of scrutiny the Government should expect from these Benches throughout this debate. There are other examples as we go through the Bill, but I will refer to those only broadly now. Clause 5 introduces a second new category of approval, Part 7B, this time for datasets held in third party assets to which the intelligence services have access. As far as I can deduce, this brings into the orbit of the IPA data which was previously not included and mandates both Secretary of State and judicial commission levels of approval. Unless I learn otherwise, that is a good starting point.

That said, we will seek to initiate explicit discussion around the use of medical, genetic and genomic data and how this can be protected. Here I note that anonymised data can be relatively easily reassigned, so anonymity in health databases is no actual protection. This is important on several levels, not least for public confidence in the digitisation and legitimate use of this very important information.

Part 2 allows the deputisation and delegation of some of the powers to broaden the number of people responsible involved. I just ask whether the Minister believes that this heralds a massive increase in workload.

In Part 3, I thank the Minister for his explanations around Clause 11, which I shall read carefully, and I will be coming back for some more details about how that will work in practice. Clause 14 creates a new condition for the use of internet connection records by the intelligence services and the NCA. Broadly, this removes the need for exact times when seeking connection records, substituting time ranges. This seems acceptable, as long as the Minister can assure your Lordships’ House that this will still require Secretary of State and judicial commission approval.

Part 4 moves into the area of retention notices and away from issues covered by the report of the noble Lord, Lord Anderson. I believe that Clause 15 is focused on bringing inbound roaming on foreign SIM cards into the frame, so I would appreciate details of how this will work. For example, if I am in the UK using a SIM that I bought in Dubai from a UAE-based telecoms provider, how does the intelligence officer proceed?

Clause 20, as we have already heard from the noble Lord, Lord Coaker, is one that has already raised eyebrows in the industry. Proposed new subsection 258A requires telecoms operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively impact existing lawful access capabilities. In reality, this can include changes in encryption, a topic which has recently been on a rocky journey through the passage of the Online Safety Act. This Bill proposes a number of changes, building on the current regime set out in the 2016 Act, that relate to decryption of private messages for law enforcement purposes. In short, we believe the amendments would, or at least could, grant the Home Secretary more extensive powers to intervene in, and in some cases block, communications providers’ operational decisions, including enhancing privacy settings for users, with potential knock-on implications for end-to-end encryption on those services for everyone. I think more debate will be needed in this area.

There are other issues of timing, the possible length of a review, extraterritoriality and the level of judicial commission oversight at the notice level. I am sure I will be told by the Minister that this is a narrow interpretation, but it is an interpretation that has legs outside your Lordships’ Chamber. How will this power be used and what are the implications? Will we perhaps see British law officers beating a path to California to serve these notices? In a sense, how far does this go?

Finally, Part 5 invokes some interesting questions, some of which the noble Lord, Lord Coaker, has already asked and we will surely want to probe. We will want to introduce a requirement that the Investigatory Powers Commissioner is informed of, and records in their annual report, the number of warrants authorised each year to permit surveillance of Members of relevant domestic legislatures. For now, perhaps the Minister could tell your Lordships’ House what the process is for gaining permission to intercept and examine the Prime Minister’s communications.

We will also be probing two other important areas on which there is no time to expand today. The first is specific protections to avoid either cementing or introducing systemic bias against certain sections of the community from the AI models of the future that will be built as a result of this legislation. The second is the use of facial recognition technology on the back of the tools created using the low/no databases, a point that the noble Lord, Lord Coaker, raised.

To conclude, we are concerned that the Bill could push legislation further past the point of balance that we started to discuss. We need to ensure that judicial oversight extends right through the activities enabled by the Bill, and there should be no weakening on the encryption issue. I hope the Minister views this critique in the spirit of constructive support that I have sought to invoke, and I look forward to the rest of the debate and the further stages of the Bill. As he can see, our work will be built on the foundation that British residents have a right to expect privacy.

16:45
Lord Anderson of Ipswich Portrait Lord Anderson of Ipswich (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I thank noble Lords who have referred kindly to my independent review of earlier this year, a short sequel to the much longer reviews, A Question of Trust and the Report of the Bulk Powers Review, that I was commissioned to conduct, with all-party agreement, in advance of the Investigatory Powers Act 2016.

Given the controversy surrounding electronic surveillance at that time, in the wake of Edward Snowden’s disclosures, the IPA had a remarkably smooth parliamentary passage—although I say that as someone who was outside Parliament at the time. I put that down to the detailed preparation that preceded that Bill, including reports from the ISC and from RUSI, and of course to the work of the draft Bill committee, chaired by the noble Lord, Lord Murphy of Torfaen, who I am delighted to see in his place. I remember being questioned by its members, including the noble Lord, Lord Strasburger, and Suella Fernandes MP, as she then was. That committee made 86 detailed recommendations, practically all of which found their way into the Act. How much time and testosterone can be saved—and was saved in that instance—by debating these important issues before a Bill is published in final form.

The IPA replicated and, indeed, enhanced the very considerable powers conferred by its predecessor, RIPA, on our intelligence agencies and police. However, its emphasis on transparency and effective oversight, in particular by the judge-led Investigatory Powers Commissioner’s Office—IPCO—with its excellent technical support, brought it into the modern age. I believe we have seen the tangible benefits of that in recent years; I will give three short examples.

The UN special rapporteur on the right to privacy, who had previously described our arrangements as “worse than scary”, reported in 2018 after an inspection visit to the UK that, thanks to the balance struck by the IPA, the UK

“can now justifiably reclaim its leadership role in Europe as well as globally”.

The English Court of Appeal overwhelmingly rejected an extensive series of challenges to the IPA in August this year, citing the authority of the European Court of Human Rights, which, rather more than the EU’s court in Luxembourg, has shown itself impressively ready to accept the use of bulk collection powers, properly safeguarded.

In addition, judicial approval of warrants, introduced here by the IPA but long familiar in North America, was instrumental in securing our data access agreement with the United States—a world first, which, given the American ownership of so many big internet platforms, is of particular significance to law enforcement on this side of the Atlantic.

Therefore, the IPA has been good for this country, including by helping to secure the international acceptance and co-operation that are ever more essential to the fight against organised crime and threats to national security.

However, the Minister is right to say that in limited areas, the IPA is in need of what I call running repairs. The Home Office invited me earlier this year to look at some of those areas which it had identified as in need of attention. Other parts of the Bill, including elements of Parts 1, 3 and 4, fell outside the scope of my review. In my report published in June, I largely accepted the Home Office diagnosis, although my prescriptions were in some respects different from its. In particular, in relation to the bulk dataset issues that occupy Part 1 of this Bill, I thought it important that the borderline between Part 7 and the proposed new Part 7A of the IPA, concerning datasets in which there is a low or no expectation of privacy, should be patrolled at the moment of decision not just by the intelligence agencies themselves but externally by independent judicial commissioners.

Since my report was submitted in April, there has been a convergence of views on this issue and on others, one of them in relation to the NCA and Clause 14, which was touched on by the noble Lord, Lord Coaker. I am grateful to the Security Minister and to the noble Lord, Lord Sharpe, for our discussions and the open spirit in which they took place.

The Minister knows that it has not always been my habit to give an unqualified welcome to Home Office Bills; judging from the Statement that was debated earlier this afternoon, I cannot guarantee that things will be any different in future.

I understand that Ministers like to come to this place with a few concessions in their back pocket, and there is no harm in that. But too often, elements of the Bills that arrive with us have a lopsided look; one suspects, rightly or wrongly, that they are the opening gambit in a concession strategy, whereby the energy of this House is occupied with the tabling and discussion of amendments, only for the Government eventually to concede what they had a good mind to do all along. This can be both frustrating and counterproductive; those who mistrust the Government see their worst fears confirmed by the initial version of the Bill, while those who trust them are reluctant to express that support, lest the ground be cut from under their feet.

It is to the credit of those concerned that I do not believe that such an approach has been taken with this Bill. No doubt it is capable of improvement; I welcome the challenges that have been made by NGOs and by the noble Lords, Lord Coaker and Lord Fox, not least because I was not able to consult in quite such specific terms as I would have liked on the proposals that were put to me by the Home Office. Indeed, there are a few points that I may seek to probe in Committee. But I consider that the Bill is an honest attempt to strike a fair balance in these difficult areas. We risk reversing the operational gains that it promises if we overload the Bill with unnecessary safeguards, or seek radically to reshape the judgments that it makes.

We need powerful weapons to combat the scourges of hostile state activity, terrorism, fraud, people trafficking and child sexual abuse, and we need to embed them in a strong framework that includes the gold standard of prior judicial authorisation for the most intrusive powers. This Bill gives us both those things, and we should not discard or devalue either.

History suggests that the lifespan of investigatory powers regimes is no more than 15 years or so, and technological developments mean that we are likely to be working towards a more fundamental revision of the IPA by the end of the decade, if not before. My report contains some ideas on what these technological developments are and how the process might be started, but for the time being I am glad that time has been found for this necessary Bill. I am happy to give it my support.

16:52
Lord Bishop of St Albans Portrait The Lord Bishop of St Albans
- View Speech - Hansard - - - Excerpts

My Lords, I too thank the noble Lord, Lord Anderson of Ipswich, for his very helpful and excellent work in his area. With the rapid acceleration of technology and technological capacity, I recognise the need for this Bill to be updated. In this context, I welcome the Government’s sense of urgency in addressing the changing landscape in this area, and seeking to close those gaps that potentially endanger both the security and the safety of our nation. My right reverend friend the Bishop of Leeds had hoped to be here today, as he has taken a particular interest in this area, but he is detained elsewhere. We would both like to express two concerns that we believe must be addressed as this Bill is debated in your Lordships’ House.

First, the proposed amendments give the intelligence services vastly expanded powers not only to investigate individuals but to harvest and exploit vast amounts of personal data—not just of crime or terror suspects but of anyone. The collection of bulk datasets of personal details, including facial images and social media activity, is far reaching and potentially indiscriminate, so we must rightly be concerned about how effective any safeguards might be in controlling the power that such access gives to our intelligence services. The risks, particularly under a regime less ethically aware than those we are used to in this country thus far, are substantial. The weakening of safeguards risks endorsing the need for updating surveillance capacity, at the same time as threatening basic human freedoms.

Secondly, it has become clearer by the day that we are developing technical capacity well ahead of the ethical consideration of risk. Ethical thinking might well be deemed inconvenient by those who wish to forge ahead with greater advances and greater security provision. However, to fail to address ethical considerations now will simply leave us, at best, running fast to catch up later once the train has left the station and is already at full speed away in the far distance—and, at worst, having compromised personal and societal freedoms and having changed the nature of a free society.

The current proposals are likely to lead to a broad and vague definition of “public safety” in which the security and powers of the state in one area reduce essential personal freedoms. To that extent, I believe the helpful comments made by Big Brother Watch should be taken seriously and answered comprehensively if we are to be fully aware of the trade-off between two goods: public safety and personal privacy.

No one would wish to stand in the way of His Majesty’s Government’s intention to tackle terrorism, state threats, serious organised crime such as child sexual exploitation, illegal migration and fraud. These need to be faced head-on. The question is whether the proposed extensions contain sufficient safeguards to ensure that the mass of law-abiding citizens in a free society are not caught up in a form of mass surveillance in which they cannot trust that justice and privacy will be upheld.

When the Bill was first passed in 2016, the then Home Secretary said

“it is … right that these powers are subject to strict safeguards and rigorous oversight”.

It is essential that the Bill meets those conditions, but I worry that it does not do so in all places in its current form. We look forward to interrogating the Bill as we take it through its later stages.

16:56
Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- View Speech - Hansard - - - Excerpts

That was an interesting speech by the right reverend Prelate the Bishop of St Albans, because he put his finger on the dilemma of any legislation like this: the balance between liberty as a subject on the one hand and the security of our citizens on the other. That has become increasingly complicated as the years have gone by.

As the noble Lord, Lord Anderson of Ipswich, has mentioned, I was asked by the then Home Secretary, Theresa May, to chair a Joint Committee of both Houses of Parliament to deal with the original Investigatory Powers Bill exactly eight years ago this week. She asked me because I had been chair of the Intelligence and Security Committee. We met for about three months and made 86 recommendations, nearly all of which were accepted by the Government. Those recommendations were nearly all about the balance between liberty and security, which the right reverend Prelate referred to. The committee had 57 witnesses, including the noble Lord, Lord Anderson, and 148 written submissions. The process that took place all those years ago was vital for this sort of Bill. For various reasons we have not had that, and perhaps we will come to that in Committee.

That balance is also reflected in the work of government. For example, when I was Northern Ireland Secretary I had to sign warrant after warrant to deprive our own citizens of their liberty. They did not know it, of course, but that is what we were doing. If we had not done so, the chances are that many hundreds if not thousands of people would have perished in Northern Ireland, and indeed in Britain, because of the way in which the intelligence services were able to infiltrate the IRA and the loyalist paramilitaries.

Of course, a major recommendation of that committee was to have a review of the legislation five years after the legislation had been finished in Parliament. We have been very fortunate that the noble Lord, Lord Anderson of Ipswich, has actually conducted that review. I read it on the weekend. It is a lot to read on a weekend—138 pages—but it is, although on a very difficult subject, a relatively easy read for lay people such as myself. It is thorough; it is full of common sense, and it is practical. In the absence of a pre-legislative committee of both Houses, the review has, in a way, replaced that. Without the noble Lord’s review, we might not have the same Bill in front of us as we do now.

I agree with every single one of the noble Lord’s recommendations and, indeed, in Committee, there may well be more recommendations that this House can put before the Government. I hope that we do not get into a situation where we have to vote on those, but that we can have proper discussions between Members of this House and the Government on what those might be. They could cover internet communications records, bulk personal datasets, the issue of telecommunications companies and their notification of changes in the way they operate—all these things are significant. I just want to touch on one, which is of interest to all of us in here, and that is how we deal with parliamentarians.

The Wilson doctrine is as old as Harold Wilson, of course: it was a long time ago that that happened. I understand that, because we now need three people, including the Prime Minister, to consider these matters, but if the Prime Minister is incapacitated—as Boris Johnson was when he had Covid at that time—what do you do? Presumably, you go to the Secretary of State to be able to deal with that issue. I think that is sensible, but I take my noble friend Lord Coaker’s point that it should not be just any Secretary of State. It should be confined to either the Foreign Secretary, the Home Secretary, the Defence Secretary or the Northern Ireland Secretary; in other words, Secretaries of State who have experience of dealing with warrants, because these are such hugely important matters.

I also want to take up the point that my noble friend made about the Intelligence and Security Committee itself. The Minister will answer whether the committee has been consulted on these proposals: if it has not, it should have been and if it has, it would be useful for us as parliamentarians to know what it said. That is of vital importance to us.

Clearly, we need to update how we deal with the evil and unpleasant people who threaten our security and our lives. The technological innovation in the past eight years has been absolutely dramatic and will get even more dramatic as the years go by. My noble friend mentioned China, the war in Ukraine and Russia, and all those other authoritarian countries that exist on our planet. That is going to get worse. He also mentioned how much more sophisticated criminals now are, so we have to keep up with all this. What struck me in the last six or seven weeks, in the horrific and terrible war that we now see in the Middle East, was that the intelligence services of Israel, which were notably good, obviously failed. It could have been that if they had worked, we might not have had the horror that we now see in the Holy Land. I support this Bill, but I also support it on the basis that it has had immense scrutiny from the noble Lord, Lord Anderson; but there is still work to be done and I look forward to debating it in Committee.

17:03
Lord Strasburger Portrait Lord Strasburger (LD) [V]
- View Speech - Hansard - - - Excerpts

My Lords, I apologise before appearing—or, more precisely, not appearing—before your Lordships in this manner, but I understand that there has been a failure in the parliamentary network and I cannot appear in video; it was either by telephone or smoke signals, so I will settle for the phone.

I should begin by declaring my interest as chair of Big Brother Watch, which campaigns for the privacy and freedom of speech of the citizens of our country and seeks to protect them from unwarranted intrusion by the state into their lives and their data. Big Brother Watch has managed to rapidly prepare a briefing for parliamentarians about this Bill, and I commend it to Members of this House. It sets out five areas of concern, which I will cover later in my contribution.

However, Big Brother Watch had to work at pace to complete the briefing for this Second Reading because the Government published the Bill only on 8 November, just eight working days ago. I wonder what the reason could be for this rushed processing. Could it be that the Government want to avoid the thorough examination that this detailed and complex Bill needs? If so, the small number of Members who are ready to speak about it today—just 11, including the Minister—suggests that this strategy might have worked. Therefore, my first question for the Minister is to ask for an explanation of why so little time has been given to prepare for this Second Reading.

I sat on the Joint Committee that carried out the pre-legislative scrutiny of the original Investigatory Powers Bill in 2015 and 2016. The noble Lord, Lord Murphy of Torfaen, whom I am pleased to follow in this debate, was the chair of that committee and a very good job he did too. My view eight years ago was, and still is, that bulk data collection—that is, the interception or collection and indefinite storage of everybody’s innocent internet, phone and computer communication—is a serious intrusion on every citizen’s privacy and requires very strong judicial oversight.

Those who support this mass surveillance seek to reassure us by saying that if you have nothing to hide you have nothing to fear. However, in truth do we not all have something to hide that we would prefer to keep to ourselves? That is why we shut the toilet or bedroom door behind us. That is why we do not speak in public about troubling issues in our family or friendship circle such as addictions, unwanted pregnancies, financial woes and the like. There are some things that we just feel are private—the kind of information that, in the wrong hands, can be used to demean or blackmail any of us. That detailed knowledge about every individual in the country could be used by an unscrupulous Government—who are considering ignoring laws and treaties, for example, if that rings any bells. They could use it to identify all citizens of a particular religion, political persuasion, sexual proclivity or whatever, to single them out for disadvantageous treatment or worse—much worse.

The state is collecting this personal information about us all and we cannot predict who in a future Government will get their hands on it and might totally misuse it. All I can say with certainty is that East Germany’s Stasi would have thought that every day was Christmas if it could have laid its hands on such a rich source of intimate data about all its citizens. Therefore, we must achieve a balance between the privacy needs and rights of individual citizens and protection of those same citizens from terrorists and serious and organised crime. It is not an easy balance to get right. I fear that the Government are still erring in favour of capturing too much data about innocent citizens—of course, the vast majority of us.

There is another very strong reason for not engaging in the collection of everyone’s data. The problem is that the useful information about terrorism or organised crime gets buried in a blizzard of useless data about the vast majority of us who are innocently going about our lives. In 2016, the Joint Committee on the Draft Investigatory Powers Bill heard startling evidence about the problem that this causes for security services from a gentleman called Bill Binney, a retired technical director of the United States National Security Agency and a bit of a folk hero in the intelligence community because he predicted with great accuracy when the Russians would invade Afghanistan just by analysing the patterns of their military signals. However, later in his career Mr Binney concluded that the NSA’s policy of collecting the data of all American citizens was unconstitutional, so his team devised software called ThinThread. It used smart collection to pick out for inspection only the communications of known terrorists, those they were talking to—and who those people were talking to.

The management of the NSA instead chose to go down the road of collecting 100% of the data through a highly expensive project, Trailblazer—which was later abandoned—and ignoring Bill Binney’s method of giving the analysts a much smaller but richer and more relevant set of data. The consequence was that the NSA missed the data that it already had in its systems which would have alerted it to the plot to attack the twin towers on 9/11. If only the NSA had known that it had it and had looked at it. We know that the NSA did have it because shortly after 9/11, Mr Binney’s team ran its ThinThread software against the NSA’s database at the time of 9/11 and found six of the 9/11 conspirators and their command centres. Mr Binney shocked the committee by revealing that 9/11 could, and should, have been prevented—if only the American security analysts had not been swamped with useless information.

The price paid by the American people for their security services’ predilection for bulk data collection was very high indeed. Yet here we have in this Bill the continuation of that folly by our own intelligence services. I invite noble Lords to recall the terrorist attacks of the last 20 years and that, almost every time, it was later revealed that the perpetrators were known to the police or the intelligence services. Our people being swamped with irrelevant data must have contributed to the failure to further investigate these suspects before they acted.

The Government will no doubt argue that the advent of artificial intelligence makes it more possible for them to search for needles in haystacks. That may well be so, but some of that advantage will be negated by the massive explosion of data volumes they are now collecting from a wide variety of sources, especially social media and video. The fact remains that they are still holding, and have available for inquiry, huge amounts of data about all of us in this House and in this country—all of it at risk of being misused. Bill Binney’s solution was to immediately encrypt the 99.9% of the data that was of no interest to protect it from snooping, official or unofficial. In the UK we have none of that protection.

The Investigatory Powers Act, to the credit of the then Government, sought to reassure the public that there are limitations on the use of personal data by law enforcement and the security services, and how those limitations are policed. However, it is worth noting that it was also disclosed that several intrusive powers have been used on the British people for many years, without any such constraint. That was because they had been in use without the consent or even the knowledge of Parliament. If it had not been for the brave whistleblowing of Edward Snowden, the contractor to the American National Security Agency, the scandal of the UK’s surveillance powers would not have been revealed to Parliament and may never have been addressed.

We need an Edward Snowden-type whistleblower every few years to keep our security services and our Government honest, because the safeguards that are in place to ensure compliance by the security services and prevent misuse of these highly intrusive powers seem to be inadequate, as illustrated by the TechEn case. This was a very serious breach of the statutory safeguards in the Investigatory Powers Act and the Regulation of Investigatory Powers Act 2000. It was the subject of the scathing judgment against the Security Service and the Home Office by the Investigatory Powers Tribunal in January this year. MI5 admitted that it had been aware, since May 2016, that there was a very high risk it was in breach of its statutory obligations concerning the holding of personal data under both Acts. It also admitted that it should have immediately reported to the Investigatory Powers Tribunal but failed to do this for three years.

The Investigatory Powers Tribunal found that

“there were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards”—

that is, two years earlier than MI5 admitted—and that those failings should

“have been addressed … by the Management Board”.

It was also strongly critical of the Home Office’s failure to inquire further into MI5’s long-standing compliance failures, after being made aware of them several times since 2016. The tribunal found that the Secretary of State breached their duty to make adequate inquiries as to whether the statutory safeguards were being met, and that warrants were issued after late 2014, through to 5 April 2019, that were unlawful and did not meet the safeguarding requirements imposed by the Investigatory Powers Act and RIPA. Other breaches of the safeguards were alleged, but we do not know the tribunal’s verdict on them because they were covered only in the secret part of the judgment.

As the noble Lord, Lord Anderson, whom I also thank for this thorough review, points out:

“MI5’s previous non-compliance has led to it being the subject of particularly rigorous oversight by IPCO with four extraordinary inspections taking place in 2019”.


He later warns that the TechEn case is a

“salutary reminder of the principle underlying the IPA: that exceptional powers require strong and independent external oversight”.

We would do well to remember those words when we come to consider the Bill in detail. There is clear, authoritative evidence that all is not well with the compliance mechanism in the Investigatory Powers Act. Some of us predicted this during the Bill’s consideration in this House. We also called for judicial authorisation to manage the risk of these suspicionless electronic surveillance powers, which are on a scale never seen before in a democracy. Instead, the Government set up a much weaker double-lock system, and now we see the consequences. So my second and third questions for the Minister are: what are the Government’s plans to seriously improve compliance with the Investigatory Powers Act, and will they now recognise that the current supervision regime is failing and needs to be replaced with much stronger arrangements? On a related matter, my fourth question is: when will the Government introduce regulation of a highly intrusive technology that is running riot in policing and security with absolutely no rules, safeguards or oversight—namely, facial recognition?

I turn to this Bill. There are five primary concerns that will be covered in detail in future stages in this House. As has been discussed, it weakens the safeguards against the intelligence services collecting bulk datasets of personal information by potentially harvesting millions of facial images and mass social media data. The Bill’s creation of a vague and nebulous category of information where there is deemed to be a low or no reasonable expectation of privacy is a concerning departure from existing privacy law, in particular data protection law. Such an undefined category requires agencies that are motivated to process such data to adjust safeguards according to unqualified assertions about other people’s expectations of the privacy of their data. On the contrary, data protection law is constructed according to the sensitivity of the information rather than guesswork about the individual’s expectation of privacy concerning personal information. In my view, this provision needs to be worded more tightly.

It weakens safeguards when authorities harvest communications data—for example, membership of and Facebook posts to a racial equality group could be seen as data available to a section of the public as defined in this Bill, and therefore the authorities may wrongly believe that they consequently possess lawful authority to obtain associated communications data from the platform. Once again, more precise wording is needed.

Thirdly, it expressly permits the harvesting and processing of internet connection records for generalised mass surveillance, which is a much wider purpose than originally envisioned.

Fourthly, it increases the number of politicians who can authorise the surveillance of British parliamentarians and members of other domestic legislative bodies. Politicians are not above the law but, given their important constitutional role, spying on them must require the highest authority—namely, that of the Prime Minister.

Fifthly and finally, it attempts to force technology companies, including those overseas, to inform the Government of any plans to improve security or privacy measures on their platforms so that the Government can consider serving a notice to prevent such changes. I am sorry to say that the Government must be suffering from delusions of grandeur if they think that Apple, for example, will agree to desist from improving the privacy protection of its products or to produce an iPhone with downgraded privacy features especially for the UK. Superior privacy for its customers is one of Apple’s main selling features, and it is not going to forfeit that to please the current Government in a small part of its worldwide market.

We have much to discuss when this Bill reaches its Committee stage. In the meantime I look forward to hearing the Minister’s response to my four questions at the end of this debate.

None Portrait Noble Lords
- Hansard -

Order!

Baroness Bennett of Manor Castle Portrait Baroness Bennett of Manor Castle (GP)
- Hansard - - - Excerpts

I apologise to the noble Lord.

17:19
Lord Evans of Weardale Portrait Lord Evans of Weardale (CB)
- View Speech - Hansard - - - Excerpts

Not at all.

My Lords, I do not intend to make a long speech. This Bill proposes an important but, I suggest, relatively modest updating of the existing authorisation regime for the use of surveillance powers. It is also based on the excellent and clear review undertaken by the noble Lord, Lord Anderson, who has been thanked many times already and to whom I also give my thanks. His expertise and good judgment in these areas is widely acknowledged, not least within the police and intelligence agencies themselves.

The Investigatory Powers Act 2016 was significant in that it brought the authorisation of surveillance powers into the modern, digital age. Before the 2016 Act, the legal justification for surveillance was achieved by stretching and interpreting laws from an earlier era to cope with new conditions. The 2016 Act addressed modern needs directly with an unprecedented degree of frankness about what was actually possible and necessary. The Act also recognised the highly intrusive nature of investigatory powers that were being authorised and therefore matched those intrusive powers with strong and independent oversight mechanisms.

I respectfully disagree with the right reverend Prelate the Bishop of St Albans: I do not believe the Bill vastly expands the powers of the intelligence agencies. In some areas, it introduces more controls, but it is also very careful to balance any powers with independent oversight. The noble Lord, Lord Strasburger, helpfully drew our attention to the effectiveness of independent oversight where problems have arisen, and he demonstrated that the agencies are drawing attention to areas of failure and that the oversight mechanisms are making the appropriate decisions as to what needs to be done about it. I reassure the right reverend Prelate the Bishop of St Albans that, certainly in my experience, the agencies are extremely conscious of the ethical dimension of their work. In terms of both their external relationship with oversight bodies and their internal discussions, ethical factors are strongly considered and taken seriously.

We are all aware of the speed with which data capabilities, new platforms and artificial intelligence as a whole are developing. It is important that the law should be updated from time to time to keep up with the art of the possible. Data is at least as important as interception when it comes to preventing the very real security threats that we face from causing damage. If we do not update the law, one of two things will happen: either security will be put at risk, or those using the powers will rely on an increasingly creative and elaborate interpretation of the law to keep up with a new situation. We cannot operate within old legislation; neither of those alternatives is desirable, so a new Act is needed.

The key proposals in the Bill seem to be the new regime for bulk datasets and the arrangements for bulk datasets held by third parties but to which the intelligence agencies have access. Neither of these proposals involves a significant increase of intrusion into individual privacy, and in each case, tough oversight controls remain in place. On bulk personal datasets, the 2016 Act created what, in retrospect, appears to be a rather odd situation where the intelligence agencies are not able to use completely open data—such as Wikipedia data—without quite stringent authorisation, but which any member of the public can access without permission. A police force can also access that data without restriction. Our close intelligence allies can do so too, but our own security and intelligence agencies cannot. The same constraints apply for historical or open datasets of the sort that are needed to train artificial intelligence systems to operate effectively.

I cannot think of any good reason why these constraints are needed in their current form, and they have a negative impact on the speed and flexibility with which the agencies can respond to threats. I am therefore glad to see that the Government’s proposals for a less restrictive approach to datasets where there is no or low expectation of privacy have been included. The Investigatory Powers Commissioner will continue to police the low/no boundary so that there is no risk that the less stringent regime will be misapplied or that there will be any form of mission creep. I therefore support the Government’s proposals.

On third-party datasets, the situation appears to some extent to have been reversed, in that access to sensitive data held by third parties is currently not covered by as stringent a regime. This appears to be a small loophole in the 2016 regime, and it is right that access to such datasets should be brought within the authorisation regime, as the Bill proposes. Events since the 2016 Act, including the war in Ukraine, increased state threats and political interference and recent terrible events in the Middle East all mean that the security threats that we face and from which the intelligence agencies help to protect us are at least as acute today as they were seven years ago. At the same time, the technical environment within which the agencies work has changed very fast, and it is right that we should update the legislation that enables them to succeed in their work. I therefore support the proposals in the Bill.

17:26
Baroness Bennett of Manor Castle Portrait Baroness Bennett of Manor Castle (GP)
- View Speech - Hansard - - - Excerpts

My Lords, I apologise to the noble Lord, Lord Evans: my enthusiasm to reinforce the contribution of the noble Lord, Lord Strasburger, who I think made many important points in this debate, got me carried away.

I am delighted to present the Green Party’s position on this Bill. I am very aware of the depth of expertise in this debate, but I reinforce the comments of the noble Lord, Lord Strasburger, in reflecting on the narrowness of the contributions and the short time your Lordships’ House has had to absorb this Bill. I note that I am the only female contributor on the speakers’ list for this debate, which is perhaps one measure of the lack of diversity of views that have been able to participate. I also note that we are talking about further strengthening the Investigatory Powers Act, which, when it was brought in in 2016, was known universally as the snoopers’ charter. Liberty described it as

“the most intrusive mass surveillance regime of any democratic country”.

Since then, a number of court cases brought by Liberty have brought in some restrictions in terms of the operations of the Act, which I very much applaud, but the Act was also subject to a petition from 130,000 people to speak out against the snoopers’ charter. Of course, the speed at which we are operating now makes it very difficult to get such level of public engagement as we saw in 2016.

We are talking about a further erosion of privacy and, as many noble Lords have said, this is a question of balance, but we are tilting the balance very clearly with these amendments to the snoopers’ charter. What is particularly worrying is that this Bill is about granting the security services access to bulk data, which will clearly be used to build what are known as artificial intelligence machine learning models. In essence, the Bill lays the foundation for the Government to use rapidly developing artificial intelligence—so-called; I prefer to call it big data wrangling—in mass surveillance. Not only does this have huge ethical ramifications, but its adoption in surveillance would be extremely irresponsible, given that we do not know how these technologies are going to evolve in future. We have talked about trying to keep up with where they are, but we are potentially opening the door to let them race ahead much further than we can currently comprehend, as we stand in the House today.

In other contexts I have drawn to your Lordships’ attention the rapid increase of privatised medical testing and the widespread advertising of it that we have seen. The noble Lord, Lord Fox, referred to genomic data. What is being assembled is a huge amount of intensely private information about individuals, and if that is then to be opened and exposed to the state on a mass, untargeted basis, that surely is cause for grave concern.

The Bill gives the Government unprecedented powers to monitor and target the entire British population and lays the foundation for use of artificial intelligence in surveillance. This is indiscriminate surveillance. Anyone can be monitored, regardless of whether they are a suspect. This is a complete assault on our right to privacy and raises a real question to ask about the Universal Declaration of Human Rights.

Coming down to some of the detail, Clauses 1 to 4 allow for the mass trawling of social media and for the Government to collect data from every person’s web use, and Clause 14 allows the Government to obtain information from companies around every person’s web use—whereas, before, they were able to look only at specific data. In addition, the potential use of artificial intelligence as part of this Bill means that the Government could in theory identify everyone who is behind every single anonymous social media account, meaning that nobody would have anonymity online.

I am well aware that many people express concerns about anonymity and the behaviour of anonymous accounts online. Here I declare my position as co-chair of the All-Party Parliamentary Group on Hong Kong. I am delighted that the UK has welcomed many exiles from Hong Kong who have sought refuge in the UK, but they remain deeply fearful about the very long arm of the Chinese state. Similarly, we have seen that many Russians have had good cause for concern about the long arm of the Russia state, which, despite the best efforts of our intelligence service, has proved itself capable of reaching within our borders. Anonymity is crucial to some people’s safety in the world. Lest we think of this as being just about states regarded as hostile by the UK Government, let us all remember the fate of Jamal Khashoggi and the actions of our friend and ally Saudi Arabia in his horrific death.

The widespread use of surveillance means that this Bill would push the UK further away from what are considered democratic norms. What is more, as a number of other speakers have already said, this blanket surveillance is not necessarily effective. There is a real risk that, the more information you collect, the harder it is to see the needles in the haystack. This Bill erases some of the checks and balances already in place.

We have seen how far this can go. Again, looking on the international stage—what China is doing to its Uighur population, what it has done in Tibet, and what is happening in Burma—these are situations where the more surveillance there is, the more issues arise. If the UK is heading in the wrong direction, what kind of model are we creating on the international stage? The UK likes to present itself as a leader, a model of democracy, speaking up for democracy in international contexts. We must not be a leader in allowing further steps towards autocracy.

I think it was the noble Lord, Lord Coaker, who spoke of how these technologies have often been used in discriminatory ways. We know that the police, certainly, have unfairly singled out people based on their identity, and that has had dangerous, damaging consequences, both in relation to the treatment of individuals and in relation to communities’ views of the police and our security services. If artificial intelligence is added into this mix, we know that there are built-in biases in the way in which the databases have been developed, and that is a real issue.

We also know—I declare an interest here—that the police and security services in the UK have made disproportionate efforts to monitor politically active individuals, trade unionists and whistleblowers. Providing the police and the security services with greater surveillance capacities means that people who are acting democratically in our society could be—in fact, almost certainly will be—subjected to further unwarranted surveillance. As a number of other noble Lords have said, the fact that Part 5 of the Bill allows further extension of the Prime Minister’s powers to approve interception and examination of MPs’ communications is a cause for grave concern.

To conclude, I will share an experience from the weekend. On Saturday, I was at a protest against the proposed new coal mine in Whitehaven in Cumbria, which is opposed by, among others in your Lordships’ House, the noble Lord, Lord Stern of Brentford. He made similar points to mine about the messages we are sending to the international community. The slogan was “No Time for a Coal Mine”. At that protest, there were 100 or so supporters, and the four of us who were speaking had all advertised this fact on social media beforehand. For nearly all the two and a half hours we were there, flying above us was what I am told was a police drone. There were at this protest of 100 people—all advertised and entirely peaceful with no plans for direct action—at least six police officers, one of whom filmed my contribution and all the other contributions. That is the experience of people peacefully protesting within the UK.

There was another story at the weekend that 15 government departments are monitoring the social media activity of potential critics and compiling files to block them from speaking at public events. This is the experience that people have of the UK state today. We have savage reductions in the right to protest; we have deeply concerning directions of travel, and the Bill is a further step in that direction.

17:36
Lord Carlile of Berriew Portrait Lord Carlile of Berriew (CB)
- View Speech - Hansard - - - Excerpts

My Lords, stimulation comes in many forms, so I think I can say, without any disingenuousness, that it is stimulating to follow the noble Baroness, Lady Bennett. Having heard her and the noble Lord, Lord Strasburger, I feel that I should start with a bit of my own experience, that of dealing with those extraordinary and usually highly intelligent people who work in the various security services. It is outrageous to assume that they would look into an individual’s credit card transactions or anything like that in the way that has been implied by at least two speeches that we have heard. I believe—indeed, I know—that their contributions have been key to the introduction of this Bill and that they have done it with intellectual integrity and with only one thing in their mind: the interests of their country, in which they live. Listening to the noble Baroness, I have a fear that she and I, at least in our minds, live in completely different countries.

The noble Lord, Lord Strasburger, expressed some extraordinary conspiracy theories which just do not exist and which, in my judgment, are—I hesitate to use the word, but I will—misleading. Both the speakers to whom I have referred have been on a safari into irrelevant issues which are not pertinent to the reality of what we are discussing. In the years since 9/11, the date on which I became the Independent Reviewer of Terrorism Legislation—to be succeeded some years later by the brilliance of the noble Lord, Lord Anderson of Ipswich—various Governments all over the world have been challenged repeatedly by both evolving change and unexpected events affecting the terrorist threat landscape.

I suggest that the amount of legislation we have had since 9/11 has reached the point at which the Government should give consideration to a consolidation Bill, a codification in which all counterterrorism, interception and counterextremism legislation is included so that we have a living instrument to which lawyers, police officers, the security services and, of course, parliamentarians concerned can refer—a single place in which all this legislation is kept. This Bill is an example in some parts of the way in which extra legislation is being added piecemeal, although it is fair to say that legislation.gov.uk at least tries to include in Bills, if looked up online, the additional parts that have been created. It really is a time for codification, and the template for that is the Sentencing Code, which was created by Professor Ormerod when he was at the Law Commission.

I used the phrase “terrorism threat landscape” deliberately. Terrorism and related forms of extremism have morphed into one of the major and enduring geopolitical issues. It started with the word “terrorism”, but, since 9/11, these issues have become part of the defence and national security policies in every single country, including our own. It was a surprise when national security originally appeared as part of the defence strategy, but it is now completely established in that context.

Attempts to disrupt the stability of sovereign Governments, sovereign Governments themselves disrupting other Governments and the rise of new international factions are all matters that affect our debate; we have to understand the context of what we are considering. I thank the Minister for ensuring that your Lordships have been fully informed and have been given plenty of time; this has been a matter of discussion for a long time. My noble friend Lord Anderson reported some time ago on the background and primary considerations behind the Bill; I too add my special thanks to him for his excellent, detailed report, which is the foundation of the Bill.

Let us consider the context. The first responsibility of our Government is to keep their citizens safe and free to go about their legitimate business and interests. When we go to a concert, as in Manchester, for example, or to a shopping centre, again, as in Manchester, or come and go to this Parliament, along the streets outside without disturbance, which has not been everyone’s experience in recent days, we should be kept as free and safe from the terrorism threat as is possible within the legitimate constraints we set ourselves as a free society. That does not mean that we should resile for one minute from what we rightly regard as fundamental freedoms, but how fundamental those freedoms are is open to argument based on the assessment of proportionality that was mentioned earlier.

In that context—specifically in connection with bulk data, a major part of the Bill—we need to be realistic. In the years since some of us first handled house brick-sized mobile telephones that slotted into racks in our cars—at the time, I was a Member of the other place—we have ourselves given away, to a wide audience, private matters that, in the past, were closely protected. When we—the middle-aged and older men here, for example—buy clothes online, we give away details of our anatomy, including our shoe and waist sizes. That the security services have any interest in that sort of thing is a myth, but we have given away a huge amount of our information. To allow the state to use that information to catch terrorists seems to me to be a reasonable balance, if that use is circumscribed by the high level of judicial protection that the Bill provides and, in some respects, enhances.

When we speak about bulk data, we should bear in the mind the donation we have made of information, sometimes our most intimate details, and we should reflect on the public interest in allowing the authorities, subject to the protections built into the Bill, to use that bulk data—even the meta data that tells them when we made our calls and to whom, and from whom, they have occurred—to carry out their prime duty to protect the public. Maybe, from time to time, there will be people whose information has been mistakenly or improperly prepared, but they are provided, in this country and in this Bill, with greater legal protections than in any other country that I know.

This is an appropriate and good Bill. The Committee should not be distracted by mythology; it should seek to make the Bill better—but within its existing context.

17:44
Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- View Speech - Hansard - - - Excerpts

Will your Lordships allow me to speak in the gap? I had not intended to speak in this debate because I knew that my noble friend Lord Evans is more up to date than me. I think my noble friend Lord Anderson has had enough praise already, but I shall add a bit. I promote the noble Baroness, Lady Bennett, because nobody else of her gender was going to speak in this debate. I shall make a few comments on the things that have been said. The noble Lord, Lord Murphy, talked about the balance between liberty and security. Of course that is an issue, but there is no liberty without security. Without making sure that our electoral proceedings, our secrets and our citizens, whether shopping or going on the Tube, have safety in their lives, there is no real liberty. I think sometimes it is an artificial distinction.

I noticed that my noble friend Lord Evans and my successor but one, Ken McCallum, the current head of MI5, gave a public speech in California recently at the Five Eyes conference—a first—and it was reported. There were three things he talked about as really at the top of his concerns: first, whether arising out of the tragic events in the Middle East there would be a resurgence of terrorism in that area; secondly, cyber; and thirdly, the threat to our democracy, including our electoral process, from various states. It is not an accident that the law governing the Security Service emphasises that it is there to protect parliamentary democracy. I find quite strange the idea that it is a threat to it.

I would also like to, I am afraid, dismiss as ignorant the spurious argument that having too much information means that you do not find the people you should have found. As my noble friend has said, you can know of people in this country, and MI5 will know some about whom it has significant concerns, but it does not know what they will do. It is also constrained, rightly so, by the law, and cannot suggest to the police that they arrest people unless there is a good case to do so, any more than it can mount intrusive surveillance unless there is a good case to do so.

The final point I would make in endorsing again what my noble friend has said is that my colleagues in the service and in the other agencies were very conscious that the law gives us powers that are not given to the normal citizen. The Murdoch press occasionally took them with the interception of phones, but they are not given to the normal citizen. They are given to the agencies and the police within the law. Precisely because they are not normal abilities to intrude into people’s privacy, that work has to be done with great care to the highest ethical standards and only when proportionate and necessary. Excuse me for delaying the conclusion of this important debate, but I did not think I could sit patiently and not make those remarks.

17:48
Lord Ponsonby of Shulbrede Portrait Lord Ponsonby of Shulbrede (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I think the whole House will be grateful for the noble Baroness’s intervention speaking in the gap. I thank the Minister for facilitating the briefings which we have had and will have in the coming days on the Bill.

The Bill makes changes to the 2016 Act, as we have heard. The 2016 Act provides a framework for the use of investigatory powers by the security and intelligence agencies, law enforcement and other public authorities. They include the power to obtain and retain communications. It also created the post of Investigatory Powers Commissioner and includes a number of safeguards for the use of such investigatory powers, including a two-stage procedure for obtaining authorisations. Many of the powers in the 2016 Act were pre-existing, as we have heard, and already being used by intelligence and law enforcement agencies. The Government stated that one of the intentions behind introducing the 2016 Act was to bring together and build on the statutory powers already available. The Government explained that the Act was also required to replace emergency legislation passed in 2014, the Data Retention and Investigatory Powers Act, which was subject to a sunset clause.

I agreed with the point made by the noble Lord, Lord Carlile, about the desirability of developing some sort of living instrument and a consolidation Bill to try to bring these pieces of legislation together.

The Bill before us proposes changes which include the creation of a new condition for the use of internet connection records to aid target detection, introducing a less stringent regulatory regime for the retention and examination of bulk personal datasets where individuals have little or no expectation of privacy, and a new notification requirement that can be issued to selected telecommunications operators, requiring them to inform the Government of proposed changes to their products and services that could negatively impact the current ability of agencies to lawfully access data.

I was going to say something about the contributions of the noble Lord, Lord Anderson, to the review of this legislation. My understanding is that all the noble Lord’s recommendations have been accepted by the Government, and I too express the Opposition Front Bench’s gratitude for the work he has done on this.

The Bill is a relatively short Bill of six parts, 31 clauses, and two schedules. I was going to step through its various elements, but I will not do that because it has been adequately covered by speakers earlier in this debate.

Like other noble Lords, I have received emails from industry and advocacy groups raising concerns about the Bill. On 7 November, a Financial Times piece reported that firms, including Apple and Meta, have signalled that they may withdraw from the UK market if they can no longer offer end-to-end encryption to their customers. I will quote from the concluding paragraph of a letter I received from Apple:

“The Home Office’s proposals to expand the IPA’s extraterritorial reach and to grant itself the power to pre-clear and block emerging security technologies constitute a serious and direct threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, the Home Office’s proposal should be rejected”.


The piece, which I am sure we all received, then went on to explain their concerns about providing what they refer to as a back door into end-to-end encryption, and how that undermines the firms’ business model and the security of many other groups operating elsewhere in the world. It is right that we take the points raised by these commercial providers seriously, and maybe we will address them as the Bill progresses.

Similarly, online privacy advocacy groups such as Open Rights Group and Big Brother Watch have expressed their concerns, and we have heard from the noble Lord, Lord Strasburger, and the noble Baroness, Lady Bennett, today. It is worth saying that I agreed with every word of the noble Lord, Lord Carlile, when he said that he and I live in a different country from that spoken about by the noble Lord and the noble Baroness. We need to consider the concerns being addressed in the Bill, but also the wider context that other countries and other very large companies have access to bulk datasets—maybe not our bulk datasets—and are using that data in ways that we need to understand and pre-empt, if they are working against our national interest.

I conclude by talking about my own experience as an engineer, which is relevant to the debate we have just had. It used to be my working life to deal with very large datasets, make predictions based on them, and inform management about those predictions. One of my experiences was that it is very easy to mislead oneself because one is analysing large amounts of data. One needs to be realistic and at the same time see the possibilities of these extremely large datasets. It is a huge challenge. Huge amounts of data are used just to process them, and the maths and the imagination behind it is developing as we speak. The Bill in front of us now is a relatively modest step in the road, and we need to keep reviewing the processes available to us and reviewing the legislation to try to underpin them.

17:55
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.

The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.

I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.

I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.

For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.

The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.

On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.

In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.

Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.

These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.

The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.

The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.

On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.

None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.

These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.

The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.

On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.

On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.

The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.

I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.

Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.

Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.

The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.

On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.

The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that

“The safeguards contained within that Act are capable of preventing abuse”.


While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.

I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,

“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].

Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.

Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.

The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.

I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.

Bill read a second time.
Commitment and Order of Consideration Motion
18:13
Moved by
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom
- Hansard - - - Excerpts

That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:

Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.

Motion agreed.
House adjourned at 6.14 pm.

Investigatory Powers (Amendment) Bill [HL]

Committee (1st Day)
Scottish Legislative Consent sought.
15:23
Clause 1 agreed.
Clause 2: Low or no reasonable expectation of privacy
Amendment 1
Moved by
1: Clause 2, page 3, leave out lines 24 to 27 and insert—
“(b) the extent to which information contained within the personal data has been made public as a result of steps deliberately taken by the data subject;”Member’s explanatory statement
This amendment would ensure the definition of a low privacy bulk personal dataset is in line with the definition set out in Schedule 10 of the Data Protection Act 2018.
Lord Coaker Portrait Lord Coaker (Lab)
- Hansard - - - Excerpts

My Lords, before I get to the specifics of my Amendment 1, I will make some general remarks. I thank the Minister and all his officials for their very helpful briefing and the collaborative way in which they have approached the Bill. As he knows, we support the Bill, but we will seek clarification and further information about a number of clauses and the details in them.

It is important for me to say that this is the Committee stage, so some significant details will be explored that will be helpful to us. Indeed, on my own part, there may be one or two misunderstandings as to the actual meaning of certain parts of the Bill. None the less, it is an important Bill and an important step forward for our country and its security; I think we all want to see it be as successful as it can be.

This group of amendments deals with bulk personal datasets. These include personal data where a large majority of people included will not necessarily be relevant to an intelligence investigation. Currently, all BPD warrants must go through a double-lock process of approval via the Secretary of State and then a judicial commissioner, and must be renewed every six months. Agency heads must also perform certain functions associated with the warrant.

As the importance of data-based intelligence grows, the Bill rightly includes several measures to make it easier and quicker to analyse various datasets. Individual BPDs considered to have a low or no expectation of privacy could be approved by intelligence agency heads if urgent or if they fall into a category approved by a judicial commissioner. For urgent cases, judicial commissioners have three days to review the warrant.

BPD warrants will need to be renewed only after 12 months, instead of six, which seems sensible. Some functions can be delegated from heads of agencies to an official while maintaining overall responsibility. The Bill also ensures that third-party BPDs—mostly commercially held data—are regulated similarly to other BPDs. The double lock of the Secretary of State and the judicial commissioner would remain for all BPDs, apart from ones considered urgent by the Secretary of State. For urgent cases, a judicial commissioner would have three days to review the warrant. Again, much of that is very sensible and improves the current situation.

I tabled my amendments in the spirit of probing what the Government mean, and I will ask some questions for clarity. Amendment 1 probes why the definition of low-privacy datasets differs from existing data protection legislation. Being the sort of person I am, yesterday I read the relevant section of the Data Protection Act 2018. It differs from Clause 2, where the Minister lays out:

“Low or no reasonable expectation of privacy”


for authorisations and the various factors to be taken into account. Given that the Data Protection Act also talks about access to data, about intelligence services having to have consent and about intelligence agencies having various conditions applied to them when seeking authorisations to access data, it would be helpful to the Committee to understand which applies to the authorisations and how the various pieces of legislation interact with each other. Otherwise, we have what is included in this Bill as well as what is included in the Data Protection Act 2018. Amendment 1 seeks to understand where and how the two relate to each other, whether one supersedes the other and whether the Data Protection Act is now irrelevant to the authorisations laid out in the Bill. It would be helpful for us to understand that.

15:30
My Amendment 16 seeks to ensure that the Intelligence and Security Committee is involved in the overall oversight of what is happening. The Government included in new Section 226DA in Clause 2 an annual report, so they have accepted the idea, which my amendment lays out, of having an annual report. But noble Lords will see that my amendment, rather than having the report going just to the Secretary of State as the Government propose in new Section 226DA, seeks to understand why the Government would not want such a report to go to the Intelligence and Security Committee as well. Indeed, my noble friend Lord West has put a similar amendment exploring the same point. It would be useful for the Committee to understand why the Government have excluded the Intelligence and Security Committee from such oversight.
The Minister will know that I was exercised by the role of the Intelligence and Security Committee with respect to the National Security Act during its passage. Again, it is important to understand what role the Government feel the Intelligence and Security Committee has with respect to the changes and amendments included in this Bill. Therefore, at this stage, my Amendment 16 simply probes that. It is a probing amendment; I just want to understand what the Government’s view of the Intelligence and Security Committee should be and how they have come to a view, in new Section 226DA in Clause 2, that they feel an annual report is important but that it will go only to the Secretary of State and not to the Intelligence and Security Committee. It seems a bit strange.
Again, because it is important for the Committee to understand what the Government’s definition of serious crime is, noble Lords will see that my Amendment 17 to Clause 5 would use the definition of serious crime as in Section 263 of the Investigatory Powers Act 2016. It is just to ensure that we understand the definition of serious crime that we are using in the Bill vis-à-vis the earlier Act. My understanding is that in Section 263 of the Investigatory Powers Act 2016, serious crime is defined as
“an offence for which a person who has reached the age of 18”
in England and Wales, or 21 in Scotland or Northern Ireland,
“and has no previous convictions could reasonably be expected to be sentenced to imprisonment for a term of 3 years or more”,
or if various other conduct such as violence is included. Can the Minister confirm that that is the definition to be used? While he does that, can he just underline whether there is any problem with the difference in age in Section 263—18 in England and Wales, and 21 in Scotland and Northern Ireland—with respect to this? For my own clarity—I apologise to noble Lords if it is obvious to everybody else—how does this Act apply to children under 18 and what are the consequences with respect to that for the changes there?
I have some other specific questions for the Minister. How does the Bill ensure that the sensitivity of information is central to whether a dataset is used, not just whether it has been made public? How does the Bill ensure—within it, not necessarily in guidance—that sensitive information such as facial images and medical information is correctly identified as sensitive information that should go through the double lock? Frankly, there are some questions to be asked about what the access should be to that anyway.
What measures are there to know whether an individual’s data has been made public? What will be considered “editorial control”? How can the intelligence community ensure that it does not rely on others to assess data sensitivity? Again, to help us with the definition, what will count as urgent when considering whether a bulk personal dataset should be approved without prior involvement of the judicial commissioner?
As I said to the Minister, we accept the changes the Bill is bringing forward; it will improve the situation. There are much-needed amendments in this group and the others we will discuss, but the clarifications I have asked for should help those who seek to interpret the Bill, and, indeed, those who will use the increased powers in it. With that, I beg to move.
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

I rise to speak to Amendment 2 and several others in this group in my name. This amendment probes the extent to which paragraphs (d) and (e) of proposed new Section 226A(3) depart from current privacy laws. Like the noble Lord, Lord Coaker, we seek clarification. Also like the noble Lord, as far as we are concerned the purpose of this Committee is to probe, get information and understand how the Government interpret some of the measures in the Bill.

Bulk personal datasets represent the largest part of the Bill, and this amendment primarily probes the differences in the definitions in the Bill and those set out in Schedule 10 to the Data Protection Act 2018. The Bill creates a new and essentially undefined category of information where there is deemed to be low or no reasonable expectation of privacy: so-called low/no datasets. This is a departure from existing privacy law, in particular data protection law. With regard to low-privacy bulk datasets, the relevant circumstance, in Schedule 10 to the DPA, is that

“information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”.

This is a different standard from the expectation of privacy in the new BPD category, whereby information is considered low privacy according to

“the extent to which the data is widely known about”

and if it

“has already been used in the public domain”.

As your Lordships will observe, there is a big difference between those two definitions. For example, whereas facial images from public CCTV may be considered low-privacy BPD under the Bill, they would be considered personal data and possibly subject to sensitive processing under the DPA. As the Minister knows, this is a contentious area of law, and a real-life example is Clearview AI’s database of 30 billion facial images harvested from social media platforms for highly facial recognition searches. Some could have been classified as low privacy, as the photos have already been made public by the individuals, but the Information Commissioner’s Office found Clearview AI in breach of the DPA.

Similarly, a database of all public Facebook or other social media posts could be argued to be a low-privacy database, despite the fact that it will be a comprehensive database of billions of people’s social networks, sexual orientations, political opinions, religion, health status and so on. Under the DPA, much of this data qualifies as sensitive personal data, incurring extra protections when it comes to retention and processing, regardless of whether the information can be considered to have been made public.

The DPA would still apply to the intelligence agencies in processing—at least, that is our view, and we would like to like the Minister to comment on that—but under the Bill as drafted the contradictory standards would also apply. How do these two standards work together? I assume the department has looked at the likelihood of possible challenges to this new category of data, and indeed the likelihood of such challenges being successful, so it would be helpful if the Minister could enlighten us in that regard.

Schedule 10 to the DPA sets out circumstances in which the agencies can conduct sensitive processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health or sexual orientation; biometric or genetic data that uniquely identifies an individual; and data regarding an alleged offence by an individual. Does Schedule 10 apply in the case of data identified as “low” or “no” by the Bill?

An example highlighting the potential divergence is data that has been hacked and then leaked out. While not deliberately made public, as per the DPA requirement, it is arguably public and available in the public domain. What is the Minister’s view as to how the Bill regards that sort of data in a low/no context? To test this, the amendment seeks to strengthen the condition in proposed new Section 226A(3)(b) by aligning it with the test in the Data Protection Act for sensitive processing. Data protection law is currently constructed according to the sensitivity of information rather than the individual’s expectations of privacy concerning personal information. As we know, expectations differ greatly from reality, and from person to person. The central questions this poses are: why does the new Bill deviate from Schedule 10 to the DPA, and how will the DPA and the IP work together using the new definition of this Bill?

We are debating a small number of quite large groups today which, unfortunately, means that quite a number of my amendments appear one after another. I will speak as briefly as I can, but I am afraid there is quite a lot of detail coming up. I will speak first to Amendments 4, 5, 6 and 7. Amendment 4 probes the purpose for which bulk datasets will be used by the intelligence services. Amendments 5 and 6 probe the circumstances in which an authorisation is urgent and therefore not authorised in advance by a judicial commissioner. Amendment 7 would require the person granting an authorisation in urgent cases to immediately notify the judicial commissioner that they have done so.

These amendments are similar in purpose and spirit to Amendment 3 from the noble Lord, Lord Anderson, which I have co-signed and support. The basic explanation from the Government for proposed new Part 7A has been that these datasets are needed to train tools using machine learning and that they already exist and are being used in the commercial world, but the Part 7 process makes them difficult for the intelligence services to use. If training AI tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations.

In that regard, proposed new Section 226BC refers to a “relevant period” of three working days between the acquisition of the urgent data and the granting of full judicial approval, giving the relevant service three days to work with data and information that might eventually be ruled out of bounds by the judicial commissioner. All the amendments are intended to understand how Part 7A is to be used in operations, rather than tool training, and what urgent circumstances are envisioned that would negate the need for prior JC approval of an authorisation.

Amendment 4 seeks to restrict the application of Part 7A powers to training and learning functions of the intelligence services, meaning that operational purposes would be excluded. This is designed to get the Minister to explain the operational needs which define an urgent need.

Amendment 5 removes the ability of a person to grant an authorisation if there is an urgent need. Clearly, this gives the Minister a chance to justify why such data might be operationally needed. Amendment 6 provides a definition of what might be considered “urgent circumstances”. The Minister might want to contribute a different definition, but we feel the definition of “urgent” should be included in the Bill. Amendment 7 provides an additional safeguard by requiring a JC to be notified immediately where an authorisation has been granted in an urgent case. This essentially creates an opportunity to close the potential gap between when the data is deployed and when the JC rules on its admissibility—but not, of course, removing the gap entirely.

15:45
Amendment 8, also in my name, probes the meaning of “reasonably practicable”. We need an explanation from the Minister about the meaning of “reasonably practicable” in the context of new Section 226D(2). New Section 226D relates to circumstances where, during the course of the examination of bulk personal datasets, it becomes clear that the data is not in fact of a type where individuals could have no or low reasonable expectation of privacy in relation to the data. At that point, the head of the relevant intelligence service must, so far as is “reasonably practicable”, ensure that anything in the process of being done in relation to the bulk personal database stops as soon as possible. Quite simply, can the Minister please explain in what circumstance it would be possible to stop all activity in relation to that particular bulk personal dataset?
Amendment 9 takes that argument a little further. On the face of it, it is intended to ensure that, when an authorisation ceases to have effect or never had effect, the intelligence services must forget the information or knowledge acquired during the period the authorisation was done. This is connected with the previous amendment. As we have already discussed, using urgency as a reason, the new powers in Part 7A could lead to some bulk personal datasets with the lowest safeguards being used for at least three days before a JC rules the dataset out of scope.
So, in the circumstances described when discussing the previous amendment, where there is a realisation that the BPD being examined is not in fact of the kind where it could be authorised, how can we be sure that the intelligence services will essentially forget the information gleaned in the meantime—and similarly if the JC declines to warrant that activity? With this amendment we are giving the Minister a chance to tell us that of course there is no possible safeguard to ensure that the information or knowledge acquired during the time the authorisation was still in effect cannot be used or relied upon for anything once the authorisation ceases to have effect. In other words, once the information is in the consciousness of human beings, it is there and it is impossible to get rid of—so, at the very least, this means that the discussion we had over the preceding amendments is highly relevant. At worst, it indicates that we have an undefined urgency applied to a self-defined low/no dataset and therefore there is a wormhole in the rules allowing unwarranted datasets to be used for three days that would otherwise not qualify for a Part 7A warranty.
I am looking forward to hearing the noble Lord, Lord West of Spithead, on his amendments. In support of the third one, I will say that the latest ISC report into international partnerships recommends that the Prime Minister should provide the ISC with a full copy of the confidential annex of the annual report of the Investigatory Powers Commissioner. I believe this is probably pushing in that direction.
While we are discussing the ISC and a diversion from the Bill, we heard recently Dominic Raab admitting that while he was a Minister he ordered an intelligence-sharing activity that he knew opened up an individual to a real risk of torture elsewhere. I would be grateful if the Minister could confirm that this was the case and that the policy that excuses Ministers of the Crown when they do this is called the Fulford principle. Can he confirm that? Perhaps the Minister can explain to your Lordships’ House—as I say, either now or in writing—how this differs in substance from extraordinary rendition. Can he also explain how this self-confessed activity squares with the UK’s obligation under the convention on torture?
Returning to the Bill in hand, Amendment 11
“requires the annual report to include details of the number of authorisations sought and granted under new Part 7A”.
Bulk personal data appears to be widely used; 177 warrants were sought and approved in 2021. What is not clear is how many of these would qualify for the new 7A category of approval. It is also not clear from the Bill whether in future we will know the number of annual BPD warrants, as there is no explicit proposal for these to be included in the IPC’s annual report. This amendment seeks to make it explicit that they are reported in this way.
I am sure the Minister would agree that it is a reasonable—indeed, modest—request to understand how this permissive legislation is being used, not least because it seems that the application of the existing laws has not been totally smooth. In its most recent report, covering the period of 2020-21, the Investigatory Powers Commissioner’s Office, the IPCO, found that the Secret Intelligence Service had retained bulk personal datasets “in error” and “without a warrant”, and had “serious gaps” in its
“capability for monitoring and auditing of systems used to query and analyse BPDs”,
involving
“several areas of serious concern”.
It also found that the agencies were responsible for 29 errors involving BPDs, the second highest area of the investigatory powers for errors. Errors can include, for example, officers accessing an individual’s record without reason.
We say again that Part 7A contains extensive new powers. We need appropriate oversight and transparency. This is a small but important amendment to which I hope the Minister would have no difficulty agreeing.
Amendment 14 deals with Clause 5 of the Bill, and relates to third-party bulk datasets, where
“the intelligence service has relevant access … to a set of information that is held electronically by a person other than an intelligence service”.
The definition of “relevant access” includes where
“the type and extent of the access available to the intelligence service is not generally available”.
With this amendment, we are simply asking the Minister to put on record a more detailed explanation of what type of information this might consist of, and what is meant by “not generally available”.
Amendment 18
“is intended to confirm that genomic and genetic data is included in the definition of sensitive data under this section”.
It is a simple probing amendment, intended to ensure that our understanding of the Bill is correct. I suggest that the upcoming data Bill will also deal with this, so there are some cross-references we need to establish here before the next Bill arrives. In the Bill, “sensitive personal data” is defined under Section 202(4) of the 2016 Act, which in turn cross-references Section 86(7) of the Data Protection Act 2018. Section 86 of the DPA lists
“genetic data for the purpose of uniquely identifying an individual”
as sensitive personal information, so this amendment seeks to confirm that genomic and genetic data is included in the definition of sensitive personal data that might be included in health records, and that, as such, an application to examine any third-party dataset must explicitly state this.
In conclusion, Amendment 19
“requires the Secretary of State granting an authorisation in urgent cases to immediately notify a Judicial Commissioner that they have done so”.
This amendment is similar in intention to an amendment tabled to Clause 2, but this time regarding the powers in new Part 7B. Again, we are trying to understand what the urgent circumstances might be that would require examination of a third-party dataset without waiting for approval from a judicial commissioner, and therefore, as a safeguard, we would like the JC to be immediately notified that an authorisation has taken place. We have debated this to some extent under Part 7A, and I can imagine the crossover, but it would be useful to know if there are any differences between how Part 7A approval and Part 7B approval would be taken under these two circumstances.
Lord Anderson of Ipswich Portrait Lord Anderson of Ipswich (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I welcomed this Bill at Second Reading, and the warmth of my welcome has not diminished. However, I am pleased to see so many amendments down to Part 1. As the noble Lord, Lord Fox, has said, the new rules for certain bulk personal datasets do not displace or dilute the currently applicable protections under the Data Protection Act, but they are probably the most operationally significant of the changes that we are looking at, and therefore can only benefit from careful scrutiny of the kind that noble Lords have so enthusiastically invited.

I have one general comment. Despite some of the kind words that were said about my report at Second Reading, I was not asked to design this Bill from scratch, nor to comment on anything as precise as a provisional text. Rather, my task was to assess proposals that were put forward by government and that in some cases evolved during the currency of my review. Although I did run a consultation as part of my review, its value was reduced by the rather limited amount I was able to say about the Part 1 proposals and some of the others. So although I did receive a handful of very helpful responses, there will certainly be points that did not occur to me and to which others were not able to alert me. The Bill is also, of course, in some respects more detailed than my recommendations. I look forward to hearing the Minister’s response to the various amendments in this group.

I will say a quick word about each of the amendments in my own name; there are only two. My probing Amendment 3 I offer to the Government as a Christmas present, as I thought it might suit them. If for any reason they do not like it—and I suspect they may not—then that is up to them; we can hardly force it on them. The background is this: it seemed to me that the question of whether individuals have a low, or no, expectation of privacy might depend in part on the use to which the datasets will be put. If, for example, an agency were prepared to commit to using a dataset only for training a large language model and not for operational purposes, perhaps that might be one of the factors pointing towards a low/no classification. The agencies and the Government politely explained to me—if I paraphrase correctly—that this was not a very practical suggestion, so I did not push it further, save to mention the point in paragraph 3.51 of my report.

Sure enough, the anticipated use of a dataset is not one of the factors listed in new Section 226A(3), where the factors are set out. But turn over the page to new Section 226BA, which deals with category authorisations, and there you see in subsection (3) that a category authorisation may describe a category of BPDs by reference to—among other things—

“the use to which the data will be put”.

My question to the Minister is simply this: if the use to which a dataset will be put can be relevant to the formulation of a category of low/no datasets, then why is it not relevant to the assessment of an individual dataset as low/no or otherwise? The Minister’s answer may be that the list in new Section 226A(3) is not exhaustive and that there is no reason why intended use should not be one of the circumstances taken into account under subsection (2) when considering whether a BPD is low/no. In that case, can he explain why intended use is not mentioned in new Section 226A when it is mentioned in new Section 226BA?

16:00
Is there a risk—I look here at the legal Benches—that the omission from new Section 226A of a factor that is included elsewhere might imply to whoever may have to interpret this new Act that we in Parliament did not wish intended use to be considered under new Section 226A? If we had, the argument would go, surely we would have said so, as we do later. As I said, I am probing only, but I would be glad for anything the Minister could say to help make this clear.
My Amendment 15 is a very minor one. It relates to the third-party bulk dataset regime—what will become Part 7B of the 2016 Act. The effect of Clause 5 of the Bill is to introduce a degree of regulation where there was none before in circumstances where an intelligence agency has relevant access to a third-party bulk dataset. My only point is that I am not clear why that access has to be electronic, as provided for in new Section 226E(2)(c) on page 14 of the Bill. That appears to mean that, if the third-party were to print the dataset off and press it into the eager hands of the intelligence agencies, there would be no relevant access and therefore no regulatory constraints.
Perhaps the Minister will tell me that this is very old-fashioned and that, in practice, in the modern world, access to an electronic dataset will always be electronic. Indeed, the Minister is nodding. In that case, surely my point still stands. If access is always electronic, why is it necessary to specify that access must be electronic before the safeguards kick in? Surely paragraph (c) on page 14 implies that access may be non-electronic and disapplies the safeguards in those circumstances. I am still a bit puzzled. If there is a point in the last line of new Section 226E, I hope the Minister will explain what it is.
Lord West of Spithead Portrait Lord West of Spithead (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.

Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to

“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.

However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.

The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.

Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has

“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.]

as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.

The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.

I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.

Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.

Amendment 12 is consequential on the amendments that I have just talked about.

I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.

This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.

While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.

My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.

The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.

Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.

I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.

Lord Hope of Craighead Portrait Lord Hope of Craighead (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:

“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.


What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, that the Christmas present of noble Lord, Lord Anderson, is already there as already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.

16:15
To return to Amendment 1, what the noble Lord, Lord Coaker, was doing with it, as he explained, was to draw attention to a difference in the wording in Clause 2: the wording to be found in new Section 226A(3)(b) does not follow precisely what we find in Schedule 10 to the Data Protection Act. I respectfully suggest that the wording in the Bill unpacks the wording of the schedule that the noble Lord, Lord Coaker, has reproduced in his amendment. I think that unpacking it in the way that the Bill does is helpful: it identifies two situations in which one could say that the data subject has taken a step, deliberately, to make the information public. One is where the individual does so himself, and the other is where the individual consents to the data being made public.
I think that the Bill achieves greater clarity than did Schedule 10 to the Data Protection Act, and therefore I respectfully suggest that, while the noble Lord, Lord Coaker, is absolutely right to draw attention to the difference in the wording, what we see is improved wording and I would support the wording of the Bill rather than that in the amendment which he has put forward. I hope he will not mind my suggesting that, but it is very helpful that he has drawn our attention to it. To be able to congratulate the Bill on improving on wording is something worth noting.
Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I support my noble friends Lord Coaker and Lord West with regard to the Intelligence and Security Committee amendments. In 2005, when I became the chair of the Intelligence and Security Committee, nearly two decades had passed since the committee originally started life, when people did not really understand what it was all about. It had not been accepted, particularly, by agencies or by the Government, but over those 20 years, it became accepted. After I left, in 2007, even more changes to the powers and responsibilities of the committee were made, to such an extent that the ISC is now a significant and serious part of our constitutional landscape. But I fear that, over the last number of years, that has slightly declined.

I understand, for example, that the ISC has not met a Prime Minister—there have been lots of them, of course—over the last number of years, nearly a decade. Certainly, when I chaired it, we met the Prime Minister every year or so. It is an indication, I suspect, of what the Government think about it if they do not see it as so important as to meet the head of the Government now and again. I hope that is wrong, but I am sure the Minister will enlighten the House later as to what he and the Government think about the importance of the ISC. It is hugely significant; it is serious.

I shall move briefly on to the significance of the ISC with regard to the passage of the original Investigatory Powers Act, some years ago now, in 2015-16. I had the privilege of chairing the Joint Committee of both Houses on that Bill, and the ISC simultaneously was taking a huge interest in what it contained. For example, I met the then chair of the ISC, Dominic Grieve KC, and the committee itself produced a report on how it thought the original Act could be improved. I just hope that this small but important Bill—which I entirely support, by the way—mirrors what happened to the original Bill, so that the Government can indeed meet the ISC, at a ministerial level and at an official level, and have a proper dialogue as to how they see the ISC working after the Bill goes into law. I hope I can get some assurances from the Minister that that will happen.

It is an important Bill, the ISC is an important body, and they should operate together in a very special way. I wholly support the Bill, but I support the amendments from my two noble friends.

Lord Carlile of Berriew Portrait Lord Carlile of Berriew (CB)
- View Speech - Hansard - - - Excerpts

My Lords, it is a pleasure to follow the noble Lord, Lord Murphy, who has served with such distinction on the issues we are discussing this afternoon. I do not want to repeat what I said at Second Reading; I spoke in support of the Bill in general terms, and I remain in support of it. The only additional thing I would say is that we should not allow unnecessary amendment of the Bill to create a sort of legislative game of Dungeons and Dragons in which a bureaucratic labyrinth would be created which can be met in a much more practical way. On the whole, the Bill is pretty practical about a modern problem—a more modern problem than existed, say, 10 years ago—which has to be addressed in real time and sometimes with great urgency in that real time.

I want to say something that follows from what the noble Lords, Lord Murphy and Lord West, said about the ISC. I hope that we can tease a little more information out of the Minister, who has been extremely helpful to all of us who are interested in the Bill. I can see, and I would be grateful if the Minister would tell us, that there might be some practical problems relating to national security in the way in which the ISC was informed about problems arising under the provisions in the Bill when it becomes an Act. It would be helpful to the Committee if the Minister were to say from the Dispatch Box that the Government certainly do not exclude the involvement of the ISC in the consideration of the Bill. I should also be very grateful if he would say that the Home Secretary would regard it as a duty to inform the ISC on his personal responsibility if issues arose which ought, in the national interest, to be the subject of information to the ISC. Thus, the ISC might be able to report on these issues without too much bureaucracy being involved and any arguments about what is or is not disclosable in a wider way concerning national security.

Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I do not know whether I can help the noble Lord, Lord Fox, on his question of urgency. One of the things that the Security Service and the other intelligence agencies do is deal with matters of life and death, of imminent terrorist threats, of states pursuing one of their dissidents. There is many an occasion when moving at vast speed outside the hours when IPCO is available is necessary and proportionate. I am out of date, so it is hard to give lots of current examples, but many a time there is an urgent need to move fast to try to save life.

On the point from the noble Lord, Lord Murphy, about the ISC—we will come on to look at these amendments in more detail—as far as my service is concerned, we did not need to get used to the ISC in that we had been demanding its creation for a number of years, with resistance from the Prime Minister of the day until it actually came into being. And when it did, we very much welcomed it.

I have hardly had more pleasure since I have been in this House than from the amendment in the name of the noble Lord, Lord Fox, on seeking to forget stuff. Like some noble Lords, I have difficulty in remembering things—I am sorry, I should speak only for myself—but if I was legislated to forget something, it is almost certain that I would be capable of remembering it.

Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

That is exactly the case.

Lord Sharpe of Epsom Portrait The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.

I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.

Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.

In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.

The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.

Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.

Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which

“regard must be had to all the circumstances”.

The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.

The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.

The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.

On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.

All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.

16:30
The description of a category may set out the use to which the datasets will be put to assist the judicial commissioner in making their assessment. Once approved, this description is called a “category authorisation”. So, as your Lordships will see, although the nomenclature of each type of authorisation is similar, they serve quite different functions.
The noble Lord’s amendment is concerned specifically with the test in the new Section 226A. As is clear from the jurisprudence, the test to be applied when determining whether an individual has a reasonable expectation of privacy—and therefore whether a dataset could be authorised under Part 7A—is one that takes into account all circumstances. There is no one-size-fits-all test, but this language ensures that thorough consideration is given to all relevant information in support of each individual authorisation, as reflected in the wording of subsection (2) of new Section 226A.
Of course, the law does not stand still and the jurisprudence in this area will certainly change as society’s expectations change. New Section 226A is therefore intended to encapsulate the essence of the jurisprudence while remaining flexible enough to accommodate future changes. That is why the factors are a non-exhaustive list.
I assure the noble Lord, Lord Anderson, that the fact that a relevant consideration does not explicitly appear within the list of factors in subsection (3) does not mean that it cannot and should not also be considered. In fact, quite the opposite is true: subsection (2) of Section 226A makes it clear that regard must be had to all the circumstances, as noted by the noble and learned Lord, Lord Hope. That will include, so far as is relevant, the use to which the intelligence services intend the dataset to be put once it is authorised. Further detail on this is set out in the draft code of practice which was published on GOV.UK last week. I believe that it will be found in paragraphs 4.11 to 4.20.
It is not the case that the Government disagree with the noble Lord’s amendment, simply that our view is that the amendment is not necessary for the reasons I have outlined. I trust this has provided the clarity that the noble Lord sought. I ask him to not move his amendment, but I am open to discussing the Government’s position further should he not be satisfied by my explanation.
The noble Lord, Lord Fox, via Amendment 4, seeks to probe the purposes for which the datasets—with which Part 7A is concerned—will be used by the intelligence services. It is no secret to say that bulk personal datasets, or BPDs, are used by the intelligence services in multiple ways to support their statutory functions. For example, BPDs play an important role in investigations, notably as “building block” intelligence, where analysts can pull together an assessment of the possible meanings of disparate pieces of fragmentary intelligence.
It is also envisaged that Part 7A will better enable our intelligence services to use BPDs for the purpose of developing the capabilities they need to be able to continue to do their important work, such as the training of machine-learning models, as the noble Lord noted. I note that the review by the noble Lord, Lord Anderson, sets out the many important uses to which BPDs are put.
The amendment proposed would severely and unnecessarily curtail the use to which the datasets may be put and would unnecessarily impede the intelligence services in their ability to carry on their work should the regime not allow for the authorisation of datasets that support the full range of the agencies’ functions.
The noble Lord asked about editorial control and public versus private. The question of whether a dataset meets the low or no reasonable expectation of privacy test will be assessed on a case-by-case basis, having regard to all circumstances, including the factors set out in the Bill. The draft code of practice sets out further detail on this, with paragraph 4.16 stating:
“This might be relied upon if the dataset consists of a set of news articles where a level of responsible review and scrutiny has already been applied to the dataset”.
Other than that, it would be inappropriate for me to speculate as to how a particular dataset might be dealt with under the proposed regime.
The noble Lord also asked what happens if an officer examining a BPD discovers that it contains more sensitive data. Section 226D of the low/no regime contains a mechanism to ensure that any information of that type or particularly sensitivity is handled appropriately. The code of practice sets out that in the event of an analyst discovering sensitive data, the relevant intelligence service must take certain steps. First, the head of the intelligence service must ensure that anything in the process of being done in relation to that data is stopped as soon as is reasonably practicable—I will come back to that. The intelligence service must then treat that part of the low/no BPD as if the relevant authorisation has been cancelled. The relevant information must be removed from the low/no dataset and either deleted or a Part 7 warrant sought in respect of that information.
I now turn to Amendments 5 to 9 and 19, tabled by the noble Lord, Lord Fox. Proposed new Section 226 (6B) in Clause 2 of the Bill enables the head of an intelligence service to grant an individual authorisation in respect of Part 7A without prior judicial approval, in circumstances in which there is an urgent need to do so. I am sure noble Lords will understand that there are circumstances in which our intelligence services must act urgently, as the noble Baroness, Lady Manningham-Buller, has just noted. There are existing urgency provisions throughout the IPA for that reason. The circumstances in which an authorisation is considered urgent are set out in the draft 7A code of practice, which the Government published on GOV.UK last week. They include where there is a threat to life or of serious harm, or if there is an urgent intelligence or investigative opportunity. These circumstances are well understood in the operational world and there is no need to depart from the established criteria here.
Part 7B, the third-party bulk personal dataset regime, is intended to mirror the well-established urgency circumstances and the Part 7 processes, to the extent possible. To be clear, the urgency provision is not a means by which scrutiny can be avoided or safeguards weakened. As set out at proposed new Section 226B in Clause 2 of the Bill, with further detail in the draft code of practice for Part 7A, a judicial commissioner must review an authorisation within three working days and decide whether to approve the decision to grant it. Of course, it is envisaged that the circumstances in which a Part 7A authorisation is required will be rare. However, as the noble Lord, Lord Anderson, noted in his report, there are operational circumstances where urgent co-operation might be necessary, and it may not be possible to seek prior judicial authorisation in the operational window available, as the noble Lord, Lord Carlile, also observed. We discussed one such case at Second Reading, in which the MoD were co-located with the intelligence services in a hostile environment and were unable to fully collaborate due to the existing restrictions in Part 7. I hope I have set out clearly how the urgency procedures operate and that there may of course be circumstances in which they prove necessary.
Amendment 8 seeks to probe the meaning of the expression
“so far as is reasonably practicable”
in Clause 2, under proposed new Section 226D(2). This form of words is not novel. It is a well-known expression that appears elsewhere on the statute book, including at several places in the 2016 Act. These are important words because without them, the head of the intelligence service would be legally obliged to put a stop to anything that is being done both immediately and without any regard to the consequences of doing so.
Given the nature of the work that our intelligence services do to keep our country safe, I am sure noble Lords will appreciate that there are circumstances in which immediately stopping something that is already in train may not be possible, and if it is possible, it may not be safe to do so. The heads of our intelligence services are accountable for the actions of their respective organisations, as I explained earlier. They are best placed to make decisions of this kind, and it is important that they be able to do so. However, that does not give them carte blanche to do as they please. As I also explained, the Investigatory Powers Commissioner will be obliged to keep Part 7A under review, including compliance with proposed new Section 226D.
Turning to Amendment 9, I am sure noble Lords were as surprised as I was to hear that the noble Lord thinks that the intelligence services ought to “forget” intelligence they have gathered, creating a clear risk that could jeopardise national security and be contrary to their statutory functions, as well as Article 2 of the Human Rights Act, on the right to life.
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

Thank you; point taken.

Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.

In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.

I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.

I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.

The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.

The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.

Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.

The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.

Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.

16:45
It is important to remember that the Government are delivering these reforms to ensure that the services have the operational agility they need to effectively carry out their statutory functions. The safeguards in new Part 7A are calibrated to reflect the level of intrusion associated with the dataset to which new Section 226A applies. The intelligence services do not presently notify IPCO when they add a new dataset to a class warrant under the existing Part 7 regime. The Investigatory Powers Commissioner’s Office reviews these additions on inspection as part of routine oversight, so there is no need for a more onerous dataset-by-dataset approach here. It would therefore not be appropriate to place greater restrictions where the data in question under the new Part 7A would have a lower expectation of privacy.
Amendment 16, proposed by the noble Lord, Lord Coaker, seeks to insert an annual reporting requirement into the Part 7B regime. Noble Lords will be aware from reading Clause 5 that, as with the rest of the existing Act and the Bill, the Part 7B regime will be subject to stringent and robust oversight by the Investigatory Powers Commissioner. For new Part 7B, this includes the application of the judicial double lock for warrants under this part. The Part 7B regime will also be included within the Investigatory Powers Commissioner’s annual report, which will provide further transparency and accountability. To add an extra requirement in the Part 7B regime for a similar report to be produced by the intelligence services for the Investigatory Powers Commissioner and the ISC would be unnecessary and duplicative. For these reasons, the proposed amendments do not provide additional meaningful oversight, and therefore I invite the noble Lord not to move them.
Amendments 14, 15, 17 and 18 all relate to third-party BPDs. The Government cannot agree with Amendment 15, tabled by the noble Lord, Lord Anderson of Ipswich, on the basis that it would damage the overall efficacy of the third-party BPD regime and impair the operational agility of the intelligence services. The Bill introduces safeguards regarding the intelligence services’ examination of third-party BPDs on the system of third parties. These safeguards are designed to mirror, to the extent possible, the existing IPA Part 7 regime. Under the existing Part 7 regime, a BPD exists only if it is available electronically for analysis, and it is the general rule that any examination of a BPD would also happen electronically. It does not follow that in this day and age an intelligence service would seek to examine a BPD in hard copy. Such an approach would be astonishingly inefficient given the sheer scale of the data available. It could also increase the intrusion on privacy and would prohibit the intelligence service from overlaying the results against other electronically retained datasets, which in turn would risk intelligence failure and general operational inertia. This is also true of third-party BPDs, as the access and examination of a third-party BPD will always take place electronically, and this concept needs to be clearly reflected in the third-party BPD regime to ensure clarity and consistency around when the third-party BPD regime is engaged and when it is not.
On Amendment 14, tabled by the noble Lord, Lord Fox, as noble Lords are aware, the proposed regime is designed to ensure that the intelligence services’ access and examination of third-party BPDs are clearly defined and underpinned by the appropriate level of safeguards and oversight. The inclusion of “not generally available” within the proposed regime sets clear guard-rails for the intelligence services to follow in respect of what does and does not constitute a third-party BPD. For example, if a third party sold or provided access to a dataset to the general public but offered a smaller customer base, such as Governments or law enforcement agencies, the ability to query or access extra data fields, this additional activity would clearly fall within the scope of the third-party BPD regime, as the access is not generally available. Removing this clear test from the proposed regime would seriously inhibit and impede the conduct and operational agility of the intelligence services, as it would bring into scope a much broader range of datasets that would be available to the general public, even going as far as requiring a warrant to undertake activity such as browsing the internet.
I thank the noble Lord, Lord Coaker, for tabling Amendment 17 and am happy to explain why the Government cannot support it. Section 263 of the IPA contains the definition of serious crime that is relied on by the majority of the powers contained in the Act, such as the interception and equipment interference provisions. It is this same definition of serious crime that is relied on in the Part 7B regime. It has been explicitly clear since the IPA came into operation that the definition of serious crime contained in Section 263 applied to the relevant provisions of the Act unless otherwise stated. It would therefore be inconsistent to explicitly reference the Section 263 definition in the Part 7B regime, when the rest of the IPA relies merely on the general definition of Section 263. This would create confusion and inconsistent interpretations around which serious crime definition is being applied.
On Amendment 18, tabled by the noble Lord, Lord Fox, the current definition of “sensitive personal data” contained in Clause 5 draws on the definition of sensitive personal data contained in the existing Part 7 BPDs regime, which in turn relies on provisions in the Data Protection Act 2018. It is therefore illogical to introduce a different definition in one section of the proposed third-party BPD regime in respect of sensitive personal data and to diverge from the Data Protection Act in this way. I also point out that the relevant provisions in the Data Protection Act already refer to genetic data where it is processed for the purposes of identifying an individual. Therefore, it is not necessary to reference it explicitly in Clause 5.
Finally on the subject of the age of children, my understanding is that this relates to the difference in the age of criminal responsibility in the relevant legislature for each devolved area, but I will confirm and write to the noble Lord if that is not correct.
I hope that my rather lengthy explanations—for which I apologise—have provided reassurance to noble Lords. There may be further conversations to be had on certain areas, but I hope that I have given a clear rationale to noble Lords for the Government’s position and that they will not seek to press their amendments.
Lord Coaker Portrait Lord Coaker (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, that was an extremely helpful response from the Minister and shows the importance of tabling probing amendment sometimes: to get things read into Hansard that can be referred to.

With respect to the point around children, I would be grateful for the letter to be made available to other Members of the Committee. Again, that was a helpful point and helpful clarification, should it be needed. I also very much agree with him—to show my point about the importance of things being read into Hansard—about my Amendment 17, but it was helpful for the Minister to read into the record the definition of serious crime to be used throughout the Bill, so that there is no ambiguity with respect to that.

I totally agree with what the noble and learned Lord, Lord Hope, said about my Amendment 1. I think the wording in the Bill is better than that contained in Schedule 10 to the Data Protection Act 2018, but I wanted that to be read into the record so that we had it there. I agree with his criticism of my Amendment 1, but the reason I tabled it was exactly to get the point that he made in criticising my amendment, which the Minister reinforced—if the noble and learned Lord understands my logic.

The points made by the noble Lord, Lord Anderson, with respect to Amendment 3 raise an issue. The Minister’s response to that was, “Well, it’s a non-exhaustive list so it’s not necessary, but I’m happy to talk to the noble Lord about it”. One wonders where that will get to. It will be interesting for the Committee to see the outcome of that. I thought that Amendment 3, of all the various amendments, was particularly useful and again drew out whether the factors listed in Clause 2 are the right ones, or whether they need adding to. It was important that the Minister clarified that it is not an exhaustive list.

There is one area that I think may need to be looked at further, as mentioned by my noble friends Lord Murphy and Lord West, and the noble Lord, Lord Carlile, if I understood his remarks properly. We need to clarify the role of the Intelligence and Security Committee. I note the Minister’s reassurances, but what is its role? The clear point of difference between what I would say and what my noble friends Lord Murphy and Lord West and others would say is that we are talking here about parliamentary oversight. The Government have an annual report which goes to the Secretary of State. That is political oversight of a sort but it is not parliamentary oversight. The whole point of the ISC being set up was to give parliamentary oversight to all these sorts of matters. We have a Bill before us called the Investigatory Powers (Amendment) Bill, which deals with all sorts of issues of national security and the powers that the intelligence agencies and others should have on our behalf. It is only right and proper that the Intelligence and Security Committee should have a role that is properly defined within the legislation before us. That is one aspect that I need to reflect on and discuss with other Members of your Lordships’ House and with my noble friend Lord West, as our member of that committee.

That is the one area where, to be honest, I was not satisfied with what the Minister had to say. Notwithstanding Amendment 3, and all the other points made to the noble Lord, Lord Fox, and many others, the definitions the Minister has helped clarify and the various ways he has sought to ensure that people understand the Government’s intent have been extremely helpful to the Committee. With that, I seek leave to withdraw the amendment.

Amendment 1 withdrawn.
Amendments 2 to 13 not moved.
Clause 2 agreed.
Clauses 3 and 4 agreed.
Clause 5: Third party bulk personal datasets
Amendments 14 to 19 not moved.
Clause 5 agreed.
Clauses 6 to 10 agreed.
Clause 11: Offence of unlawfully obtaining communications data
Amendment 20
Moved by
20: Clause 11, page 30, leave out lines 38 and 39
Member's explanatory statement
This amendment is intended to probe the legal basis for surveillance of the type of data described in new subsection (3A)(e).
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

My Lords, Amendment 20 is intended to probe the legal basis for surveillance of the type of data described in new Section 11(3A)(e). This amendment would prevent public authorities—councils, police forces, intelligence agencies, government departments including the DWP and HMRC, the Gambling Commission, the Food Standards Agency, and many more—having “lawful authority” to obtain and use communications data from a telecommunications or postal operator solely because the information is available to the public or a section of the public even if only on a commercial basis.

Communications data is defined in the IPA as data that may be used to identify, or assist in identifying, the sender, recipient, time, duration, type, method, pattern, or fact of a communication, along with the system used to make a communication, its location and the IP address or other identifier of any apparatus used. The broad list of public authorities able to obtain communications data is set out in Schedule 4 to the IPA.

Clause 11 of the Bill before us now amends the Section 11 IPA offence of unlawfully obtaining communications data from a telecommunications or postal operator. Whereas the IPA currently defines an offender as,

“A relevant person who, without lawful authority, knowingly or recklessly obtains communications data from a telecommunications operator”,


this Bill would add a list of examples to the Act of what constitutes lawful authority.

17:00
We are, for example, concerned about one such example, in new subsection (3A)(e), which states that
“where the communications data had been published before the relevant person obtained it … ‘publish’ means make available to the public or a section of the public (whether or not on a commercial basis)”.
I hope that makes the point.
It is not the case in law that data that is available to the public or a section of the public is, as a result, information that can be subject to surveillance, absent a lawful authority. The public or semi-public nature of the information does not provide a lawful authority for intrusive surveillance in and of itself. Accordingly, it is well-accepted that a legal basis is required for various types of “public” surveillance.
This thesis is directly contradicted by the addition of paragraph (e) of new subsection (3A), which states that
“cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator”
include situations,
“where the communications data had been published before the relevant person obtained it”.
We are uneasy about the change proposed in the Bill to assert that there is a lawful authority to obtain communications data from operators simply on account of the data being publicly or semi-publicly available. This amendment probes that issue to get the Minister to explain to your Lordships where we are on that.
Your Lordships will be pleased to know that there are not quite as many of my amendments in this group, but there are two more to which I shall speak. Amendments 23 and 25 would restrict the changes relating to internet connection records in Clause 14 to use by the intelligence services only. I should say that these amendments are inspired by the report by the noble Lord, Lord Anderson.
Internet connection records, or ICRs, are essentially web logs that
“contain rich data about access to internet services”
and
“can reveal appreciably more about”
individuals “than their telephony records”. Can the Minister confirm, for example, that no other European or Five Eyes country has surveillance laws that allow for the compulsory generation and retention of ICRs or web logs?
That stated, this amendment is not seeking to make that no longer the case, because currently ICRs can be obtained under Section 62 of the IPA, where the time and use of a service is known or the person’s identity is known. Clause 14 would amend Section 62 of the IPA to add a further purpose for which ICRs can be used for target discovery—that is, generalised surveillance. I think it would be helpful for the Minister to put on record why this change is being made and to perhaps explain how in fact it will “improve target detection” and
“assist in detecting new subjects of interest”.
This is an important change and it is important that the reasons around it are fully articulated from the Dispatch Box.
The Explanatory Notes acknowledge the risks of such open-ended powers:
“It is recognised that such queries are highly susceptible to imprecise construction”.
The notes also acknowledge the complexity of utilising such broad query powers in practice and the requirement of
“subject matter expertise to formulate appropriate queries to derive the correct subset results”.
So the safeguards as they stand are few and essentially rely on the new condition being limited to national security and serious crime.
In his review of the operation of the IPA, the noble Lord, Lord Anderson, recommended that, if ICRs are expanded in the way currently proposed in this Bill, the new conditions should be restricted to the intelligence agencies, at least at first. However, the Bill goes further and provides these new powers to the NCA. We would like the Minister to explain why that decision was taken and why is it proportionate and necessary for the NCA to have these powers. The wider the use of these powers is spread, the more likely it is that the essential expertise that is required will not be available. I believe that was one of the motivations behind the contraction of that use. I beg to move.
Lord West of Spithead Portrait Lord West of Spithead (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I stand to address the clause stand part notice for Clause 13 and also Amendments 21, 22, 24 and 26. The aim of looking at the clause relates to the communication data disclosure powers. The current IPA wisely restricted the number of public authorities that are able to compel the disclosure of communications data from telecommunications operators, given the potentially intrusive nature of this power. Consequently, authorities such as the Environment Agency or Health and Safety Executive are currently required to take further procedural steps in order to compel disclosure of communications data. They must obtain either an authorisation under the current IPA, a court order or other judicial authorisation, or regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as secondary data as part of a valid interception or equipment interference warrant.

However, the Bill before us seeks to remove these restrictions for a wide range of public regulatory authorities and restore their ability to compel the disclosure of communications data from telecommunications operators in service of their statutory regulatory or supervisory functions. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data, and that a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions, in a way that was not anticipated at the time of the original legislation.

It is argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function, which would collect communications data as part of their lawful functions but would be restricted under the current Act if their collection was not in service of a criminal investigation. In particular, the change is focused on improving the position of certain public authorities responsible for tax and financial regulation, whose powers were removed in 2018 as a result of the rulings of the European Court of Justice.

Clearly, such bodies must be able to perform their statutory functions effectively, but we have been told that this Bill delivers only “urgent, targeted changes needed”. That is not the case here. These sections represent a sweeping restoration of powers across a wide number of public bodies, most of which have no national security or serious crime function.

The original Act was very particular about the purposes for which communications data could be gathered under the legislation and by which bodies. It ensured that this power was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. Clause 13 and its related schedule fly in the face of this very deliberate policy in the original Act, and overturn Parliament’s careful deliberation of the point.

Will the Minister confirm which bodies will have their powers restored under this legislation? Which of those bodies have reported a significant reduction in their ability to perform statutory functions as a result of the IPA? Have some bodies been more effective than others? Might it be possible and appropriate to significantly pare back this list of organisations?

At present, the case has not been made. We need to be satisfied that these powers are given to those bodies which cannot adequately function without them. It cannot be the case that some are simply given these powers back by default. I am prepared not to take this amendment to a vote if the Minister can assure the House the Government will bring forward their own amendment, which restores these powers in a more limited and targeted way.

The next stand part notice is consequential on that one being taken.

I move on to Amendments 21, 22, 24 and 26. These seek to remove the ability of the agencies to internally authorise the use of a new broader power to obtain internet connection records for target discovery. The agencies would instead be required to seek approval from IPCO, thereby creating an element of independent judicial oversight.

As I noted previously, Clause 14 creates a new broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position, removing the current demand that the exact service used and the precise time of use be known. Instead, the agencies will be able to obtain ICRs to identify which persons or apparatus are using one or more specified internet services in a specified period—a far broader formulation.

After consideration of the relevant classified evidence, the ISC agrees with the intent. However, the newly expanded power is potentially very intrusive. It allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time and could, therefore, potentially intrude on a large number of innocent people. Parliament must therefore ensure that there are appropriate safeguards in place.

The ISC acknowledges that there are safeguards in place relating to the obtaining of ICRs. However, in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded power internally. They make the assessment as to whether it is necessary and whether it is proportionate. There is no independent oversight of the agencies’ assessment.

The Government may argue that the ability of the agencies to authorise use of this power internally replicates the existing provisions when authorising the obtaining of ICRs for target discovery or target development. They will also no doubt refer to how the noble Lord, Lord Anderson, said in his report that “arguably” the potential intrusiveness of this newly expanded target detection power is no greater than the existing provisions for obtaining ICRs.

In the ISC’s view, the new provision—which is considerably broader than the existing target discovery power, removing the need to know the exact service used and the precise time of use—is significantly more intrusive than existing provisions. Consequently, greater oversight is required to ensure that the power is always used appropriately. This is not because we expect the agencies to act in bad faith but because independent oversight is essential, acting as a counterbalance to the intelligence community’s intrusive powers and providing vital assurance to Parliament and the public.

This amendment and the two linked Amendments 24 and 26 therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO in order to authorise the obtaining of ICRs under this new broader power.

Incorporating this independent judicial oversight would ensure that use of this power is always necessary and proportionate and strikes the right balance between security and privacy. It also aims to minimise any burden on the agencies. It does not, for example, incorporate the “double lock” mechanism, which is used for the most intrusive powers under the Investigatory Powers Act.

We recognise that the Government may wish to bring forward their own amendment to include provision for urgent cases; therefore, I do not propose to move this amendment to a vote at this stage. It should, however, indicate to the Government the ISC’s firm view that independent judicial oversight in this area is essential.

I will say a little more about Amendment 22. This amendment seeks to limit the purposes for which the new, broader target discovery power, which has been introduced under Clause 14, could be used. Clause 14 creates a new, broader power for the agencies, and the NCA, to obtain internet connection records for the purposes of target discovery. Target discovery is a great deal more intrusive than target development, potentially intruding on the privacy of a great number of innocent individuals. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, and that it is tightly drawn and properly overseen.

Currently, in order to obtain ICRs for target discovery, the agencies must unequivocally know the precise service used and the precise time of use by the unidentified individual. It is, therefore, very tightly drawn. The new target discovery power removes these requirements, allowing the agencies to obtain ICRs to identify which persons or apparatuses are using one or more specified internet services in a specified period. Noble Lords will recognise how potentially broad this is by comparison.

17:15
The ISC agrees with the noble Lord, Lord Anderson, who, in his excellent report reviewing the Government’s proposals for this Bill, agreed with the principle behind this change. The ISC has considered the classified evidence and recognises that, due to technological changes, the current power is less useful than envisaged due to the absolute precision it requires. We recognise that the agencies should be able to use ICRs and that this new target discovery power would help them and law enforcement in detecting and disrupting internet-enabled criminal activity.
However, as the noble Lord also recognised, Parliament deliberately imposed a high bar for authorising obtaining internet connection records given their potential intrusiveness. The noble Lord, Lord Anderson, also recommended that the purposes for which this new, broader target discovery power could be used should be limited to national security and serious crime, as well as limiting the use of such a power to the intelligence community. The Bill departs from the noble Lord’s recommendations in both respects. Not only does it include the National Crime Agency as well as the intelligence community but it allows the intelligence community to use the new, broader target discovery power for a third, far less defined purpose of
“the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security”.
The ISC recognises that the inclusion of economic well-being in this clause is linked to the statutory functions of the agencies. MI5, for example, is required under the Security Service Act 1989
“to safeguard the economic well-being of the United Kingdom against threats”.
Equally, one of the purposes for which SIS and GCHQ can exercise their functions under the Intelligence Services Act 1994 is
“in the interests of the economic well-being of the United Kingdom”.
That does not mean, however, that those statutory functions should be transposed automatically. This new, broad power is potentially very intrusive, revealing communications data about how a large group of potentially innocent individuals are accessing the internet. It does not therefore follow that Parliament should permit it to be used for all agency work.
Given the potential intrusiveness of the new power, it must be constrained appropriately. Therefore, in addition to requiring independent judicial oversight, which is the subject of a separate amendment, this amendment would prevent the agencies using the newly expanded power for the purposes of economic well-being. This would restrict use of the power to national security and, in urgent cases, serious crime, thereby preventing the broadly defined and vague concept of “economic well-being” being used as a catch-all justification for its exercise. This seems a more proportionate response and more in line with the recommendations of the noble Lord, Lord Anderson. Perhaps the Minister could explain to the Committee why this purpose is needed—surely national security is what we should be primarily talking about—and indicate whether he will now reconsider this clause.
Lord Anderson of Ipswich Portrait Lord Anderson of Ipswich (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be

“open to Parliament to require further safeguards”

and suggested that those safeguards include

“making the extra condition available only to UKIC”—

in other words, the intelligence services—

“at least in the first instance”.

I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that

“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.

That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.

Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.

I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.

However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments, 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.

Lord Ponsonby of Shulbrede Portrait Lord Ponsonby of Shulbrede (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.

Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?

I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.

Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.

The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.

The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.

I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.

As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.

The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.

The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.

The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.

17:30
In answer to the noble Lord, Lord West, it is not possible to say with certainty how many public authorities have some form of regulatory responsibilities for which they may require data that would now meet the definition of “communications data”, but the intention of the amendment is to ensure that departments such as HMRC, which have to meet international obligations, and public authorities such as the FCA, as I have talked about, are able to carry out their core functions. Other bodies include Trading Standards, environmental agencies and the Insolvency Service, which would need to be able to rely on their statutory powers to execute their functions where they are required to provide oversight or administration over their respective areas of interest. I hope that this explanation has provided reassurance and that noble Lords will agree that Clause 13 and the Schedule should stand part of the Bill.
I turn to the amendments concerning internet connection records. Before I speak to the amendments themselves, I note that this group is designed to fill an increasing intelligence gap which results from communications moving from traditional telephony to internet communications such as instant messaging. Amendments 23 and 25, tabled by the noble Lord, Lord Fox, concern the question of access to the new condition D. They would limit access to only the intelligence services, thus prohibiting the National Crime Agency from utilising this condition. As noble Lords will be aware, the NCA leads the UK’s fight to cut serious and organised crime, pursuing the most dangerous offenders and developing as well as delivering specialist capabilities on behalf of law enforcement.
The NCA is the national lead in many of the areas where the new capability provided for by this measure will have the greatest impact. This includes child sexual exploitation and abuse, as noted by the noble Lord, Lord Anderson, cybercrime, fraud, money laundering and illicit finance. While the intelligence agencies have a serious crime function and carry out vital work in this area, the NCA is an indispensable part of the work against serious crime in the United Kingdom. As an example of the extent of the task the NCA faces in respect of child sexual abuse and exploitation, the agency estimates that as many as 830,000 people in the UK could pose a sexual threat to children, either through online or in-person abuse. Data from the Internet Watch Foundation shows that the prevalence of the most severe forms of online child sexual abuse has more than doubled since 2020, and an estimated 27 million images have been identified through UK law enforcement investigations of child sexual abuse. It is clear that this is a horrendous crime-type, happening at an unimaginable scale, so it is essential that we do everything in our power to address it.
The NCA has clearly shown that it has the necessary subject matter and technical expertise in respect of ICRs. It is the Government’s view that we should support it in its vital work. Access to condition D will significantly enhance its ability to identify serious criminals and protect victims from abhorrent crimes committed online by ensuring that, where there is an appropriate necessity and proportionality case, it is able to require the relevant data to identify offenders. Furthermore, in all but urgent circumstances, the NCA’s use of condition D will be subject to prior independent authorisation by the Office for Communications Data Authorisations, providing further assurance on the limitations in place for the acquisition of ICRs.
Turning to Amendments 21 and 22, tabled by the noble Lord, Lord West of Spithead, on the inclusion of economic well-being in the provisions, I start by emphasising that the statutory purpose concerning the economic well-being of the UK is permitted only in so far as those interests are also relevant to the interests of national security, as is the case with the rest of the IPA. Furthermore, the use of intelligence to protect nations from economic threats that are of sufficient scale to affect, or potentially affect, national security is not new. The intelligence produced under the economic well-being provision is highly valued across government and contributes to the formation of financial and energy policy. Including economic well-being, so far as is relevant to national security, provides greater transparency, including to the public, over how the Government use investigatory powers. It also aids consideration of the necessity and proportionality case for activities.
There is also an issue of consistency here. The Intelligence Services Act and the Security Service Act specify economic well-being as a basis for intelligence operations. Article 8 of the European Convention on Human Rights also states that economic well-being is a legitimate basis for interference in individual privacy. It is already the case that data can be acquired under a communications data authorisation for the purpose of economic well-being, including the existing conditions for ICRs. The Government do not see a reason to remove it as a purpose for this provision, as we would not wish unduly to inhibit the intelligence agencies in carrying out their statutory functions.
Finally, I turn to Amendments 24 and 26, also tabled by the noble Lord, Lord West of Spithead, regarding the internal authorisation of condition D by the intelligence agencies and, where urgent, by the NCA. The proposed authorisation routes in Clause 14 for condition D mirror the existing approach to internal authorisation for communications data in the IPA. As we do not assess that the new condition creates a significantly higher level of intrusion, it is appropriate that the consistency is maintained. The process of having designated senior officers’ approval is well-established, with robust oversight from the Investigatory Powers Commissioner’s Office. DSOs must be of a certain grade or ranking, and for the intelligence agencies they must be independent of both the operation and the line management chain of the applicant. The intelligence agencies can internally authorise communications data requests where the request is not solely in relation to serious crime. Section 229(1)(b) of the IPA sets out that:
“The Investigatory Powers Commissioner must keep under review (including by way of audit, inspection and investigation) … the acquisition or retention of communications data”
by public authorities under the Act.
For both the NCA and the intelligence agencies, internal approval is permitted for urgent applications where it is reasonably assessed that to follow the independent authorisation route would cause such delay as to place lives in danger. Further details are set out in Chapter 5 of the Communications Data Code of Practice on what will amount to “urgent”. Even in such circumstances, it is expected that the authorising officer be independent of the investigation, as set out at paragraph 5.17 of this code. In all other cases for serious crime, the requests are considered by the independent Office for Communication Data Authorisations, under the oversight of the IPC.
It is also worth noting that, in its 2021 inspection reports of GCHQ and MI5, IPCO concluded at paragraphs 10.27 and 8.26 respectively that processes used by these organisations to acquire communications data
“were working to a high standard, with applicants’ justifications satisfactorily completed and supported by strong internal governance procedures.”
I believe that I have set out clearly the Government’s position in respect of these important areas. Again, I thank noble Lords for prompting this debate, but I respectfully ask that they do not press their amendments, for the reasons I have set out.
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

My Lords, this has been a really worthwhile part of our debate, and I thank those who have tabled amendments and the Minister for his response. I was particularly interested to hear both the substance of and response to the amendments of the noble Lord, Lord West of Spithead. I think it best that we spend some time reviewing this in Hansard in deciding what, if anything, needs to come back. With that said, I beg leave to withdraw Amendment 20.

Amendment 20 withdrawn.
Clause 11 agreed.
Clauses 12 and 13 agreed.
Schedule agreed.
Clause 14: Internet connection records
Amendments 21 to 26 not moved.
Clause 14 agreed.
Clause 15 agreed.
Clause 16: Extra-territorial enforcement of retention notices etc
Debate on whether Clause 16 should stand part of the Bill.
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

My Lords, in opposing that Clause 16 stand part of the Bill, I shall also speak to the clause stand part notices on Clauses 17 and 20.

This is one part of the Bill that has attracted a huge amount of external interest and deserves some positioning to understand why external parties might be suspicious of what they see. We should recognise that one of the most important security features available to protect personal information, both on a device and in the cloud, is end-to-end encryption. That encryption technology ensures that only users, and not the companies which provide the cloud services, can access their personal data and communications. Computer scientists and cryptographers have argued for many years that there is no safe way to decrypt one person’s messages without compromising the whole system’s security infrastructure. As soon as a backdoor, as it is called, is created to scan private messages, a security vulnerability is created that can be exploited by bad actors as well as good actors. I assume that that was why the Online Safety Bill left things hanging, waiting for a technological breakthrough, though I was not party to the processes of that Bill.

I remind your Lordships that once the company has created a backdoor key for encrypted systems, even for a single user in a single case, and certainly for any mass scanning, it has created a vulnerability that can eventually be abused by bad actors as well as law enforcement. I also remind your Lordships that the Home Office already can and presumably, on occasion, does require companies to weaken their security apparatus in the interests of law enforcement and national security.

To a great extent, the proximity of this Bill to the debate in the Online Safety Bill, has not helped matters: sensitivities were raised during that debate, and this is a chance for the Minister to try to calm them. As I mentioned earlier, the impending arrival of the Data Protection and Digital Information Bill is also putting people’s nerves on edge. There is a deal of management required here.

End-to-end encrypted messaging service providers were vociferous in their concerns during the passage of the Online Safety Bill, yet Section 121 of the Online Safety Act remains. However, Ministers clarified that Ofcom could only require scanning once it becomes technically feasible to do so—that is, when the technology is invented and allows scanning without violating encryption. But Ofcom retains the power to order service providers to use their “best endeavours” to develop that technology.

It is not surprising that some of those same encrypted message service providers were raising flags when it came to some of the clauses in the Bill. The IPA, as it stands, already enables the Home Office to instruct service providers to remove electronic protection for communications of interest to the police or security services by issuing them with a technical capability notice—a TCN. This effectively empowers the Home Secretary to require the removal of end-to-end encryption on those services across any number of suspects and criminal offences. Currently, for the Home Secretary to issue a TCN to a service provider under the IPA, they have to satisfy a number of considerations, which your Lordships will be pleased to hear I am not going to list. Even if the answers to all those conditions is positive and leads to a TCN, a process of checks and balances sits alongside the request, including informal and formal consultation between the Home Office and a service provider before the TCN is issued, oversight by the independent judicial commissioner assessing the request’s proportionality and, of course, recourse for the service provider to request a review of the TCN, allowing it and the Home Secretary to make representations to the judicial commissioner and the technical advisory board for assessment. Crucially, the service provider is not required to start acting on the notice until the review process is concluded.

17:45
The Home Office consulted this year on watering down some of these safeguards. Most notably, the changes now in the Bill would prevent changes being made to a service subject to a TCN immediately, even if the provider seeks to review it and requires some providers to inform the Home Office of any planned changes to their products’ safety features that might have a negative impact on advisory powers
“in good time … before relevant changes are implemented”.
The Bill will expand the notification requirement to a wider range of unspecified operators, who will be notified by the Secretary of State. Currently, the Secretary of State must navigate important oversight mechanisms before blocking a new product or service. The Bill proposes new authority to block, in secret, the release of a product or service, even before a notice can be reviewed by independent oversight bodies. We should be concerned about how the proposed changes could affect legal users of encrypted message services. In a wider sense, some critics of the encryption provisions argue that the very fact of a provision in the UK law that permits the Government to force decryption is crossing a line that will signal to authoritarian regimes that they should or could follow suit. Perhaps the Minister can comment on that.
Added to this, the IPA already seeks to apply extraterritorially, allowing the Home Office to impose secret requirements on providers located in other jurisdictions, and that apply to their users globally—in other words, foreign operators and their global users. The additional powers proposed here will exacerbate that, giving expanded authority for the Home Office to regulate foreign companies and the ability to pre-screen and block innovative security technologies. As Apple remarked in its consultation submission:
“Under this proposal, it’s possible that a non-UK company could be forced to undermine the security of all its users, simply because it has a UK user base”.
In effect, the UK seeks authority that no other country has—to prohibit a company from releasing a security feature unless the UK receives advance notice. This new notice regime would create serious conflicts with foreign law. For example, Article 32 of the European Union’s general data protection regulation—the famous GDPR—imposes a positive obligation on companies to implement technical and organisational measures to protect the privacy of their users’ personal data.
In addition, a notice requiring US companies to maintain the ability to decrypt data for any of its users worldwide would violate the US CLOUD Act and the implementation of the US-UK data access agreement. The CLOUD Act forbids the use of data access agreements to mandate the decryption of user data. The result, inevitably, is that a company must choose whether to subject itself to the preferences of the Home Office or deprive users around the world of critical safety features. While the benefits of pre-clearance to the Home Office are obvious, the danger to human rights activists, journalists and at-risk populations around the globe are also clear.
The sector fears that the Home Office could use the open-ended pre-clearance requirement in combination with the proposed expansion of the extraterritorial scope, and the proposed requirement to maintain the status quo during the review process to thwart the development of end-to-end encryption technology. This affects more than simply commercial interests. This modified process would stifle attempts to innovate encryption technology and would prevent companies responding quickly to growing data security threats—I would emphasise more the latter than the former. It empowers the Secretary of State effectively to issue an unreviewable extrajudicial injunction to prohibit the release of a new technology, and it would force companies to withhold end-to-end encryption features or other new technologies from users, even in the light of evolving threats to their users’ data services. I would welcome the Minister’s response to that. I hope he will be able to calm the nerves about this part of the Bill, which are very clear and prevalent.
If there are fears and those fears have some grounding, I recommend we turn to the measures in Amendments 27 to 32, which, taken together, propose ways of ameliorating the issues that I just set out. Amendments 27 and 28 would introduce procedural safeguards to the process of referring a notice back to the Secretary of State. They would impose a limit on the length of time that the Secretary of State may take to review a national security notice or a technical capability notice. In other words, they would not stop that happening but they would limit the open-endedness of it. They would also import a serious adverse effect threshold for the imposition of a stay on changes to a telecommunications service, pending the outcome of a review by the Secretary of State.
Amendment 29 seeks to confirm whether the changes to the telecommunications operator definition is intended to include non-UK entities that do not have a connection with the person providing the services in the UK, and non-UK entities in relation to non-UK persons. In other words, it probes the extraterritoriality, which is causing some concern.
Amendments 30 to 32 would ensure that the Secretary of State can impose a technical capability notice on a telecommunications operator in respect of the actions of another telecommunications operator only if it is reasonably practicable for the telecommunications operator receiving the notice to control the actions of the other telecommunications operator. I hope that makes sense. Essentially, it would put an obligation on another telecommunications officer only if they can actually effect that on the third party. Requiring operators to comply with a notice—effectively halting product updates—before the full appeals process is completed, as under Clause 17, would remove an important procedural safeguard that cannot be easily reversed. At a minimum, the Bill should be amended to include a statutory time limit, as I set out, for appeal, to avoid requiring compliance with a notice during, as currently drafted, an indefinite appeals process. In addition, the Bill should articulate a threshold, clearly defining when an operator would have to comply with a notice during the course of review. That is what our amendments to Clause 17 are designed to do.
On our amendments to Clause 18, the Bill extends the extraterritorial reach of the IPA regime and seems to make one company liable for the actions of another, as I just described. The Bill’s disproportionate breadth and vagueness, which I hope the Minister can narrow from the Dispatch Box, would create a significant amount of legal ambiguity. It is certainly important for the Minister to explain how these measures relate to the recently signed US-UK data access agreement—an important part of the relationship between the United Kingdom and the US, where the vast majority of the companies that we are talking about reside. Some important detail probably needs to be set out in writing as to how this Bill and that agreement interrelate. The obligations imposed by these changes should and could be clearer in the Bill. This text should make it clear that, to be within the scope of the proposed liability, a company must be directly offering services to customers in the UK. That is what we hope our amendments to Clause 18 will fill out.
Finally, Amendment 34 is a further attempt to place some safeguards into Part 4. Our final amendment to this part would ensure that the decision by the Secretary of State to give notice requiring operators to notify them of system changes is approved by a judicial commissioner. As we know, judicial commissioners play a crucial role in providing the independent oversight of the decisions around notices and other authorisations in this Bill. The 2016 Act essentially ushered in that role. There does not appear to be any good reason why the same safeguards should not apply for notices issued under Clause 20. We have also suggested that such notices be time limited but can be renewed following approval, again from the judicial commissioner. This is an attempt to ensure that there are appropriate safeguards around the Secretary of State’s powers in this regard.
Lord Ponsonby of Shulbrede Portrait Lord Ponsonby of Shulbrede (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.

In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.

I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.

The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.

Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.

18:00
Notices issued to overseas operators are subject to the same stringent standards within the IPA, including robust and independent oversight. Notices must be both necessary and proportionate, and subject to the “double lock”. If the operator is dissatisfied with the terms of the notice, they have a statutory right to refer the notice, or part of it, to the Secretary of State for review.
The consultation process by the Secretary of State before a notice is given is designed to ensure the notice is a collaborative process and that the operator’s concerns are addressed before the point of enforcement is ever reached. Enforcement is seen as a measure of last resort. I hope this reassures the noble Lord of the necessity of Clause 16, and that he will support its inclusion in the Bill.
Clause 17 is vital in ensuring that lawful access is maintained while a notice is being comprehensively reviewed. The review process is an important safeguard, and the right of appeal will remain available to companies. Public safety outcomes, however, must not be pre-empted in the boardrooms of big tech companies. That is not what Parliament intended and companies must respect that process.
Clause 17 ensures operators do not make changes during the review period that will negatively impact existing lawful access. It is important to note that operators will not be required to make changes to specifically comply with the notice, but they will be required to maintain the status quo. This means law enforcement and intelligence agencies do not lose access to operationally relevant data during the review period that they would have been able to access previously. It is critical to our intelligence agencies that this clause remains.
To be clear, companies can make changes to their services during a review. They could choose to roll out new technologies and services while it was ongoing, so long as lawful access was built into them as required. Furthermore, the status quo will apply only to whichever of their systems and services are covered by the notice in question. Anything outside the scope of the notice is naturally unaffected by the requirement.
The Government cannot agree with Amendments 27 and 28 tabled by the noble Lord, Lord Fox. They would constrain and caveat Clause 17 in a way that would fundamentally reduce its effectiveness in achieving its goal: to ensure that lawful access is maintained while a notice is being comprehensively and appropriately reviewed.
When giving a notice for the first time, the Secretary of State has a statutory obligation to engage in a consultation period with the relevant telecommunications operator. Following this consultation, and taking into consideration the views of the operator, the Secretary of State then considers whether to formally give the notice. Should they decide to do so, the notice must then be approved by an independent judicial commissioner and formally given to the company before its obligations become binding on them. If at this point the operator is still dissatisfied with the terms of the notice, they have a statutory right to refer the whole notice, or part of it, to the Secretary of State for review.
Clause 17 will not affect the fundamental process of the review or these current safeguards. The notice must still be approved by both the Secretary of State and a judicial commissioner before it is formally given to the company and its obligations become binding on them. They will continue to have the statutory right to refer the notice, or part of it, to the Secretary of State for review. The Secretary of State must then consult the Technical Advisory Board and an independent judicial commissioner—not the one who originally approved the notice. Both the Secretary of State and the operator are able to make representations to these two bodies to factor into their considerations before the judicial commissioner produces their report.
The review of a notice is a potentially complex process; there are four distinct parties involved, two of whom are independent and required to consider certain factors as laid out already in the IPA. Given the bespoke nature of a notice, it is only appropriate that any possible review of it is equally bespoke. We cannot therefore apply an arbitrary timeline, but we will further consider this point.
The existing formal consultation prior to the notice being given, alongside the introduction of Clause 20, will further strengthen collaborative working opportunities between operators and government. Discussions between operators and government will begin when the operator informs the Secretary of State of a relevant change. If, following this, the Secretary of State initiates a formal consultation period before issuing a notice, this is a further opportunity to work with the operator to discuss how lawful access might be maintained. This means there would have been extensive collaborative opportunities before a notice was issued and it should mitigate the requirement for a notice to be referred to the Secretary of State for a review.
These amendments further propose, in effect, removing the obligation on non-UK based companies which control telecommunication systems used to provide a service in the UK to maintain the status quo during the review period. I fear this underestimates the interconnectedness of telecommunications services. There is no neat delineation of telecommunications systems control at national borders. A person may control a system either partially or entirely from outside the UK, but that person or another may still use it to provide services in the UK. Therefore, this amendment would, in practice, render this vital clause meaningless by providing a ready-made excuse for those who wished to avoid its effect.
On Amendments 29 to 32 to Clause 18, also tabled by the noble Lord, Lord Fox, while we have seen changes in technology over the past seven years, we have also seen a change in how companies structure themselves. Clause 18 is necessary to ensure the IPA reflects these complex corporate structures. It does not seek to bring additional companies into the scope of the IPA, but clarifies that large companies are covered in their totality within the context of the IPA. It also does not override the position in the interception code of practice with regards to enterprise services. The definition is being amended out of an abundance of caution to ensure the IPA continues to apply to all those it was intended to and to ensure that any possible loopholes that might be deliberately exploited are closed. This will improve the effectiveness and efficiency of the regimes and the process of issuing notices.
Companies increasingly have multiple subsidiaries across the globe involved in the delivery of their services. We are not proposing to do anything that would affect this flexibility and the freedom that benefits both the UK economy and citizens as customers of these services. However, the IPA needs to reflect these complex corporate structures. It is ultimately a question of who controls the telecommunications system that is used to provide the service to persons in the UK.
For example, an email service could be provided using a telecommunications system controlled by a company that is headquartered in the US but that has multiple subsidiaries across the globe, and one of these subsidiaries could be the one listed in the terms and conditions of a UK user. However, that subsidiary is still not the person controlling the telecommunications system used to provide the email service that the person in the UK is using; the headquarters of the company is. It is that element of the company that this clause will ensure is also covered by the IPA, as well as the subsidiary.
However, this clarification to the definition of a telecommunication operator does not override the position in the interception code of practice with regards to enterprise services. By “enterprises”, we mean companies, academic institutions, non-profit organisations, government agencies, and similar entities that pay cloud service providers to store and or process their organisation’s electronic communications and other records.
The interception code of practice—which was amended last year following a public consultation—set out our long-standing policy position in formal guidance that must be considered by persons exercising functions relating to the code. The position is that when a cloud service provider is providing such services to an enterprise, an intercepting authority seeking targeted interception of data belonging to the enterprise can often obtain the same data from both the cloud service provider and the enterprise. However, although the Act allows the intercepting authority to serve the warrant on either the cloud service provider or the enterprise, the intercepting authority should—where it is reasonable to do so—always serve the warrant on the enterprise rather than the cloud service provider. There will be some exceptions to this; for example, if serving the warrant on the enterprise would endanger national security. These exceptions are incredibly important and the amendment from the noble Lord makes no allowances for them. Furthermore, as there is no contradiction between our existing position on enterprise and the clarification to the definition of a telecommunications operator, the amendment is unnecessary.
On Clause 20, it is critical that this clause remains in the Bill so that the intelligence agencies can keep the country safe. I will address some of the misconceptions that I have heard in this place and externally, one of which is that this is a backdoor to company services. This is an ill-defined and unhelpful analogy. Our legislation and principles should make it clear that we are not asking for a backdoor to enable unfettered access to communications, nor for an opening that hackers and other malicious actors can exploit. We are asking that technology companies strike a balance in their services between users’ privacy and our responsibility to keep citizens safe. Preserving a well-made front door with safeguards offers a better solution for tech companies, the public and Governments.
These concerns are misplaced. The Bill will not introduce significant changes to existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some are incorrectly speculating. The notification requirement is an obligation that can be placed on operators that provide, or may be expected to provide, lawful access of significant operational value to inform the Secretary of State of changes that they are intending to make that could affect existing lawful access capabilities. It is needed to provide the Secretary of State, and by extension operational partners, with time to understand the potential impact of the changes and ensure lawful access can be maintained to keep people safe. It does not give the Secretary of State any power to intervene in the rollout of these changes, nor is the Secretary of State’s consent required for the rollout to proceed.
Should the Secretary of State wish to intervene in any way with the change the operator intends to make, they would use the existing notices regimes in the same way that is currently available to them. However, I reassure all noble Lords that it does not automatically follow that any notified change will result in a notice. There is no correlation between the notification notice and the notice review provision in Clause 17. Clause 20 requires only a notification of an intended change, and it will not require the operator to maintain the status quo. If the Secretary of State does wish to intervene, they will initiate the formal consultation process with the operator, required before any notice is issued. If it is necessary for a notice to be issued under the IPA, this will be subject to approval by a judicial commissioner. More generally, the giving of a notification notice and the giving of a technical capability notice, or any other notice, are two distinct processes.
The question of the status quo arises only in the context of the review of a data retention, technical capability or national security notice. It is not applicable to notification notices. The obligation to maintain the status quo also arises only at the time the review of a notice is triggered by the operator. The notifications will be important in giving operational partners time to adjust their ways of working, to ensure the capabilities can be provided throughout the process of, and after, the change taking place. The primary motivation for this obligation is to create an opportunity for collaborative working, in order to protect capabilities and, as I have said many times, keep people safe.
Overall, the Government’s strong preference is to work with operators to achieve common goals. We would always seek collaboration where possible. However, we believe that the public would expect their Government to know in advance if tech companies are proposing to do something that puts public safety at risk. Currently, companies could deliberately avoid disclosing to the Government changes that negatively impact lawful access, in an effort to pre-determine an outcome that is for Ministers and judges to decide, based on necessity and proportionality considerations. An operator does not need to be subject to an IPA notice in order to receive and give effect to an IPA authorisation or warrant that is required to lawfully access data. It is this access to data—where IPA notices are not already in place—that the notification requirement intends to protect.
I reassure noble Lords, once again, that the IPA includes significant and stringent safeguards for the notices regimes, and Clause 20 seeks to replicate the relevant safeguards regarding a notification notice. This includes the notice being issued only where the Secretary of State considers it necessary and proportionate to do so. It also sets out other matters the Secretary of State must take into account, including the likely benefits of the notice, the likely number of users of a service to which a notice relates, the likely cost of complying and any other effect of the notice on the operator.
I turn now to the specific amendments to Clause 20. The Government oppose these on the basis that they do not account for the fundamental differences between the different notices regimes and would impact upon the ability of operational partners to keep the public safe. Amendment 36, tabled by the noble Lord, Lord Coaker, proposes to add the requirement of considering the technical capability of complying with a notice to this list. While this is an important factor for technical capability notices because a notification notice has no technical element to it, its inclusion here would be wholly unnecessary. All other relevant factors have already been replicated in Clause 20.
Furthermore, the Secretary of State must consult the relevant operator before issuing a notification notice. The consultation will result in an individualised and confidential specification. This will be provided as an annex to the notice and will set out applicable telecommunications services and systems, specific to the company to which the notification requirement applies. The operator will be required to provide the Secretary of State with a notification of change on these specific services and systems only where the proposed change will result in a negative impact on lawful access.
Amendment 34, tabled by the noble Lord, Lord Fox, would introduce an expiry date for notification notices, which would require the Secretary of State to renew the notice every 14 days. This proposal would mean that, once a fortnight, the Secretary of State would have to reconsider the necessity and proportionality of the notification notice as agreed with the operator 14 days earlier. Technology moves quickly, but it does not move that quickly, and we cannot foresee any circumstances in which a 14-day renewal would be necessary or proportionate. It would be impractical, burdensome and likely impossible to maintain, for the operator, operational partners and the Secretary of State. It is also a requirement that is not remotely in line with the other notices in the IPA, or even standard warrants and authorisations.
18:15
Amendments 35, 37, 38 and 39, tabled by the noble Lord, Lord Coaker, seek to place the so-called double lock on to notification notices. While the double lock is a vital safeguard to the use of intrusive powers, it is not required for notification notices as they do not intrude on user privacy. This is inherently different from the other types of notices, where there is the potential for interference with user privacy, and therefore the double lock is required to ensure that the necessity and proportionality considerations in this regard are subject to judicial oversight. Notification notices do not facilitate the acquisition of data in the way that technical capability, national security or data retention notices do. The same level of judicial approval is therefore not justified. The Secretary of State will still be required to consider the necessity and proportionality of the notification notice, as well as the other factors laid out in the Bill. As mentioned already, these replicate, as far as is applicable, the factors applied to other types of notice.
The noble Lord, Lord Fox, is mistaken on what the CLOUD Act and the UK-US data access agreement actually state with regard to end-to-end encryption. The CLOUD Act states that
“the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”.
What this means in practice is that the UK-US data access agreement needs to be encryption neutral. It does not prevent any domestic regime that could require decryption. The Government are well aware of the importance of the UK-US data access agreement, and nothing is being proposed here that would jeopardise that.
Finally, as noble Lords will have seen, the Government have tabled Amendments 33 and 42 to clarify that the route of judicial redress to the Investigatory Powers Tribunal applies to notification notices. Amendments 40 and 41 ensure consistency across the language used throughout the IPA. I trust that noble Lords will welcome and support those amendments and I ask them, respectfully, not to press their own amendments.
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

My Lords, I thank the Minister for an admirably comprehensive response. That was what we were looking for—perhaps not everyone, but certainly our Front Benches. There is a lot to get our heads around, so we will take this away and look into it.

There are a number of observations I would make. First, the Minister emphasised co-operation, collaboration and discussion. Of course, the legislation does not look like that, so it would help if the Government could find some confidence-boosting measures, be they from the code or the draft annexe, or something that enables the Government to signal their continued intention to co-operate and collaborate.

The Minister talked about an interconnected data world—that is exactly the point the operators are making. Because of that interconnection, a hiatus in delivering a service in the UK could also be a hiatus in delivering that service to the rest of the world, given that everyone is using the same service. That is one of the points that was not picked up by the Minister at the time. That interconnectedness is the very issue that some operators have: if they are prevented from doing it in one place, how do they do it elsewhere?

The issue of corporate entities is interesting. What the Minister described was something I used to call “corporate veil”, and I am interested to know how robust that is in corporate law. With corporate veil, it became very difficult, even at court level in the United States, to break down the corporate entities and their interconnections. For no other reason than making an observation, I am interested to see how that works. I certainly see why the Government are putting it forward in their legislation.

There is a lot for us to digest, which we certainly will, between now and the next stage; it gives us something to get our teeth into over Christmas. That said, I beg to withdraw my proposal that Clause 16 stands part of the Bill.

Baroness Fookes Portrait The Deputy Chairman of Committees (Baroness Fookes) (Con)
- Hansard - - - Excerpts

I am afraid that the noble Lord is not in a position to do that. This is a clause; one votes for it or against it.

Clause 16 agreed.
Clause 17: Review of notices by the Secretary of State
Amendments 27 and 28 not moved.
Clause 17 agreed.
Clause 18: Meaning of “telecommunications operator” etc
Amendments 29 to 32 not moved.
Clause 18 agreed.
Clause 19 agreed.
Clause 20: Notification of proposed changes to telecommunications services etc
Amendment 33
Moved by
33: Clause 20, page 39, line 5, leave out “as follows” and insert “in accordance with subsections (2) and (3)”
Member's explanatory statement
This amendment is consequential on the amendment in the name of Lord Sharpe of Epsom at page 41, line 14.
Amendment 33 agreed.
Amendments 34 to 39 not moved.
Amendments 40 to 42
Moved by
40: Clause 20, page 41, line 2, leave out “(or description of persons)”
Member's explanatory statement
This amendment and the amendment in the name of Lord Sharpe of Epsom at page 41, line 4 correct an inconsistency in clause 20 by omitting references to a notice under section 258A of the Investigatory Powers Act 2016 being given or revoked in relation to a description of persons.
41: Clause 20, page 41, line 4, leave out “(or description of persons)”
Member's explanatory statement
See the amendment in the name of Lord Sharpe of Epsom at page 41, line 2.
42: Clause 20, page 41, line 14, at end insert—
“(4) The Regulation of Investigatory Powers Act 2000 is amended as follows.(5) In section 65 (the Tribunal)—(a) in subsection (5)(czi)—(i) for “or 253” substitute “, 253 or 258A”;(ii) for “or technical capability” substitute “, technical capability or proposed changes to telecommunications services etc”;(b) in subsection (5)(czl)(iii), for “or 253” substitute “, 253 or 258A”;(c) in subsection (8)(bc), for “or 253” substitute “, 253 or 258A”.(6) In section 67 (exercise of the Tribunal’s jurisdiction), in subsection (7)(azc), for “or 253” substitute “, 253 or 258A”.(7) In section 68 (Tribunal procedure)—(a) in subsection (5)(b), for “or 253” substitute “, 253 or 258A”;(b) in subsection (7)(f), for “or 253” substitute “, 253 or 258A”;(c) in subsection (7)(ha), for “or 253” substitute “, 253 or 258A”.”Member's explanatory statement
This amendment provides for the Investigatory Powers Tribunal to consider complaints about notices given under new section 258A of the Investigatory Powers Act 2016 (proposed changes to telecommunications services etc) in the same way as it considers complaints about other notices given under Part 9 of that Act.
Amendments 40 to 42 agreed.
Clause 20, as amended, agreed.
House resumed.
18:23
Sitting suspended.

Investigatory Powers (Amendment) Bill [HL]

Committee (2nd Day)
Scottish Legislative Consent sought
15:52
Clause 21: Interception and examination of communications: Members of Parliament etc
Amendment 43
Moved by
43: Clause 21, page 41, line 29, leave out “is unavailable to decide whether to give approval under subsection (2)” and insert with “is unable to decide whether to give approval under subsection (2), due to incapacity or inability to access secure communications”
Member’s explanatory statement
This amendment would specify that the only exceptional circumstances in which the Prime Minister would be permitted the use of a designate is when he or she is unable to make a decision due to incapacity (ill-health) or lack of access to secure communications.
Lord West of Spithead Portrait Lord West of Spithead (Lab)
- Hansard - - - Excerpts

My Lords, this is the first of three amendments I have tabled to Clause 21 relating to the so-called triple lock for targeted interception and targeted examination of communications relating to Members of the relevant legislatures. These changes are replicated in the three amendments which I have laid to Clause 22, which we will come to later, which relate to the triple lock around the targeted equipment interference warrants.

The communications of Members of the relevant legislatures, including noble Lords in this House, should not be intercepted and read unless it is absolutely essential to do so in the most serious of circumstances. That is why Parliament added a third layer of safeguards to approve of any such warrant in the IPA, ensuring that these warrants will not only be issued by a Secretary of State and reviewed by a judicial commissioner but approved by the Prime Minister personally. This is a robust and necessary oversight mechanism, and it is important that any changes as a result of this Bill do not undermine the central three layers of approval.

Nevertheless, the ISC recognises that, on occasion, the requirement that a warrant be approved by the Prime Minister personally may disproportionately affect the operation of the intelligence agencies, where they are seeking a targeted interference or equipment interference warrant that is very time sensitive. We therefore support the intention to provide some resilience, whereby in truly exceptional circumstances, an appropriately empowered Secretary of State may temporarily deputise for the Prime Minister on these matters. However, the clauses before us go too far.

My three amendments seek to ensure that decisions are delegated only in the most exceptional circumstances, that the decision may be designated only to a limited number of Secretaries of State who are already responsible for authorising relevant warrants, and that the Prime Minister retains oversight of all warrants which have been authorised in their name through a retrospective review of the decision.

The first of those relates to the circumstances in which a decision may be delegated by the Prime Minister to a Secretary of State. This should be clearly defined and limited only to situations where the Prime Minister is genuinely unable to take a decision. My amendment specifies that the Prime Minister must be “unable”, rather than simply “unavailable”—which is a rather subjective test—to decide whether to give the necessary approvals. It sets out that the only situations in which this applies are due to incapacity or inability to access secure communications—for example, if the Prime Minister is extremely ill or is abroad and unable to securely access the relevant classified documentation. This provides what the agencies require, but, when combined with the requirement that there is an urgent need for the decision, also provides the necessary assurance to Parliament that the Prime Minister’s responsibility will be deputised only in specified exceptional circumstances, and ensures that the use of a delegate does not become routine.

My second amendment to Clause 21 is to specify those Secretaries of State who can act as a designate for the Prime Minister in these circumstances. As currently drafted, the Bill includes all Secretaries of State as potential designates for the Prime Minister in relation to triple-lock warrantry. However, only a limited number of Secretaries of State have any statutory responsibility for warrantry for investigatory powers: for example, the Secretaries of State for the Home Office, the Ministry of Defence, and the Foreign, Commonwealth and Development Office. Given that the authorising of a warrant that relates to a Member of the relevant legislature must be taken seriously, it is both sensible and desirable that any Secretary of State deputising for the Prime Minister on these matters should already be familiar with the process and framework for targeted interception and targeted equipment interference warrants as part of their routine responsibilities, as those are the warrants we are talking about.

This amendment therefore limits the Prime Minister to up to two designated Secretaries of State and specifies that they should be Secretaries of State who are already required in their routine duty to issue warrants under Sections 19 or 102 of the IPA. I note that my noble friend Lord Coaker has tabled a similar amendment, which would list a number of specific Secretaries of State who could be designated as deputies to the Prime Minister. We wholeheartedly support the intention behind this amendment, and our amendment seeks to achieve a similar outcome. However, I note the possible scenario whereby the evolution of departmental names, seen relatively recently with the renaming and restructuring of the Foreign, Commonwealth and Development Office, may sow confusion as to which Secretaries of State are included under Clause 21. My amendment seeks to avoid any such confusion by linking the role to existing statutory responsibilities for warrantry in the original Investigatory Powers Act. In this way, it should achieve a very similar outcome to that which was wisely proposed by my noble friend Lord Coaker.

My third amendment to Clause 21 would ensure that the Prime Minister retains ultimate responsibility for any targeted interception and targeted examination warrants which involve communications to or from Members of the relevant legislature. As I outlined earlier, the Intelligence and Security Committee considers it essential that the three planks of the triple lock not be weakened by any changes made by the Bill. Therefore, we must ensure that the Prime Minister’s overall oversight of and involvement in these warrants is retained, even if, in designated cases, it could be retrospective. I have therefore tabled an amendment to provide that the Prime Minister review the decision taken by a designated Secretary of State on their behalf as soon as the circumstances have passed which prevented the Prime Minister approving the warrantry in the first place.

16:00
That amendment would provide reassurance that the Prime Minister has sight of and input into all warrantry concerning the communications of members of relevant legislatures, even if that warrant has been authorised by a nominated Secretary of State in the first instance. It therefore upholds the original three layers of the triple lock which was enshrined by Parliament in the original legislation.
Amendments 51 and 52 are consequential on the decisions on those two, so I shall say no more on those. I beg to move.
Lord Hope of Craighead Portrait Lord Hope of Craighead (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I wish to speak to Amendments 44 and 51A, which are in the name of the noble Lord, Lord Anderson, and to which the noble Lord, Lord Fox, and I have added our names. They very neatly follow on from Amendment 43, which has just been moved by the noble Lord, Lord West of Spithead, and are based on a recommendation in the report by the noble Lord, Lord Anderson, in which he says at paragraph 8.20:

“I recommend the use of a deputy to be permitted for the purposes of the triple lock when the Prime Minister is unable”—


I stress the word “unable”—

“to approve a warrant to the required timescale (in particular through incapacity, conflict of interest or inability to communicate securely)”.

These amendments are prompted by the fact that, instead of the word “unable”, which was that chosen by the noble Lord, Lord Anderson, for the recommendation in his report, and which is also used in Amendment 43, the word that appears in Clause 21 for condition A in the new subsection (3) of Section 26 is “unavailable”. The same point arises with the wording of the triple lock in relation to equipment interference which Clause 22 seeks to introduce, under Section 111 of the 2016 Act. The word “unavailable” would be replaced with the word “unable” in both places by the amendments from the noble Lord, Lord Anderson.

This is all about the meaning of words. The aim must surely be to find the right word to use for describing the situation in which the Prime Minister’s function of giving the necessary approval must be passed to another individual, other than the Secretary of State who has applied for the warrant. This is, of course, a very sensitive matter, and that in itself indicates the importance of choosing the right word.

The question is whether the phrase

“unavailable to decide whether to give approval”

covers all possible situations. The word “unable” includes “unavailable”, but “unavailable” does not always mean the same as “unable”. The word “unavailable” sets too low a bar. The Prime Minister could be unavailable simply because he or she is doing something else—whatever it might be—that is occupying their mind or demanding their attention elsewhere.

On 11 December 2023, the Minister sent a letter to the noble Baroness, Lady Drake, in response to points raised on this Bill by the Constitution Committee, which gave examples of prime ministerial unavailability. Attached to that letter was a commentary on the proposed amendments to Sections 26 and 111, in which the point is made that the word “unavailable” should be understood to mean situations—of which two examples are given— in which the Prime Minister is “genuinely unavailable” to consider the application. The introduction of the word “genuinely” demonstrates the problem with the word “unavailable” on its own, to which the noble Lord, Lord Anderson, draws attention: it needs to be narrowed down and clarified. That is what the word “genuinely” does, but it is not in the Bill.

It is worth noting that, in each of the two examples given in the commentary, “unable” is used to describe situations Prime Ministers may find themselves in which they cannot perform the function to which the statute refers:

“5.1 The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents.


5.2. The Prime Minister is medically incapacitated and therefore unable to consider the warrant.”


The fact that “unable” is used here suggests that the word the noble Lord, Lord Anderson, used in his report really is the right one for the situations referred to in these two sections.

There is a further point that the noble Lord, Lord Anderson, would make: “unavailable” does not cover the situation in which there may be a conflict of interest. This surely is a reason why a Prime Minister, although available, should not exercise the power. Here especially, the greater clarity that the word “unable” brings to the situation really is needed.

I know that the Minister has discussed this issue of the wording with the noble Lord, Lord Anderson, perhaps several times and will, no doubt, refer to the position he and his Bill team have adopted so far during these discussions when he replies. But I hope he will feel able, especially in view of the points I have made about the commentary attached to his letter of 11 December, to agree to another meeting with the noble Lord, and possibly myself, before the Bill reaches Report. I hope that, when he comes to reply, he will be able to respond to that request.

Lord Coaker Portrait Lord Coaker (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I am pleased to follow my noble friend Lord West and, indeed, the noble and learned Lord, Lord Hope. They have raised some important questions for the Committee to consider and for the Minister to respond to.

It may be helpful to remind the Committee and others present that Clauses 21 and 22 amend the section of the IPA that deals with targeted interception and examination warrants regarding Members of both Houses of Parliament and the devolved legislatures. These are clearly very important pieces of legislation. The safeguard on such warrants is referred to as the triple lock. As with other warrants in the IPA, the Secretary of State and the judicial commissioner must approve the warrant. But with respect to this issue, the Prime Minister must also approve warrants for the communications of Members of UK Parliaments, hence the difficulty that my noble friend, the noble and learned Lord and others have referred to. What happens with the triple lock if the Prime Minister is not available to authorise that warrant with respect to the communications of parliamentarians, not only in Westminster but the devolved legislatures?

One can see the seriousness of this problem. The Government have rightly felt it necessary to bring this measure forward, given the unfortunate situation when the Prime Minister was dangerously ill in hospital with Covid; thankfully, he recovered. This is clearly a very important issue which we need to consider.

My noble friend Lord West outlined an issue, as did the noble and learned Lord, Lord Hope, that I will speak briefly to. I say respectfully to all noble Lords that the points the noble and learned Lord made are not dancing on the head of a pin: they are very real questions for the Minister about the difference between “unavailable” and “unable” and what that means. The Government need to clarify that for us. My noble friend Lord West’s amendment and my Amendment 47, on which Amendment 45 is consequential, question the wide scope the Government have within the legislation, whereby it almost seems as if any Secretary of State will be able to deputise for the Prime Minister. My noble friend Lord Murphy made the point at Second Reading, which my noble friend Lord West has just made again, that it would surely be better if that scope were narrowed to Secretaries of State with experience of dealing with warrants. My and my noble friend Lord West’s amendments seek to narrow that scope to Secretaries of State who have that experience.

I take the point of my noble friend Lord West. His amendment as it stands is probing. Maybe drafting improvements could be made. The thrust of what he and others said, however, is that we need to do something to deal with the issue.

I have just a couple of questions before I move on to Amendment 55A. Who decides whether the Prime Minister is available or unavailable, or if indeed we have the Bill amended? Who decides that the Prime Minister is unable to take the decision for that triple lock? What is the process by which the decision is made that this is the case?

On Amendment 45, it is unclear to me who the senior officials are that could also make the decision. We have other Secretaries of State who could take the decision if the Prime Minister is “unavailable” or “unable”—if an amendment is passed—to take the decision. Then we have senior officials who might be allowed to take this decision. It is not dancing on the head of pin to ask “What does a “senior official” mean?” and “Who are the officials?”, hence my probing Amendment 45 on who they are and in what circumstances they could take these permissions.

In preparing for Committee, I asked about what sorts of situations might arise. Of course we can think of different situations, and the Government, in the code of practice that they publish, outline a couple of scenarios that may require urgent warrants and the Prime Minister to be involved and so on. In 2011, the noble Lord, Lord Hennessy, apparently did a helpful piece of work on Prime Ministerial powers. He talked of what happens if the Prime Minister is unable to take a decision with respect to shooting down a hijacked aircraft or an unidentified civil aircraft. What happens in those circumstances? Is that the sort of circumstance that the Bill seeks to deal with as well? What we are discussing is obviously also really important because this may involve the authorisation of the use of nuclear weapons. The Minister will be limited in what he can say about that.

I do not want to create a TV drama-type situation, but these are really important questions and the Government are right to address the situation of a Prime Minister being unavailable or unable to take these decisions in some of these circumstances. Again, this gives us the opportunity to think about what areas of national security the Bill would cover.

As is said in the explanatory statement, Amendment 55A

“is designed to probe the extent to which powers in the Investigatory Powers Act 2016 have been used in relation to Members of Parliament”.

As I have mentioned, I was particularly disturbed that, under Section 230 of the Investigatory Powers Act, the Prime Minister can deal directly with the Investigatory Powers Commissioner to keep under review the discharge of the functions of the Armed Forces with regard to intelligence activities. Can the Minister say what the role of Defence Intelligence is in all this? The reason that I raise the matter in this debate on parliamentary communications is due to the report in the Mail on Sunday on 25 November, which spoke of Defence Intelligence being involved in in the Government’s response to Covid. It was involved in looking at communications—and, according to the report in the Mail on Sunday, some of the communications involved parliamentarians.

16:15
I found that quite surprising—that is one word for it. The Mail on Sunday quotes the government spokes- person as saying:
“Online disinformation is a serious threat to the UK, which is why during the pandemic we brought together expertise from across government to monitor disinformation about Covid. These units used publicly available data, including material shared on social media platforms, to assess UK disinformation trends and narratives”.
The Bill would get over that because it would say that these individuals have a low or no expectation of privacy, but how on earth is Defence Intelligence involved in this? As far as I am aware, Defence Intelligence is not referred to in the Bill, although MI5, GCHQ et cetera are. Can the Minister explain the report in the Mail on Sunday of Defence Intelligence being used to look at activities around Covid and disinformation? According to the report, it appears that certain information submitted by parliamentarians was looked at by Defence Intelligence, hence my probing Amendment 55A.
I repeat: we support the Bill. As the noble and learned Lord, Lord Hope, the noble Lord, Lord West, and I have said—I am sure that the noble Lord, Lord Fox, and others will say the same—we are seeking some clarification and certainty on some of its provisions so that it is fit for purpose and delivers what we all want it to.
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

My Lords, I rise to speak to the amendments in my name in this group. First, I shall make some brief and broadly supportive comments regarding the amendments proposed by the noble and learned Lord, Lord Hope, and the noble Lords, Lord West and Lord Coaker.

As we have heard, all these amendments are designed to tighten up or clarify the triple lock and the changes introduced in the Bill. As your Lordships know, the triple lock relates to circumstances where UKIC and law enforcement may obtain and read the communications of MPs, et cetera; we will talk about the “et cetera” in a minute. Currently, the usual double lock is supplemented by an unqualified requirement that the Secretary of State may not issue the warrant without the Prime Minister’s approval.

As we heard from the noble and learned Lord, Lord Hope, the report from the noble Lord, Lord Anderson, explores the circumstances in 2020 when the Prime Minister was hospitalised and the triple lock was therefore rendered unavailable. The noble Lord recommends the use of a deputy for the purposes of the triple lock when the Prime Minister in unable to approve a warrant in the required timescale, particularly through incapacity, conflict of interest or an inability to communicate securely. As we heard from the noble and learned Lord, “unable” has been substituted with “unavailable” in the Bill. I really am not sure why—perhaps the Minister can explain why—but that is a different context. In his normal, forensic way, the noble and learned Lord explained the difference between those words; that is why I was happy to sign Amendment 51A, which reverts back to the originally recommended “unable”.

The amendments in the name of the noble Lord, Lord West, are more probing but interesting. We will be interested to hear how the Minister responds to them; I look forward to that.

Amendment 47 in the name of the noble Lord, Lord Coaker, seeks to limit the number of Secretaries of State who can be designated in that deputy role. This seems a reasonable suggestion. Others may want to change the list, but a senior group of Ministers should be listed; surely having three or four of them on that list should be sufficient to deal with the issue.

The noble Lord, Lord Coaker, spoke to Amendment 55A. There are elements of reporting there that are reflected in my Amendment 55, which I will come to shortly.

I will now speak to Amendments 50, 54 and 55 in my name. Amendments 50 and 54

“would require that members of a relevant legislation who are targets of interception are notified after the fact, as long as it does not compromise any ongoing investigation”.

Amendment 55 seeks to ensure that the Investigatory Powers Commissioner reports annually on the operation of surveillance warrants and safeguards in relation to parliamentarians. This should include records in the annual report of the number of warrants authorised each year to permit surveillance of the Members of relevant domestic legislatures. This would ensure transparency, at least over the rate at which the power is being used.

Before talking a little more about this, it is worth recapping the history of political wiretap legislation. I am sure there are others who know it better than I, but it was helpful for me to understand the context. As we have heard, the IPA permits the interception or hacking of parliamentarians or the Members of other domestic legislative bodies via this triple-lock system, whereby the Secretary of State can issue a warrant with the approval of the Prime Minister, as per Sections 26(2) and 111(3). Until October 2015, it was widely understood that the communications of MPs were protected from interception by the so-called Wilson doctrine. This protection extended to Members of the House of Lords in 1966, and was repeated in unequivocal terms by successive Prime Ministers. Tony Blair clarified in 1997 that the policy

“applies in relation to telephone interception and to the use of electronic surveillance by any of the three security and intelligence agencies”.—[Official Report, Commons, 4/12/1997; col. 321W.]

Despite this clear and unambiguous statement that MPs and Peers would not be placed under electronic surveillance, an October 2015 decision by the Investigatory Powers Tribunal held that the doctrine had been unilaterally rescinded by the Executive. We pick up from there, so it is an interesting evolving power and we are part of that evolution in this Bill.

This evolution has also coincided with the meteoric rise in electronic communication that now offers the possibility of vastly more information being unearthed than was the case with a simple wiretap back in the Wilson days. First, there are clearly times when this sort of interception is necessary, and that is why the triple lock is such an important safeguard. But I have a couple of modest suggestions contained in these amendments. I must say now that I am in a state of deep trepidation, as not only has the noble Baroness, Lady Manningham-Buller, given me notice that she is on my case but she has actually moved five Benches closer than she was on Monday, so my boots are shaking.

These amendments would introduce a post-notification procedure to inform parliamentarians where they have been affected by targeted surveillance powers, but only if it does not compromise any ongoing investigation. Clearly, they would have to be deemed innocent or beyond suspicion for that notification to happen. I agree that it would be unfortunate, to say the least, if, for example, the announcement of any investigation revealed confidential sources that led to the initial investigation. I had hoped that my wording implied that, but I will be very happy to work with the noble Baroness on improving the wording on Report if she deems it necessary.

We got to the fourth group of amendments to the Bill without my raising the European Convention on Human Rights. Now is the time. Happily, I am sure that the Minister has been reading up on this for other reasons, and he will no doubt be familiar with this important bastion of freedom. I refer in particular, in this case, to Article 8: the right to respect for private and family life, home and correspondence. I feel sure that most surveillance interventions would meet the terms of Article 8, which are summarised as:

“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.


As I say, it is unlikely that the activities we have been describing will break that.

In the unlikely event that they do and there is a misstep, in order to bring a case under the Article 8 right it is necessary for a person to know that their privacy was breached in the first place, hence Amendments 50 and 54. I refer the Minister to two Article 8 rights cases heard by the European Court of Human Rights: Klass v Germany in 1978, which was reiterated in Weber and Saravia v Germany in 2006.

Amendment 55 is a bit simpler. It would ensure that the Investigatory Powers Commissioner’s annual report provides information about the operation of safeguards in relation to surveillance of Members of Parliament et cetera, as is already required for journalists. It would mandate that

“information in particular about warrants … considered or approved”

that are targeted at MPs et cetera is included, further to the requirement to provide information on general targeted interception and hacking warrants. I believe that is not a controversial ask, and I hope the Minister agrees.

I would like to use these amendments to do some probing as well as changing words, by confirming the “et cetera” part of MPs et cetera. My understanding, which I am sure is correct, is that as things stand that includes Lords and elected Members of the devolved authorities. But our democratic system is changing and evolving as we go. We now have very powerful elected mayors with very large electorates—much larger than any MP’s. I wonder whether there is an argument that they too should be included within the triple-lock umbrella going forward. I have one additional question in this vein. Once out of office, do all these individuals no longer attract triple-lock protection? Are ex-First Ministers, ex-MPs and ex-Prime Ministers all no longer subject to the triple-lock safeguards?

This sort of legislation breeds suspicion. The two measures I propose here are sincere attempts to help tackle some of these suspicions and create sufficient transparency to allay the fears that there is widespread and extensive activity of this type—assuming, of course, that this activity is indeed a rare occurrence.

Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- View Speech - Hansard - - - Excerpts

My Lords, the noble Lord, Lord Fox, is quite safe; I am not going to come and hit him, but I am going to try to demolish a few of his arguments.

I will start with the word “transparency”, which appears again in some of the amendments in the name of the noble Lord, Lord Coaker. The work of the security and intelligence agencies can never be transparent. It is in the interests of those agencies that as much as can safely be known of what is done in their name is known, which is why my organisation sought law in the 1980s. But there will always be things that cannot be made public because, if they are, we might as well pack up and go home.

Appealing as the amendments in the name of the noble Lord, Lord Fox, might be on the surface, for a start, telling people that they have been subject to interception would require us to alter earlier parts of the IPA because it would be illegal. To do so would also risk sources and methods. Of course, they would not be itemised, but let us consider a speculative case of a Member of the other House who has a relationship with a young Chinese lady. Let me emphasise strongly that this is not based on any knowledge of anything. Indeed, when I was director-general of MI5, we still operated the Wilson doctrine. Somebody in that MP’s office approaches my former colleagues and raises concerns with them. A warrant is obtained, signed by the Prime Minister, and subsequently it becomes clear that the concerns of the individual in the office—the source of the information—were absolutely justified. Now, we cannot tell that individual at any stage whether he or she is acquitted of any wrongdoing or ends up care of His Majesty’s jails. We cannot at any stage tell him because it risks sources and methods.

16:30
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

I do not think I was saying that.

Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- Hansard - - - Excerpts

No, this is what I want to establish. Just saying that he has been intercepted will lead that person to wonder how, so we cannot act covertly if there is any danger of sources being revealed or future operations being compromised.

Additionally, it raises the question of why Members of legislatures should have the privilege of being told that they have been subject to interception when members of the public never are. It is wrong, as it was, to treat parliamentarians as a particularly special case. Of course, such cases are highly sensitive, hence the triple lock; hence, I suggest, the rarity of this, but I think Amendments 50 and 54 are potentially damaging. I will shut up now.

Lord Hogan-Howe Portrait Lord Hogan-Howe (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I apologise that I did not speak at Second Reading, but I was here. Perhaps for the same reasons, I strongly support what the noble Baroness, Lady Manningham-Buller, has just said. It is secret that telephone interception is in place. If someone is aware, directly or indirectly, that the only way the Security Service or the police will discover a certain piece of information is by a telephone call, then it could be revealed, so it would require the law to be changed.

I have four worries about this amendment. First, at the point at which an interception is stopped, it is very difficult to predict whether the investigation will continue and/or be resumed. If the suspect is advised of the existence of the investigation, it gives them the potential to destroy evidence, which may frustrate the investigation in the long run, so I do not think it is wise to advise any suspect that they have been under investigation.

Secondly, there are two types of investigation: overt ones, where the person knows they are under investigation, and covert ones, where they do not. There is a general convention whereby if an investigation concludes without a charge, we have never told the person that they were under investigation. I am not sure why we would breach that principle merely because intrusive surveillance was in place.

Thirdly, as the noble Baroness mentioned, why would we do that only for Members of the legislature? It could be put in place, but there have to be some strong reasons. I do not think Members of a legislature can just say, “We deserve extra protection”. There has to be a stronger reason, because, otherwise, the rest of the public could rightly say, “Well, why can’t we have that protection?” For that reason alone, you would have to think very seriously about it.

Finally, sometimes Members of the legislature might be under investigation for things in their private capacity and sometimes for a mixture of the two; it might overlap into their legislative acts. Before anything like this was considered, I would take an awful lot of persuasion and I do not think the argument was made for why this needed to happen only for Members of the legislature.

Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I support the points the noble Baroness, Lady Manningham-Buller, made about Amendment 50 regarding the revelation of whether someone who is in a legislature has been tapped. I do not think that is possible. I think it has all sorts of practical difficulties which she rightly outlined, and that situation is something that I could not in any way support.

I want to come back to the issue of “unable” or “unavailable” with regard to the Prime Minister. I think that it is right that it should be “unable”, because of the gravity of the business of tapping the phone of a Member of Parliament or a devolved legislature. I suspect that such a possibility is hugely remote; it might not happen for years and years. However, when it does happen, it is exceptionally serious, because you are not only depriving that Member of Parliament of liberty—you are in many ways saying that the person who has been elected by his or her constituents as a Member of Parliament or of the Senedd, or whatever it may be, is now in some doubt as a public representative. That is hugely serious, so the triple lock is important, but the word “unable” is more serious a word than “unavailable”, and I support changing the word in the Bill.

I also very much agree with the noble Lords, Lord West and Lord Coaker, about the nature of the Secretaries of State who should be the substitute for the Prime Minister if the Prime Minister was unable to perform his or her duty with regard to tapping the phone of a parliamentarian. I tapped phones for three or four years almost every day, except at weekends—occasionally at the weekend, but mainly on weekdays—and I took it very seriously. I knew that I was depriving someone of their liberty and privacy; generally speaking, they deserved to be deprived of their liberty because of the horrible things that they might do. Sometimes, although very rarely, I would not sign them, because I was not convinced of the argument put to me.

Someone who has the experience over the years of dealing with warrants has an idea of the nature of the act of signing the warrant and how important it is. It is not simply about reading it and putting your name at the bottom—you have to think about it very seriously. Your experience develops as time goes by. In fact, when I was unable or, more likely, unavailable to sign warrants as Northern Ireland Secretary—if I was on the beach somewhere in the Vendée, as I occasionally was—somebody else would sign the warrants that I would normally have signed. It was generally the noble Lord, Lord Blunkett, who was then the Home Secretary—and when he went on holiday somewhere, I signed his. The point about that was that, technically, almost every member of the Cabinet—because by then nearly every member was a Secretary of State—could have signed. But I knew, when the noble Lord, Lord Blunkett, signed mine, that he knew what he was doing—and vice versa, I hope. Therefore, there should be some way in which we designate Secretaries of State who are used to signing warrants to be a substitute for the Prime Minister.

The other issue, on which I shall conclude, is that the debate so far is evidence of why it is so important that the Intelligence and Security Committee puts its views to this House, through the noble Lord, Lord West, and that the committee should look carefully at these matters.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I thank all noble Lords who have spoken in this debate, which was fascinating. I shall start by addressing the amendments and points raised on the circumstances in which the alternative approvals process would be used—that is, for urgent warrants when the Prime Minister is not available. First, it is worth reminding noble Lords that we have set out a non-exhaustive list of such circumstances in the draft excerpt of the relevant code of practice published last week. I shall come back to that in a moment.

I start with Amendments 44 and 51A, tabled by the noble Lord, Lord Anderson of Ipswich, and spoken to by the noble and learned Lord, Lord Hope of Craighead, which seek to widen the situations in which the alternative approvals process could be used to include situations where the Prime Minister is “unable” to consider a warrant—not only when they are “unavailable”. As the noble and learned Lord indicated, the amendments would extend the circumstances where the alternative approvals process could be utilised to expressly include instances where the Prime Minister has a conflict of interest in considering a warrant application.

I remind noble Lords that the Prime Minister, like all Ministers, is expected to maintain conduct in line with the Nolan principles in public life: selflessness, integrity, objectivity, accountability, openness, honesty, and leadership. When a Prime Minister has a conflict of interest in approving a warrant, due to any personal or professional connection to the subject of the warrant, they are expected to continue to act in the public interest. Therefore, in these situations, the Government consider that the alternative approvals process is not required.

When drafting the Bill, the Government considered at some length whether to make further provision for conflict of interest, along the lines of the noble Lord’s amendment, and concluded that they should not. The primary reason is that, in order for a conflict of interest provision to function, a Secretary of State or unelected official involved in the warrantry process would have to be granted the ability, in certain situations, to take from the Prime Minister a personal power given to them alone by Parliament. Unlike the provisions in Clause 21, which permit the Prime Minister to delegate their power to approve these warrants if they are unavailable, this would require a subjective decision to be made on whether the Prime Minister could, in theory, be judged able to approve the warrant. A conflict of interest provision would also have significant implications for Cabinet hierarchy and the constitution. This is because a Secretary of State or an unelected official would have to determine that the Prime Minister had a conflict in approving the warrant and was therefore “unable” to be made aware of the warrant request. It is for these reasons that the Government decided that a conflict of interest provision should not be included in the Bill.

I have referred to the draft code of practice, and the noble and learned Lord, Lord Hope of Craighead, referred to my letter. I can confirm that many of the words in that letter appear to have reappeared in the code. Paragraphs 5, 5.1 and 5.2 state that:

“Prime Ministerial unavailability should be understood to mean situations in which the Prime Minister is genuinely unavailable to consider the application. For example (non-exhaustive) … The Prime Minister is overseas in a location where they are unable to receive the warrant application due to the security requirements and classification of the documents … The Prime Minister is medically incapacitated and therefore unable to consider the warrant”.


I am very happy to share the code of practice further with all noble Lords, if they would like to see a copy.

I have noted that this conflict of interest provision is specifically not included in the similar Amendments 43 and 51, tabled by the noble Lord, Lord West, which seek to limit the circumstances in which the alternative approvals process can be used due to

“incapacity (ill-health) or lack of access to secure communications”.

As the code of practice sets out, these are two of the key scenarios for which the measure is required, but an amendment of this nature would not cater for unforeseeable events and would leave an unacceptable level of vulnerability in the system. Given that the aim is to increase the resilience of the process, these amendments feel opposite in intent. The moment that a circumstance arises in which the Prime Minister is unable, for a reason other than the two given, to authorise an urgent warrant application, the system would provide a blocker to the intelligence agencies being able to conduct their vital work, which is of course keeping parliamentarians and the public at large safe and secure. I therefore ask noble Lords not to press their amendments. However, I note the views expressed today and am very happy to continue discussions and to meet the noble and learned Lord, Lord Hope, and the noble Lord, Lord Anderson, again to discuss this further.

I turn to Amendments 48 and 53, also tabled by the noble Lord, Lord West. These would introduce a review by the Prime Minister of warrants authorised via the alternative approvals process for interception and equipment interference. Clauses 21 and 22 are set up in such a way that the Prime Minister’s power is afforded to the Secretary of State for the purposes of triple-locked warrantry in specific circumstances; in effect, they are acting as the Prime Minister for the purposes of the Act, not as a deputy. As such, including a requirement for the Prime Minister to review the decision after the fact would not provide additional meaningful oversight beyond that which is provided by the alternative approver on their behalf. The decisions made by the initial Secretary of State and the alternative approver would still be subject to review by the judicial commissioner, so would have already been subject to significant scrutiny. The Government therefore cannot support these amendments.

I turn to the issue of to whom the Prime Minister can delegate this process. Amendments 47 and 49, tabled by the noble Lord, Lord Coaker, and Amendments 46 and 52, tabled by the noble Lord, Lord West, all seek to limit the Secretaries of State whom the Prime Minister can designate as alternative approvers. Directing the actions of the current and any future Prime Minister by limiting the Secretaries of State to only those mentioned in statute is short-sighted, in that it does not consider potential changes to the machinery of government, as the noble Lord, Lord West, noted.

Furthermore, I invite noble Lords to consider the scenario where, for example, the Home Secretary has provided the initial approval for the application before it is considered as part of the alternative approvals process. The Home Secretary should not then consider the application on behalf of the Prime Minister; this is because it would remove a stage of scrutiny in the triple lock process. Additionally, given the potential for there to be concurrent overseas travel of the Prime Minister and at least one other relevant Secretary of State, limiting the process in this way could fail to provide the necessary resilience. While there should not be an unlimited number of designates, it is important that there are enough alternative approvers to be prepared for these scenarios.

16:45
There may also be a compelling reason for another Secretary of State to be considered as an appropriate designate outside of those proposed by the amendment of the noble Lord, Lord Coaker. For example, they may have previously acted, as the noble Lord, Lord Murphy, did, as the Secretary of State for Northern Ireland but been moved to another Secretary of State post as a result of a reshuffle. They would therefore have a good understanding of the warrantry process but might not currently be a Secretary of State for a warrant-granting department.
The code of practice is also quite clear on designation, and I will read paragraph 6.1:
“When designating Secretaries of State, the Prime Minister should have due regard to whether a designee would have the necessary operational awareness of the warrantry process in order to carry out the role. There should also be consideration given to the number of Secretaries of State designated to ensure that there would be enough individuals to allow for a Secretary of State unavailability. This is because the Secretary of State who provided the initial authorisation could not also act on behalf of the Prime Minister as the alternative approver”.
The code of practice is statutory guidance to which the Prime Minister would need to have due regard. I hope that my explanation and the information set out in the draft code provide reassurance on these various issues.
Amendment 45, tabled by the noble Lord, Lord Coaker, seeks to restrict the senior officials in the determination of the urgency of an application. We do not believe that this would be appropriate or effective. Due to unavailability of the relevant Secretary of State, a separate Secretary of State to the one associated with the warrantry team in the warrant-granting government department may occasionally need to authorise an application. For example, a warrant which would ordinarily be handled by the Home Secretary may be handled by the Secretary of State for Defence in the absence of the Home Secretary. However, it would still be Home Office officials who would brief the Defence Secretary and provide the information necessary for them to consider the application. The same is true of applications going through the triple lock process.
Furthermore, senior officials in more than one department are likely to be involved in administering the process of the warrant, including within the warrant-requesting agency, the warrant-granting department and the Cabinet Office, which is responsible for obtaining Prime Ministerial approval for triple-locked warrants. It is therefore impractical to specify that the senior official must be serving in the same department as the authorising Secretary of State. The wording at Section 30(4) of the Investigatory Powers Act 2016 provides for the signing of a warrant by a senior official and is not specific as to which department the senior official must be serving in, only that they must be designated by the Secretary of State for that purpose. The same applies to these clauses, because there is no reason to adopt a different position here.
Turning to Amendments 50 and 54, tabled by the noble Lord, Lord Fox, I must join the noble Baroness, Lady Manningham-Buller—I thank her for a very eloquent speech on this—and the noble Lord, Lord Hogan-Howe, in setting out the serious challenges that these amendments would pose to the effective work of the intelligence agencies, which is of course to keep us all safe. On the specific cases the noble Lord mentioned under Article 8, I am not familiar with them, so I will look them up and endeavour to write. I would of course note that Article 8 is a qualified article, as the noble Lord has acknowledged.
These amendments would mean that the intelligence agencies could not operate secretly, impacting on their ability to carry out their statutory functions in this area. I understand that the noble Lord has suggested that the notification would take place once the investigation has been concluded, or once a judicial commissioner concludes that it is acceptable to do so, but these suggestions in and of themselves are inherently problematic.
The Investigatory Powers Act 2016 sets out the extent to which certain investigatory powers may be used to interfere with privacy. These powers are exercised covertly, and it is for this reason that warrants for interception and equipment interference can be issued only by a Secretary of State, with the approval of a judicial commissioner. The triple lock provides an extra level of political accountability by ensuring that the Prime Minister, or, subject to the successful passage of this Bill, their designated deputies, have additionally approved the warrant. There is a duty not to make unauthorised disclosures at Section 57 of the IPA, and Section 58 sets out the limited circumstances in which an excepted disclosure can be made.
Informing an individual that their communications have been intercepted would up-end this principle and cause potential risks to live and future operations, even if the initial investigation had concluded. The noble Lord has suggested that, to avoid potential risks to ongoing operations, the judicial commissioner could decide to postpone the notification until they judge that the risks of revealing the existence of the warrant have been mitigated against. This would inappropriately afford the judicial commissioners an operational decision-making power.
There are existing accountability routes that allow any individual, whether or not they are a Member of a relevant legislature, to challenge the activities of the intelligence services. Foremost among these is the Investigatory Powers Tribunal, which provides a cost-free right of redress to anyone who believes that they have been the victim of unlawful action by a public authority using covert investigative techniques. I therefore hope that the noble Lord will not pursue these amendments.
I turn to Amendment 55, proposed by the noble Lord, Lord Fox, which would require information on surveillance of parliamentarians to be included in the Investigatory Powers Commissioner’s annual report. Including information about the use of the triple lock in the IPC’s annual report would risk exposing some of the most sensitive operations and damage the work of the intelligence agencies in protecting democracy and those who engage with the UK’s democratic institutions. Given the limited number of Members of relevant legislatures—which is defined in Section 26 of the current Act, and covers Members of both Houses of Parliament and Members of the devolved legislatures, including the Scottish Parliament—providing statistics on the use of the triple lock may lead to uninformed accusations against Members, and also allow inferences to be drawn on the identity of those who have been subject to such measures. This could impact on ongoing or future investigations, and it would simply not be appropriate to include this type of highly sensitive information in the annual report.
The noble Lord, Lord Coaker, has also proposed Amendment 55A, which seeks a dedicated report on the use of interception and equipment interference powers in respect of communications of Members of Parliament since the passage of the original Act. As we have discussed, to provide further detail which reveals how the powers have been used would risk revealing sensitive information about investigations and could jeopardise important national security or serious crime operations. The law applies equally to everybody, and this includes Members of Parliament. However, in light of the Wilson doctrine, to which the noble Lord, Lord Fox, referred, the triple lock provides the necessary additional safeguards for when these powers are used in relation to Members of Parliament. Furthermore, the already produces an annual report on the use of investigatory powers, which he sends to the Prime Minister. The Government therefore cannot accept this amendment, because it is unnecessary and potentially detrimental to national security and serious crime operations.
Before I conclude, the noble Lord, Lord Coaker, asked me a specific question about a Mail on Sunday story about the Defence Intelligence situation. The Ministry of Defence did provide some analytical capability to augment capacity in government departments during the pandemic. This was done through established government processes: military aid to the civilian authorities—MACA—which allows for military support to government departments in exceptional circumstances, such as the pandemic. My noble friends in both DSIT and the MoD would be happy to follow up on any further questions on that.
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

I am anticipating the Minister sitting down shortly. I remind the Minister that I asked a specific question on directly elected regional mayors, their rise, and the role that they play in democracy, which is so different to when the IPA was originally conceived. The Minister may not have an answer now, but a written answer would be very helpful.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

I am happy to acknowledge that the noble Lord is right: their powers have expanded, as have their influence and celebrity over the years. I do not have an answer now, but I will come back to the noble Lord on that.

The objective of these clauses is to provide greater resilience in the process. It is critical that we do not undermine this from the off. I therefore hope noble Lords feel reassured by the explanations given, and the information set out in the draft code of practice, which is the appropriate place to set out the detail of this alternative process.

Lord Coaker Portrait Lord Coaker (Lab)
- View Speech - Hansard - - - Excerpts

May I say to the noble Lord that the answer he gave to me with respect to the Mail on Sunday story was a really good answer? I am seeking transparency, which we will come on to in the next set of amendments, where Ministers can provide it without compromising operational security, as the noble Baroness, Lady Manningham-Buller, rightly pointed out. The Minister went as far as he could to say that the story needs to be looked at, it raises particular issues and I can pursue those outside of the Chamber. That was an extremely helpful comment and shows what I am trying to get at with respect to transparency—rather than just dismissing it and saying we cannot talk about it. I am very grateful for the response and thought it was very helpful.

Lord West of Spithead Portrait Lord West of Spithead (Lab)
- Hansard - - - Excerpts

My Lords, I absolutely support what my noble friend has said. I was about to leap up and say that this should not be discussed in this forum because some of it is so sensitive. The Minister handled it extremely well, but we are getting quite close to the margins.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

I thank both noble Lords for their thanks. I have forgotten where I was, but I had pretty much finished.

Lord West of Spithead Portrait Lord West of Spithead (Lab)
- Hansard - - - Excerpts

I beg leave to withdraw my amendment.

Amendment 43 withdrawn.
Amendments 44 to 49 not moved.
Clause 21 agreed.
Amendment 50 not moved.
Clause 22: Equipment interference: Members of Parliament etc
Amendments 51 to 53 not moved.
Clause 22 agreed.
Amendments 54 to 55A not moved.
Clauses 23 to 25 agreed.
Clause 26: Exclusion of matters from legal proceedings etc: exceptions
Amendment 56
Moved by
56: Clause 26, page 44, line 22, at end insert—
“(3) After paragraph 24 insert—“25 “(1) Nothing in section 56(1) prohibits—(a) a disclosure to a relevant coroner conducting an NI investigation or inquest, or(b) a disclosure to a qualified person—(i) appointed as legal adviser to an inquest conducted by the coroner, or(ii) employed under section 11(3) of the Coroners Act (Northern Ireland) 1959 (c. 15) (“the 1959 Act”) by a relevant coroner to assist the coroner in an investigation conducted by the coroner,where, in the course of the investigation or inquest, the relevant coroner (“C”) has ordered the disclosure to be made to C alone or (as the case may be) to C and any qualified person appointed or employed by C as mentioned in paragraph (b).(2) A relevant coroner may order a disclosure under sub-paragraph (1) only if the coroner considers that the exceptional circumstances of the case make the disclosure essential in the interests of justice.(3) In a case where a coroner (“C”) conducting, or who has been conducting, an NI investigation or inquest is not a relevant coroner, nothing in section 56(1) prohibits—(a) a disclosure to C that there is intercepted material in existence which is, or may be, relevant to the investigation or inquest; (b) a disclosure to a qualified person appointed by C as legal adviser to the inquest or employed by C under section 11(3) of the 1959 Act to assist C in the investigation, which is made for the purposes of determining—(i) whether any intercepted material is, or may be, relevant to the investigation, and(ii) if so, whether it is necessary for the material to be disclosed to the person conducting the investigation.(4) In sub-paragraph (3) “intercepted material” means—(a) any content of an intercepted communication (within the meaning of section 56), or(b) any secondary data obtained from a communication.(5) In this paragraph—“the 1959 Act” has the meaning given by sub-paragraph (1);“coroner” means a coroner appointed under section 2 of the 1959 Act;“NI investigation or inquest” means an investigation under section 11(1) of the 1959 Act or an inquest under section 13 or 14 of that Act;“qualified person” means a member of the Bar of Northern Ireland, or a solicitor of the Court of Judicature of Northern Ireland);“relevant coroner” means a coroner who is a judge of the High Court or of a county court in Northern Ireland.26 (1) Nothing in section 56(1) prohibits—(a) a disclosure to a relevant person conducting an inquiry under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (2016 asp 2) (“IFASDA 2016”), or(b) a disclosure to a qualified person appointed under section 24 of that Act to assist a relevant person in the inquiry,where, in the course of the inquiry, the person conducting the inquiry has ordered the disclosure to be made to that person alone or (as the case may be) to that person and any qualified person appointed to assist a relevant person in the inquiry.(2) A relevant person may order a disclosure under sub-paragraph (1) only if the person considers that the exceptional circumstances of the case make the disclosure essential in the interests of justice.(3) Nothing in section 56(1) prohibits—(a) a disclosure to a relevant person conducting an inquiry under IFASDA 2016, or(b) a disclosure to a qualified person appointed under section 24 of that Act to assist a relevant person in the inquiry,that there is intercepted material in existence which is, or may be, relevant to the inquiry.(4) In sub-paragraph (3) “intercepted material” means—(a) any content of an intercepted communication (within the meaning of section 56), or(b) any secondary data obtained from a communication.(5) In this paragraph “relevant person” means—(a) a sheriff principal,(b) a temporary sheriff principal, or(c) a sheriff or part-time sheriff (but not a summary sheriff or part-time summary sheriff) designated as a specialist under section 37(1) or (3) of IFASDA 2016.(6) In this paragraph “qualified person” means an advocate or solicitor; and “advocate” and “solicitor” have the same meaning as in IFASDA 2016 (see section 40 of that Act).”” Member's explanatory statement
This amendment inserts into Schedule 3 to the Investigatory Powers Act 2016 (exceptions to exclusion of matters from legal proceedings etc) exceptions about disclosures to inquiries or inquests in Northern Ireland or Scotland into a person’s death. The exceptions are similar to existing provision in relation to England and Wales.
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

My Lords, I will speak to government Amendments 56, 59 and 60. As I set out in my letter to all noble Lords on 4 December, these small amendments will ensure that the legislation works effectively.

Government Amendment 56 amends Schedule 3 to the Investigatory Powers Act 2016 to provide exceptions for disclosures of intercepted materials to inquiries or inquests in Northern Ireland and Scotland into a person’s death. This will create parity with existing provisions for coroners in England and Wales by putting relevant coroners in Northern Ireland and sheriffs investigating deaths in Scotland on the same footing as their counterparts in England and Wales. Where necessary in the interests of justice, intercepted materials can be considered in connection with their inquiry or inquest.

Government Amendments 59 and 60 will maintain the extent of the IPA 2016, as set out in Section 272 of that Act. They amend this existing power to ensure that the measures in the 2016 Act, as amended by this Bill, can be extended to the Isle of Man or the British Overseas Territories, thus ensuring consistency across the legislation. If the Government sought to extend any provision to the Isle of Man or any of the British Overseas Territories, this would require an Order in Council and the Government would, of course, consult the relevant Administrations well in advance. I ask noble Lords to support these amendments.

Lord Coaker Portrait Lord Coaker (Lab)
- Hansard - - - Excerpts

My Lords, I will speak to my Amendments 57 and 58. They are obviously probing amendments but may generate a little discussion because they are none the less important.

Let me begin by saying that I accept absolutely what the noble Baroness, Lady Manningham-Buller, said about the important of ensuring the secrecy of much of what our security services and others do. That is an important statement of principle, and it was reinforced by my noble friend Lord Murphy when he recounted, as far as he could, some of the responsibility he had in his posts, particularly as Secretary of State for Northern Ireland. It is important to establish that I accept that principle.

17:00
With respect to my amendments, we are not talking about anything that would seek to compromise that fundamental principle. I was moved to table these amendments because of what the noble Lord, Lord Anderson, said in his excellent review, which we have all accepted. He spoke about the need to think about how we generate public understanding and support around what the intelligence services do. I thought it was important to explore that a little. Those of you have read the report will know that the noble Lord goes into quite significant detail about the importance of trying to generate that understanding. As I have said before about the noble Baroness, Lady Manningham- Buller, and her contribution, and that of the noble Lord, Lord Evans, and others, including the current Director General of MI5, they have tried to move into the modern world and to put out what they can, as far as is reasonably possible. All I am trying to say is that, in a democracy, there is a responsibility on government to try to explain some of the things that happen—even to explain why some things cannot be put out into the public domain. People will understand that, but they deserve the effort on our part.
As the noble Lord, Lord Anderson, says:
“It helps if there is some general understanding in political and media circles about the sorts of activities digital spies undertake, and why. These words are a standing reminder that in areas of legitimate public debate, particularly where fundamental rights are at stake, silence on the part of those with privileged knowledge is a comfort zone that needs to be continuously challenged”.
I think that is right. By challenging that, it forces the system to think about and understand what could be put out there to advance our understanding. It is not only about transparency; it is about understanding why that work takes place. The police and others often say that, where the public understand that, it creates a better atmosphere within which activities can take place, and better support for them. That is all I am seeking to do with the amendment: to understand the Government’s view of the points made by the noble Lord, Lord Anderson, in his review.
I cannot resist quoting “the Ronan Keating doctrine” —I am not going to sing it—where the noble Lord, Lord Anderson, refers to
“the false comfort taken by some security professionals in the traditional notion that ‘you say it best when you say nothing at all’”.
You can see why I did not sing it, but it makes a very serious point in a humorous way.
It is important for us all to consider that sometimes in a democracy its strength is where you draw the line between what the security services can quite rightly keep secret so as to operate in a way which protects their work and, as far as possible, trying to explain to the public what is happening and why it is happening. For example, until a few years ago, I do not remember it ever being put in the public domain how many incidents had been prevented by the work of the security services. It is helpful that they tell us that X number of attacks have been prevented as a result of what they have done. That was always kept secret in the past, and is now put in the public domain.
I will not detain your Lordships much with respect to Amendment 58. Again, it is based on what the noble Lord, Lord Anderson, included within his report. All it seeks to do is ask where we go to next and what the Government’s thinking is with respect to this. The noble Lord, Lord Anderson, points out the pace of technological change and the interaction between all of us—look at our own mobile phones compared to a few years ago. I do not know quite how legislation will keep pace with all of that and give our security services, counterterrorism police and others the tools that they need to operate and be effective as technology is changing. The noble Lord, Lord Anderson, almost points to the fact that a whole new block of legislation is needed. That is probably true. Whatever happens at the next election, there is a need for the Government of the day, whoever they are, to look at what is happening and at whether changes are needed, and at whether the legislation is as effective as it might be. As I say, the mobile phone is the obvious example, but it is very difficult to know where we are going with respect to artificial intelligence and what that means for the legislation, the work of the security services and how we ensure that they have the tools necessary to conduct their operations and keep us safe.
The last point I will make is that it always seems to me that the interconnectivity of the world must be really difficult when it comes to the legislative process. The movement of data and telecommunications across continents, let alone between countries and jurisdictions, must be incredibly difficult. As I say, Amendment 58 is simply another probing amendment to ask the Government what their view is and what their thoughts are about where the legislation goes to next.
Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I want to make a couple of comments in response to what the noble Lord, Lord Coaker, has just said. I can speak only for MI5, but, for many years, it certainly has been a desire of the organisation that, as far as safely possible, the British public—it needs their support every day of the week to do operations—have an understanding of what is done in their name to protect democracy.

I want to counter slightly the comment—I cannot now remember who made it—that there was much suspicion of this sort of activity. I may have misheard, because I am rather deaf. In my experience, when members of the public are approached by MI5 for help—such as, “Can I sit in your bedroom with a camera?”; something I would have deep suspicion of—they nearly always say yes and agree to co-operate. In my experience, when we are talking about transparency in this area, the public who I have encountered completely understand the role of secrecy. They do not want their role exposed, and, in particular, the identities of those brave men and women who we now clunkily call covert human intelligence sources need to be protected for ever. I want to counter the idea about public opinion. Of course there are concerns, but a lot of people are extremely supportive and deserve our thanks on a day-to-day basis.

Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, when I started life in politics a long time ago—50 years or so ago—when the general public, or people who had political ideas, thought about the security services they were generally criticised because they were spying on people who should not be spied on, such as political activists and all the rest of it. By the time the noble Baroness, Lady Manningham-Buller, and myself worked together with the intelligence and security agencies, the criticism that would come was whether the intelligence services had not done enough to protect us. That is the way in which things have changed over the last 40 or 50 years, so we have to be very careful how we balance this idea of accountability on the one hand and inevitable secrecy on the other. How do we do it?

There are reports by the Investigatory Powers Commissioner and the intercept commissioners. When I had to intercept, I was overseen by a commissioner every year. I had a meeting with him—a former judge—on whether I did this or that right, and on whether this or that was important. I come back to the point I have made in the last two days of Committee about the Intelligence and Security Committee itself. That is the vehicle by which Parliament holds the security services accountable. My noble friend Lord Coaker has been making that distinction all the time: the services being accountable to Government for what they do is very different from being available to Parliament.

Of course, details of who has been tapped and details of intelligence operations cannot come here, to this House or the other House—of course not. However, they can go through the committee which both Houses have set up, which meets in private, is non-partisan, and which has Members of both Houses who have great experience on it, to deal with these issues. That is why I appeal to the Minister—we had the debate on the issue on Tuesday—to think again about using the ISC to answer some of the issues that my noble friend Lord Coaker quite rightly raised.

Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

My Lords, I shall be brief. Just on the subject of suspicion, which I think I raised it, I was thinking—perhaps I did not articulate it well—that it was at the political-class level. It is not hard to construct a suspicious scenario where a Westminster-based Executive are hacking an Edinburgh-based politician—I am sure that suspicion would apply there. However, the noble Baroness is right about the public.

The amendment in the name of the noble Lord, Lord Coaker, is important, not because this sort of thing needs to go into primary legislation, but because his point around emphasising public understanding and support which has come out is really important. He picked out the fact that a number of officeholders have worked hard at generating a positive profile for the services, and for that they should be thanked and congratulated. I would add GCHQ, the public profile of which probably did not even exist a decade or so ago. I have several very sad friends who can hardly wait with excitement for the annual GCHQ quiz to arrive. Things like that essentially draw attention to the nature of the work that such organisations do. I laugh at those friends but then I cannot solve it and they can, so perhaps they are the winners there. Those sorts of things do not shed light and throw open the doors on the things the noble Baroness and others fear should not be public, but they create an ambience around those services which is important.

Nobody has mentioned the amendments in the name of the noble Lord, Lord Sharpe, which I guess is exactly what he wanted, and I have nothing to add to them either.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I thank the Committee very much indeed for the points raised in this short debate, which eloquently explained the fine balance that needs to be struck in this area. As this is the last group, I take this opportunity to thank all the men and women in all the security services, who do so much to keep us safe.

None Portrait Noble Lords
- Hansard -

Hear, hear.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

It is nice to hear that the Committee reflects that sentiment.

I appreciate the sentiment behind the amendments in the name of the noble Lord, Lord Coaker, but the Government cannot accept them. He is right that public trust and confidence in public authorities’ use of investigatory powers is of course essential. The Investigatory Powers Commissioner, along with his judicial commissioners, fulfils that very important function, as does the Investigatory Powers Tribunal. The IPC provides independent, robust and transparent oversight of public authorities’ use of investigatory powers. The safeguards in the Act are world-leading in that regard. The IPT, meanwhile, provides for a redress mechanism for anyone who wishes to complain about the use of investigatory powers, even if they have no evidence of potential wrongdoing.

As the noble Lord is aware, the Investigatory Powers Commissioner is already required to produce an annual report, which is published and laid in Parliament. One of the purposes of this public report is to provide transparency around how the powers are used, any errors that have been reported on public authorities’ compliance with the legislation, and where he considers that improvements need to be made. Amendment 57 would not really provide meaningful or additional oversight over and above what is already in place, and would in many areas be duplicative.

On Amendment 58, the noble Lord, Lord Coaker, is seeking to introduce a similar requirement to that in the original Act, in that case requiring a report on the operation of the Act to be produced five years after it entered into force. That report was published by the Home Secretary in February this year and formed the basis for the Bill, along with the report from the noble Lord, Lord Anderson. As set out in the Home Secretary’s report—and noted by the noble Lord, Lord Anderson—it is the Government’s view that future legislative reform is likely to need to keep pace with advancements in technology and changes in global threats.

It is not necessarily helpful to put a time limit on when these updates should be made. The Bill makes urgent and targeted amendments to the IPA, and it is important that there is adequate time to implement those changes and assess over an appropriate period whether they are sufficient. As I said, the Government are well aware that future legislative reform is likely and, if I may channel my inner Ronan Keating, “Life is a rollercoaster”. I hope that my explanations have reassured the noble Lord, Lord Coaker, on the existing process in place and invite him to not press his amendment.

Amendment 56 agreed.
Clause 26, as amended, agreed.
Clause 27 agreed.
Amendments 57 and 58 not moved.
Clause 28 agreed.
Clause 29: Extent
Amendments 59 and 60
Moved by
59: Clause 29, page 45, line 12, leave out “to subsection (2)” and insert “as follows”
Member's explanatory statement
This amendment is consequential on the amendment in the name of Lord Sharpe of Epsom at page 45, line 14.
60: Clause 29, page 45, line 14, at end insert—
“(3) The power under section 272(6) of the Investigatory Powers Act 2016 may be exercised so as to extend to the Isle of Man or any of the British overseas territories any amendment or repeal made by or under this Act of any part of that Act (with or without modifications).”Member's explanatory statement
This amendment provides for the power in section 272(6) of the Investigatory Powers Act 2016 (extent) to be capable of being exercised so as to extend to the Isle of Man or any of the British overseas territories any amendments of that Act made by this Bill.
Amendments 59 and 60 agreed.
Clause 29, as amended, agreed.
Clauses 30 and 31 agreed.
House resumed.
Bill reported with amendments.

Investigatory Powers (Amendment) Bill [HL]

Report
Scottish Legislative Consent sought.
15:39
Clause 2: Low or no reasonable expectation of privacy
Amendment 1
Moved by
1: Clause 2, page 6, line 7, after “must” insert “, as soon as possible and in any event within 24 hours,”
Member’s explanatory statement
This amendment requires a person granting an authorisation in urgent cases to notify a Judicial Commissioner within, at most, 24 hours that they have done so.
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

My Lords, I will speak also to Amendment 7, which is in my name. These amendments require a person granting an authorisation in urgent cases to notify a judicial commissioner within, at most, 24 hours. This amendment would make it mandatory that, when the intelligence services use type 7A and 7B data for urgent operational purposes, they must report this to a judicial commissioner within 24 hours.

As your Lordships know, the current proposal in the Bill is three days. As it stands, the intelligence services can use those three days to interrogate a dataset that is ultimately ruled offside by the judicial council—three days to deploy AI models that work very quickly, in moments. The Minister responded, highlighting extra cost as a possible reason not to pursue this. Plainly, with all due respect, that is not true, because the data has to be reported anyway, and bringing it forward by a couple of days is not a relevant concern.

The spectre of weekends has also been raised. I assume that, given that this process is to facilitate urgent investigations, the intelligence services themselves will be working on Saturday and Sunday, and it is up to them to report their activity. Amendments 1 and 7 do not change the time duty for the judiciary to respond, so this would not affect the operation of the urgent inquiry. Should they not respond until Monday or otherwise, it is not the concern of the services. Clearly, it puts pressure on the judicial commission to some extent, but the intelligence services will have met their side of the obligation and can carry on with their important and urgent work until such time as the judicial commissioner makes a ruling. In any case, I am sure that there will be duty rosters and such things going on for this, so, again, I am not sure that the weekend is a concern.

Another argument that has been advanced and may yet return is that other legislation uses three days, so this should, too. The whole point of the Bill is to take advantage of new and innovative technology. It seeks to recognise the differences and change regulations accordingly. If the technology changes, as it does as a result of the Bill, so should reporting criteria. If there are other times that are different, perhaps we should be looking at those rather than at this amendment. In this case we are dealing with new technology, where artificial intelligence, once trained, can be deployed on data—which may or may not be allowed until such time as the judicial commissioner has ruled—and AI can produce its answers in minutes, perhaps hours.

In Committee I proposed that the use of this data for urgent operations should be reported immediately. I recognise that that was a very unreasonable suggestion, which is why these amendments specify within 24 hours, which is a fairer proposal.

In Committee, the Minister’s words on what happens to information retrospectively ruled unusable were helpful:

“The relevant information must be removed from the low/no dataset and either deleted or a Part 7 warrant sought”.—[Official Report, 11/12/23; col. 1743.]


However, additionally in Committee, various ex-services Peers confirmed what I knew, which is that once a fact is known by service personnel, it is not forgotten—it cannot be unknown. The noble Baroness, Lady Manningham- Buller, and other noble Lords were very clear on that.

This amendment is designed to limit the amount of unforgettable information that can be derived from inappropriate datasets. I will listen hard to the Minister’s words, but, unless he has found a different and more compelling argument than those already deployed, I will press Amendment 1.

I am pleased that the Government have agreed that, in the event of Amendment 1 being agreed, Amendment 7 will be treated as consequential. I beg to move.

15:45
Lord West of Spithead Portrait Lord West of Spithead (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I rise to speak to Amendments 2, 3 and 6. As I made clear in Committee, the Intelligence and Security Committee broadly welcomes the introduction of this legislation as a means of addressing significant changes to the threat and technological landscapes that have the potential to undermine the ability of our intelligence agencies to detect threats and protect our country. There are, however, several areas in which the Bill must be improved and, in particular, safeguards strengthened.

The draft codes of practice published by the Government contain indicative safeguards. This is not a substitute, however, for putting such provisions on the face of the Bill, which is essential if we are to ensure that those safeguards cannot be changed or diluted by subsequent Administrations. This is particularly important when we are discussing necessary scrutiny and oversight. The ISC is still, therefore, seeking amendments to several sections of the Bill.

It is important to remember that the Bill seeks an expansion of the investigatory powers available to the intelligence services. We consider that this expansion is warranted. Any increase in those powers, however, must be accompanied by a proportional increase in oversight. Sadly, the Government have previously been reluctant to ensure that democratic oversight keeps track of intelligence powers—particularly where it is related to the remit and resources of the ISC. This House has made its views on this long-standing failure known during debates on several recent Bills, and yet again in Committee on this Bill. The Government have so far refused to update the remit of the ISC or provide the necessary resources for its effective functioning, such that it has

“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”—

as was the commitment given by the then Security Minister during the passage of what became the Justice and Security Act.

The House of Lords made its views on this long-standing failure known in debates over several recent national security Bills, including what became the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. Despite these repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments, and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight it purports to value. It is therefore imperative that Parliament ensures that, in relation to this Bill, the role of the ISC and other external oversight bodies, such as IPCO, is well defined and immovable from the outset. Fine words in a code of practice are, I am afraid, hardly worth the paper they are written on. They must be written into statute.

On the detail of Amendment 2, as I have noted in my previous speeches, Section 226DA of the current Bill requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets it retained and examined under either a category authorisation or an individual authorisation during the period in question. My amendment would ensure that there was independent oversight of this information, rather than just political oversight, as at present. It would achieve this by providing that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner.

IPCO does have a degree of oversight included in the Bill already, alongside its existing powers of inspection, but it is not full oversight. Further, there is currently no parliamentary oversight of category authorisations at all. This is not appropriate. My amendment will, therefore, enshrine within legislation that IPCO and the ISC will have oversight of the overall operation of this regime.

At this point, I acknowledge the amendment tabled by the Government. I thank the Minister for his engagement with the ISC; we have had some useful dialogue and I thank him very much for that. It is reassuring that there may finally be some recognition of the strength of feeling in this House that was apparent through noble Lords’ interventions at Second Reading and in Committee that the ISC must have a role in scrutinising this new regime.

However, what is not clear is why the Government chose to table their own amendment rather than accept the ISC’s amendment. Both amendments would seemingly provide the ISC with information on category authorisations that are granted or renewed in the given period. Without wishing to sound suspicious, I think the House requires an explanation as to what the Government see as the difference.

The first difference appears to be that the government amendment is less specific on the information to be provided and does not include individual authorisations within its scope. It therefore does not give the same level of assurance to Parliament and the public that the ISC is fully sighted on the operation of the regime.

The second difference is that the government amendment would seem to create more work for the intelligence community, as rather than simply sending the existing annual report to the ISC, a separate report would have to be produced instead. The Minister has been very keen to emphasise the need to minimise the burden on the agencies—we agree entirely with him; they are very busy—when it comes to other elements of the Bill, so it is most peculiar that the Government are deliberately choosing to increase the burden.

The third point I would note is that if the intention of this proposal is to carefully curate the information provided to the ISC regarding the Part 7A regime, it is rather undermined by the fact that the committee would still be able and willing to request a full report be provided to the Secretary of State, under the existing powers in the Justice and Security Act.

My fourth and final point is that the government amendment excludes the Investigatory Powers Commissioner. It is not clear why. IPCO and the ISC are both essential to oversight.

I trust noble Lords can recognise that, despite what I am sure are the Government’s best intentions, the ISC amendment provides the most robust assurance to Parliament and the public regarding oversight of the new regime, and the most streamlined mechanism for delivering this. I therefore urge the Minister and noble Lords to support this amendment to ensure that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by changes under this Bill. If investigatory powers are to be enhanced, so must oversight. This is what the ISC seeks to achieve by this amendment and those others that I have tabled.

I will touch very briefly on my noble friend Lord Coaker’s Amendment 5. I support it fully and I have raised those issues to do with the ISC.

On Amendment 6, this Intelligence and Security Committee amendment is required in order to close a 12-month gap in oversight. This relates to the new Part 7A, to be introduced by this Bill, which provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have low or no reasonable expectation of privacy. Approval to use such a dataset may be sought either under a category authorisation, which encompasses a number of individual datasets that may be used for similar purpose, or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors.

In the case of the category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of category authorisation after 12 months, and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.

However, as I highlighted in Committee, this oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. They will be able to use those datasets for potentially up to a year without anyone being the wiser. This would mean relying on the good intentions of a particular intelligence service to spot and rectify any mission creep up until the 12-month marker for renewal. Although we have every faith in the good intentions of the intelligence services, no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security.

It is important that we fill that 12-month gap in oversight, and my amendment does so very simply by providing a new Section 226DAA in Clause 2, which would ensure that IPCO is notified whenever a new, individual bulk personal dataset is added by the agencies to an existing category authorisation. The Government’s primary argument against this proposal appears to be that it would be too onerous for the intelligence community and would impair its operational agility. I do not believe this is the case.

Notification would entail the agency sending a one-line email to the Investigatory Powers Commissioner containing the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by that intelligence service. The amendment would not require that the use of the dataset be approved by the Investigatory Powers Commissioner, merely that the commissioner be notified that it had been included under the authorisation. It does not, therefore, create extra bureaucracy or process—certainly not in comparison with an entire new annual report, as the Government were proposing in relation to my previous amendment.

Crucially, this will provide for IPCO to have real-time information to enable it to identify any concerning activity or trends in advance of the 12-month renewal point. Any such activity could then be investigated by the commissioners as part of their usual inspections. Aside from the supposedly onerous burdens that these one-line emails will place on the agencies, the Government are also seeking to argue that the safeguards of the Bill are currently calibrated to the lowest level of intrusion associated with low or no expectation of privacy datasets and that it would therefore be inconsistent for the agencies to provide notification regarding category authorisations, given that they do not provide notification for datasets under the current Part 7 class warrant regime.

This argument is similarly unpersuasive. In the first instance, the light-touch nature of our amendment, requiring simple notification rather than approval, is already calibrated to the lower level of intrusion. However, the key point is that the agencies do not have the same powers under Part 7 and Part 7A. This new regime gives the agencies greater powers specifically to internally add individual datasets to those categories without external approval. This is not a power given under the current Part 7 regime. The ISC agrees that the agencies should have this power in relation to low or no reasonable expectation of privacy datasets. However, to rehearse this argument yet again, we should not be creating greater intrusive powers without data oversight. This is a new power that should not be available without some form of real-time external oversight, which is what my amendment provides.

This combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight through the involvement of judicial and political oversight bodies, as set out in my previous amendment, is necessary to provide Parliament and the public the reassurance that data is being stored and examined in an appropriate manner by the intelligence services. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services, which remains very important to us, and safeguarding personal data. I therefore urge noble Lords to support my amendment.

Baroness Manningham-Buller Portrait Baroness Manningham-Buller (CB)
- View Speech - Hansard - - - Excerpts

My Lords, first, I apologise. Like the noble Lord, Lord West, who during Committee had a bionic knee, I may not last, because I had a new one installed a couple of weeks ago. My eyes turned to the noble Lord, Lord Fox, as he possibly expected, but I am out of reach today and I cannot hit him with my crutch.

It might help the House if I described the circumstances in which an emergency warrant is sought. There is a very long-standing system for this. In the days before we had judicial commissioners, it was if a Minister was unavailable, and now it is if the Minister and, of course, the judicial overseers decide that a warrant sought is wrong or inappropriate, all the material is destroyed.

At the earlier stage, I said that you cannot legislate to forget, but the noble Lord, Lord Fox, has slightly twisted what I was trying to say then. Of course, if the material is destroyed because the warrant was not approved, some people will remember what they read, but it cannot be used in any way.

These occasions occur nearly always at times when people are unavailable—in the middle of the night or at weekends—when there is a brief window of opportunity where it is a matter of life and death. I can see that, on the surface, it is appealing to bring the notification time down to 24 hours, but this is not rational or consistent with the rest of the legislation that we have. For far more intrusive techniques such as planting a microphone or intercepting a communication, it is three days. That said, I know that my former colleagues will endeavour to do it as soon as possible, but over the weekend the Investigatory Powers Commissioner’s Office is not open. People are not available. They will try to do it as soon as possible, but it does not make sense to reduce the time needed in these cases of low intrusion, with datasets of no or low expectation of privacy, to require a stricter regime than for very much more intrusive techniques such as the planting of a microphone in your house.

16:00
Lord Murphy of Torfaen Portrait Lord Murphy of Torfaen (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I rise very briefly to support my noble friend Lord West in his excellent speech regarding the Intelligence and Security Committee, which I had the honour of chairing for two years some years ago. I hope that the Government take great heed of my noble friend’s words. The ISC is probably the most important oversight committee in the world, and it is certainly held in great respect by countries throughout the western world. I have never known the committee to be in any way partisan, and it consists of Members of both Houses of Parliament of great distinction. Therefore, I support what my noble friend said.

However, I also support the amendment tabled by my noble friend Lord Coaker regarding the Prime Minister. Something has gone wrong in the last few years in relations between the Government and the Intelligence and Security Committee. It would seem that the Prime Minister, whoever it might be, has not met with the ISC—as he should do—for years. Perhaps the Minister will tell us when the ISC last had a formal meeting in the Cabinet Room of No. 10 Downing Street with an incumbent Prime Minister. It is hugely important because, inevitably, the work of the ISC is secret but may need to be discussed with the Prime Minister of the day. My noble friend’s amendment puts that obligation for the Prime Minister to meet with the committee in statute. I have no doubt that the Minister will dismiss this as impractical. However, it shows the strength of feeling of Members of this House and, I am sure, of the other place, regarding the importance of the ISC, the importance of the agencies reporting to it—especially since, as a result of this Bill, the agencies will have more power—and for there being a direct link between the Prime Minister and the committee on a regular basis.

Lord Coaker Portrait Lord Coaker (Lab)
- Hansard - - - Excerpts

My Lords, I thank the Minister for his continued engagement with us on all aspects of this important Bill. I would be grateful if he could pass that on to his officials as well. I wish the noble Baroness, Lady Manningham-Buller, well with her knee, and I hope she will soon be able to make do without the crutch.

I very much support what my noble friends Lord West and Lord Murphy said about the amendments moved by my noble friend Lord West regarding the ISC. I look forward to the Minister’s response. I will come to my amendments in a moment, but it goes to the heart of what many of us have been saying—that the Intelligence and Security Committee is extremely important. Part of the problem is that, when the Minister responds to us on these points, he often says, “Don’t worry: there’s ministerial oversight”. However, what my noble friends have talked about is that this is not the same as parliamentary oversight. There is an important distinction to be made. I hope that the Minister can respond to that.

I turn to the noble Lord, Lord Fox, and his amendments. Again, we thank the Government for the communication we have had regarding Amendments 1 and 7. As I have intimated before, we support the noble Lord, Lord Fox, on his Amendments 1 and 7. With the addition of the low/no datasets authorisation and third-party data warrants to the bulk personal datasets warrants regime, and the extension of powers that this represents, it seems appropriate that additional safeguards are put in place to ensure the judicial commissioner is informed as quickly as possible of the use of these urgent warrants. Importantly, that does not change how long the judicial commissioner has to consider the warrant, and to revoke access if necessary; it is just on the importance of notification as quickly as possible. If urgent powers, as the noble Baroness, Lady Manningham-Buller, has pointed to, need to be used, nobody is suggesting that they are not used; the suggestion is that the notification to the judicial commissioner should be made as soon as possible and, with respect to the amendment of the noble Lord, Lord Fox, within 24 hours.

I turn to my Amendment 47. This amendment aims to try to get the Minister to put some of this on the record, rather than to seek to divide the House on it. Amendment 47 seeks to ensure that the Government report on the potential impact of the Bill on the requirement to maintain data adequacy decisions from the EU. The adequacy agreement is dependent on the overall landscape of UK data protections. Although the UK protections are currently considered adequate, deviations from this under this legislation could put our current status at risk. Losing this designation would have serious consequences for digitally intensive sectors, such as telecommunications and financial services as well as tech services. In his response, could the Minister provide some reassurances on this particular aspect of the legislation and say whether any specific analysis has been done on the impacts of the Bill on the data adequacy agreement?

I turn to my Amendment 5, which, just for clarity, is a probing amendment but is extremely important. The Minister will know that I have raised this point again and again on various pieces of legislation over the last year or two. To be fair, the Minister has said that he will raise it with the appropriate people, and I am sure that he has done that—I am not questioning that at all. As the noble Lord, Lord Murphy, said, and the Intelligence and Security Committee said in its report of 5 December 2023—hence my Amendment 5 to probe this—no meeting between the Prime Minister of our country and the Intelligence and Security Committee has taken place since December 2014. I am pleased that we have the noble Lord, Lord Cameron, here—not present in the Chamber now, but here within your Lordships’ House—because he was the last Prime Minister that met with the committee. I find it absolutely astonishing that that is the case.

We are informed by the committee that many invitations have been made to various Prime Ministers to attend the Intelligence and Security Committee. I do not want to go on about this—well, I will to an extent—but it is incredibly important. I cannot believe—people say that it cannot be right, and I show them the report—that it has been 10 years since a Prime Minister has gone to the body, which has been set up by Parliament to ensure there is liaison between Parliament and the intelligence and security services. Obviously, matters can be discussed in that committee. Some of those cannot be discussed in the open, but that is one way in which it is held to account.

Can the Minister explain what on earth is going on? Why is it so difficult for the Prime Minister to meet the committee? I am not intending to push this amendment to a vote, as I say, and I am sure the Minister will try to explain again, but it is simply unacceptable that the Prime Minister of this country has not met the ISC for 10 years. For the first 20 years of its existence, and my noble friend Lord West will correct me if I am wrong, I think it was an annual occurrence that the Prime Minister met the ISC—my noble friend Lord Murphy is nodding—yet that has not happened since 2014. That is unacceptable, and my Amendment 5 seeks to ask the Minister what on earth we are going to do to try to get the Prime Minister to attend. I would not have thought that was too much to ask.

Lord Sharpe of Epsom Portrait The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I have listened with interest to the points made in this debate. As noble Lords will be aware, we have considered carefully the amendments that have been debated. I place on record my thanks to the noble Lords, Lord West, Lord Coaker and Lord Fox, for their constructive engagement in the run-up to today’s debate on these issues and various others that will be debated later today.

I turn first to the topic of oversight of the new Part 7A regime containing bulk personal datasets, BPDs, where there is low or no expectation of privacy. Alongside the proportionate set of safeguards set out in Part 7A, the Bill currently provides for executive political oversight and accountability by requiring the heads of the intelligence services to provide an annual report to the Secretary of State about Part 7A datasets. The intention of the report is to ensure that there is a statutory mechanism for political oversight, given that the Secretary of State will not have a role in Part 7A authorisations. That is set out in new Section 226DA in Clause 2 of the Bill.

The Investigatory Powers Commissioner will continue to provide full, independent and robust oversight of the investigatory powers regime, including this new part. Nevertheless, the Government have listened to the points made by noble Lords and colleagues in the other place, and we understand their concerns about increasing parliamentary oversight. Government Amendment 4 therefore recognises the important role of the ISC in providing parliamentary oversight of the intelligence services. It places a statutory obligation on the Secretary of State to provide the ISC with an annual report containing information about category authorisations granted under the Act during the year. The amendment will ensure that the ISC is proactively provided with information about the operation of Part 7A on an annual basis. That will support the ISC in continuing to fulfil its scrutiny role and will enhance the valuable parliamentary oversight the committee provides.

It is appropriate for the ISC to be privy to certain information relating to Part 7A in the exercise of its functions, and that a statutory obligation be placed on the Secretary of State to provide it. This obligation is intended to be consistent with the provisions set out in the Justice and Security Act, and due regard will be had to the memorandum of understanding between the Prime Minister and the ISC when meeting it. It is likely that Amendments 2 and 3, tabled by the noble Lord, Lord West of Spithead, which would require that the report provided to the Secretary of State be also shared with the ISC, would not be in step with that. The information required by the Secretary of State to fulfil their responsibilities in respect of the intelligence services will not necessarily be the same as that which would assist the ISC in performing its functions. The report will almost certainly contain information about live operations, which is outside the scope of the ISC’s remit, as well as other information that it may not be appropriate to share with the ISC and which the Secretary of State could properly withhold from the ISC were the ISC to request it.

For that reason, we think it more appropriate that a report be written to meet the ISC’s functions that the Secretary of State will send to the ISC. This will provide the additional parliamentary oversight the committee is seeking and would be akin to the existing arrangements in place for operational purposes.

16:15
The noble Lord’s amendments would require the intelligence services to provide the same report to the Investigatory Powers Commissioner. There is no need for a requirement to share a report with the IPC. The IPC and anyone acting on his behalf already have access to all locations, documents and information necessary to carry out a thorough inspection regime.
The intelligence services are legally obliged to provide all necessary assistance to the IPC, who is required to report publicly on the findings of his inspections. It is my firm belief that the Government’s amendment offers the ISC an appropriate mechanism through which the committee will be able to understand how the regime is working, and that the insights garnered by this reporting will support the ISC in continuing to carry out its oversight functions. I hope this provides the assurance that the noble Lord, Lord West, and his fellow committee members are seeking and that they will feel able to support the Government’s alternative to his amendment.
Amendment 6, tabled by the noble Lord, Lord West, would require that the intelligence services notify the IPC that an individual dataset has been authorised in reliance on an existing category authorisation under Part 7A. This obligation would be more onerous than the requirements under the existing BPD provisions. Not only is this unnecessary, but it would also impose additional burdens on the intelligence services and IPCO, while achieving only a negligible and unnecessary increase in oversight.
The IPC already has extensive oversight of Part 7A. His judicial commissioners have a role in the authorisation process and his inspectors will carry out regular inspections of the intelligence services’ use of it. Judicial commissioners will approve every category authorisation and the authorisation of every dataset that does not fall within an existing category authorisation. Category authorisations will expire at 12 months and will then need to be renewed. That decision will also require the approval of a judicial commissioner.
On inspection, IPCO will be entitled to see all authorisations granted under Part 7A and can review the datasets retained in reliance on a category authorisation. Any irregularities or errors may be reported by the IPC in his annual report. This is the approach taken in inspections of the existing Part 7, whereby datasets authorised under class warrants are reviewed by IPCO inspectors. We consider that the overall package of safeguards in Part 7A is appropriate and proportionate to the nature of the datasets with which it is concerned. We do not see the case for adding a new, more onerous, dataset by dataset requirement here, which would not meaningfully improve oversight. I therefore respectfully ask that the noble Lord does not move his amendment today.
Amendment 5, tabled by the noble Lord, Lord Coaker, would require the Secretary of State to publish a report on the Prime Minister’s engagement with the ISC relating to investigatory powers. As I said earlier, the ISC plays an important role and the Government value the independent and robust oversight of the intelligence services and the wider intelligence community that the committee provides. The amendment we have tabled today demonstrates that. The Government keep the formal working agreement with the ISC under review. Section 93 of the National Security Act 2023, which came into force on 20 December 2023, places a requirement on the Government to consider whether the ISC’s memorandum of understanding with the Prime Minister should be altered to reflect any changes arising out of that Act.
The Government welcome the ISC’s views on how the memorandum of understanding may be updated to reflect any changes arising from the National Security Act and will formally reach out in the coming weeks. The Government are clear that the MoU review is the correct forum to discuss relevant potential changes to the agreement between the Prime Minister and the ISC.
Lord Coaker Portrait Lord Coaker (Lab)
- Hansard - - - Excerpts

I thank the Minister for giving way, because this is an extremely important point. He mentioned with respect to my Amendment 5 that somebody will formally reach out. Does that mean that the Prime Minister will formally reach out to the ISC and meet with it, so that we get a resolution to this non-meeting?

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

I cannot say whether or not that someone will be the Prime Minister at the moment.

As I said, the Government are clear that the MoU review is the correct forum to discuss relevant potential changes to the agreement between the Prime Minister and the ISC. But the Government do not believe a report of this kind is appropriate or necessary and do not support the amendment. The noble Lord, Lord Coaker, has already answered the question from the noble Lord, Lord Murphy, and all I can say from the Dispatch Box is that I will try again.

I turn to the second of the amendments from the noble Lord, Lord Coaker, Amendment 47, which would require the Government to publish a report assessing the potential impact of this legislation on the EU’s data adequacy decision. The Government are committed to maintaining their data adequacy decisions from the EU, which play a pivotal role in enabling trade and fighting crime. The Home Office worked closely with the Department for Science, Innovation and Technology when developing the proposals within this Bill to ensure that they would not adversely impact on the UK’s EU data adequacy decisions. As the European Commission has made clear, a third country is not required to have the same rules as the EU to be considered adequate. We maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood. Ultimately, the EU adequacy assessment of the UK is for the EU to decide, so the Government cannot support this amendment.

I turn to the amendments retabled by the noble Lord, Lord Fox, on urgency provisions for individual authorisations under Part 7A and third party dataset warrants under Part 7B. The Government remain opposed to these iterations of the amendments for the following reasons. Urgency provisions are found throughout the IPA and the Government’s approach is to mirror those provisions in the regimes in new Part 7A and new Part 7B. Making the proposed amendment solely for these parts would reduce consistency—as the noble Lord, Lord Fox, predicted—and ultimately risk operational confusion where there is no good reason to do so.

It will always be in the interests of the relevant intelligence service—as the noble Baroness, Lady Manningham- Buller, said; I add my comments to those of the noble Lord, Lord Coaker, about a speedy recovery—to notify a judicial commissioner of the granting of an urgent authorisation or the issuing of an urgent warrant as soon as is reasonably practicable. These urgent instruments are valid only for five working days. A judicial commissioner must review and decide whether to approve the decision to issue or grant the instrument within three working days. If the judicial commissioner refuses to approve the decision within that time, then the instrument will cease to have effect. It would be counter- intuitive for an intelligence service to make untimely notifications, as this increases the risk of the urgent authorisation or warrant timing out because the judicial commissioner is left without sufficient time to make a decision.

In an operational scenario where the urgency provisions are required, such as a threat to life or risk of serious harm, or an urgent intelligence-gathering opportunity, it may not be practical or possible for the intelligence services to ensure completion of paperwork within a 24-hour period, as the noble Baroness, Lady Manningham- Buller, explained rather more eloquently than I have done.

The intelligence services work closely with the Investigatory Powers Commissioner’s Office to ensure that the processes for reviewing decisions are timely and work for judicial commissioners. For those reasons, I ask that the noble Lord, Lord Fox, does not press his amendments.

This group also includes the two modest but worthwhile government amendments, Amendments 8 and 9. These make it clear beyond doubt that the new third party BPD regime will fall under the oversight of the Investigatory Powers Commissioner. The robust oversight that IPCO brings will ensure compliance, ensuring that robust safeguards are in place when information is examined by the intelligence services on third parties’ systems. I hope that noble Lords will welcome these amendments and support them.

Lord Butler of Brockwell Portrait Lord Butler of Brockwell (CB)
- Hansard - - - Excerpts

My Lords, as a former member of the Intelligence and Security Committee, perhaps I may say how much I endorse what has been said by the noble Lords, Lord West and Lord Murphy, and welcome many elements in the—

Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

We have had the speeches on this group and are moving to a vote. I am sorry to interrupt the noble Lord.

I thank the Minister for his comments and, indeed, the noble Baroness, Lady Manningham-Buller. My interpretation—perhaps I am wrong—of the nature of this Bill was that it was to introduce a new class of data and to deal with it. It was not to reach back into existing law and change it. The noble Baroness raised some important points about why I should have been concerned about the other data, which I did not reach back into. I am happy to advise my colleagues in the Commons and perhaps they can do that, too. However, taking on face value the nature of what we were seeking to achieve today, we looked at this data and came up with this conclusion. We have heard the arguments, but I am afraid that I am not persuaded by them and I would like to test the will of the House.

16:24

Division 1

Ayes: 201


Labour: 119
Liberal Democrat: 61
Crossbench: 15
Non-affiliated: 3
Green Party: 2
Plaid Cymru: 1

Noes: 227


Conservative: 185
Crossbench: 32
Democratic Unionist Party: 4
Non-affiliated: 3
Ulster Unionist Party: 2
Labour: 1

16:36
Amendments 2 and 3 not moved.
Amendment 4
Moved by
4: Clause 2, page 11, line 16, at end insert—
“226DAA Report to Intelligence and Security Committee(1) The Secretary of State must for each relevant period provide to the Intelligence and Security Committee of Parliament a report setting out information about category authorisations and renewals of category authorisations granted in that period.(2) In subsection (1) “relevant period” means—(a) a period of at least one year and no more than two years beginning with the date on which this Part comes fully into force, and(b) subsequent periods of no more than one year, beginning with the end of the period to which the previous report related.(3) Each report must be provided to the Committee as soon as reasonably practicable after the end of the period to which the report relates.”Member’s explanatory statement
This amendment requires the Secretary of State to provide to the Intelligence and Security Committee of Parliament reports about category authorisations and renewals of such authorisations under new Part 7A of the Investigatory Powers Act 2016.
Amendment 4 agreed.
Amendments 5 and 6 not moved.
Clause 5: Third party bulk personal datasets
Amendment 7 not moved.
Clause 6: Minor and consequential amendments
Amendments 8 and 9
Moved by
8: Clause 6, page 25, line 15, leave out “and (3)” and insert “to (3A)”
Member’s explanatory statement
This amendment is consequential on the amendment in the name of Lord Sharpe of Epsom at page 25, line 30.
9: Clause 6, page 25, line 30, at end insert—
“(3A) In section 229 (main oversight functions), in subsection (9), in the definition of “bulk personal dataset”, after “199” insert “(and includes a third party bulk personal dataset (see section 226E))”.”Member’s explanatory statement
This amendment clarifies that the Investigatory Powers Commissioner’s oversight functions include, amongst other things, keeping under review the use of third party bulk personal datasets by an intelligence service.
Amendments 8 and 9 agreed.
Clause 8: Delegation of functions
Amendment 10
Moved by
10: Clause 8, page 27, line 14, at end insert—
“(aa) deciding under section 90(11) or 257(10) whether to approve a decision of the Secretary of State,”Member’s explanatory statement
This amendment provides that the function of the Investigatory Powers Commissioner (“IPC”) of deciding, under section 90(11) or 257(10) of the Investigatory Powers Act 2016 (review of notices), whether to approve decisions may be delegated to a Deputy IPC only where the IPC is unable or unavailable to exercise the function.
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

My Lords, I will speak to the government amendments in this group, Amendments 10 to 14.

The Investigatory Powers Act contains world-leading oversight arrangements and safeguards that apply to the use of investigatory powers. The Bill strengthens these to ensure that the oversight regime is resilient and that the Investigatory Powers Commissioner is able to carry out his functions effectively. These government amendments are designed to maintain this approach, and to tighten the drafting in certain areas to ensure that the scope of the measures in Part 3, in respect of communications data, cannot be interpreted more broadly than is intended.

I will start with government Amendment 12, which will ensure that there is clarity for telecommunications operators regarding their obligations to report personal data breaches relating to warrants issued under the IPA. The proposed new clause will also make provision for such breaches to be reported to the Information Commissioner and the Investigatory Powers Commissioner. This amendment will also ensure that the Investigatory Powers Commissioner has the ability to notify an individual affected by the personal data breach, if it is deemed to be in the public interest to do so and if the Information Commissioner considers the breach to be serious. Such a notification will inform an individual of any rights that they may have to apply to a court or tribunal in relation to the breach. This important amendment will bring much-needed clarity in respect of how personal data breaches committed by tele- communications operators are regulated, and ensure that there is a clear statutory basis for the Information Commissioner and the Investigatory Powers Commissioner to be notified of certain personal data breaches.

I move on to government Amendments 10 and 11. Amendment 11 adds Scottish Ministers to the list of parties, at Clause 9(5), who are to be notified by the Investigatory Powers Commissioner of the appointment of a temporary judicial commissioner. This must be as soon as practicable after any temporary judicial commissioner has been appointed. This will ensure that Scottish Ministers are kept abreast of crucial developments in the investigatory powers oversight regime. A similar requirement already exists in the Bill, which requires the IPC to notify certain persons, including the Secretary of State and the Lord President of the Court of Session, of an appointment of a temporary judicial commissioner.

Government Amendment 10 to Clause 8 allows the Investigatory Powers Commissioner to delegate to deputy Investigatory Powers Commissioners the power to approve decisions following the review of a notice. This brings this function in line with the commissioner’s other functions in the Act with regards to delegation and, as with those powers, allows for delegation in only when the commissioner is unavailable or unable.

I turn now to government Amendments 13 and 14, both of which concern communications data, which I will refer to as CD. Government Amendment 13 clarifies the extent of Clause 11 to ensure that its scope is not wider than intended. Section 11 of the IPA creates the offence of acquiring CD from a telecommunications operator without lawful authority. Clause 11 seeks to carve out from the scope of Section 11 the sharing of CD between public authorities, where one of those authorities was a telecommunications operator.

This amendment to Clause 11 ensures that the public authority carve-out from the Section 11 IPA offence of acquiring CD without lawful authority does not go wider than intended. The new definition is based on the definition of public authority in the Procurement Act 2023. The previous definition was based on the definition of public authority in the Human Rights Act 1998. This latter definition could, in some circumstances, have created doubt over whether it included certain private sector telecommunications operators.

This amendment removes that doubt and clarifies that the public authority carve-out will apply only to telecommunications operators wholly or mainly funded by public funds—in other words, they are public authorities themselves. The IPA was designed to ensure that the acquisition of CD from private sector tele- communications operators for the statutory purposes set out in the Act was subject to independent oversight to safeguard against abuse. This amendment maintains this important safeguard in relation to private sector telecommunications operators.

I turn to government Amendment 14. It is critical that the legislation is absolutely clear on what constitutes CD and the lawful basis for its acquisition. Without this clarity, we risk placing CD that is crucial to investigators out of their reach. Government Amendment 14 therefore seeks to clarify that subscriber data used to identify an entity will be classed as CD.

This amendment is necessary as the existing Act creates a carve-out in the definition of CD to ensure that the content of a communication cannot be acquired under a Part 3 acquisition request. This reflects Parliament’s view during the initial passage of the IPA 2016 that the content of a communication is inherently more sensitive than the underpinning metadata: the “who”, “where”, “when”, “how” and “with whom” of a communication. Clause 12 amends the definition of CD in Section 261 of the Act to exclude certain types of data from the carve-out of content from the definition of CD. The effect of this is to include those data types within the definition of CD.

Government Amendment 14 restricts the effect of Clause 12 to ensure that it is not overly broad and cannot be applied to bring unintended, inappropriate types of data within the definition of CD. For example, the amendment will put beyond doubt that the content of recorded calls to contact centres or voicemails is not in scope of the amended CD definition and will not be accessible with an authorisation under Part 3 of the Act. The amendment to Section 261 does not affect the oversight function of the Investigatory Powers Commissioner’s Office, which continues to inspect and highlight any errors and provide prior independent authorisation for the acquisition of CD in most cases.

I hope I have convinced noble Lords of the necessity of these government amendments; I ask that they support them. I also hope that these amendments provide reassurance to noble Lords, ahead of the debate on this group, of the Government’s commitment to ensuring that the clauses in Part 3 are drafted as tightly as possible and with a proportionately narrow scope.

16:45
Lord Anderson of Ipswich Portrait Lord Anderson of Ipswich (CB)
- View Speech - Hansard - - - Excerpts

My Lords, I know that the noble Lord, Lord West, will want to speak to his own amendments, but, perhaps for the sake of good order, I could comment relatively briefly on government Amendment 14 before he does so.

I entirely accept what is said in the explanatory statement, that the amendment is intended to ensure that “unwanted cases” are not brought

“within the definition of ‘communications data’ in section 261 of the Investigatory Powers Act 2016”.

That is a good objective, and I applaud the sentiment behind it. I also accept that the amendment may well be an improvement on the original Clause 12. My concern is that the wording used at the end of the amendment may inadvertently leave that definition broader than it should be, putting within the definition of “communications data” material that should plainly be classed as content.

Proposed new subsection 5B(b) is intended to limit the categories of content defined in new paragraph (a) which are classed as “relevant subscriber data” and thus as communications data. Instead of defining subscriber data tightly, by reference to information identifying an entity or the location of an entity, which would be reasonable, the limiting words in new paragraph (b) provide, more loosely, that it should be

“about an entity to which that telecommunications service is … provided”.

That is a wide formulation indeed if you apply it to something such as Facebook or an online dating site. The information that customers may be required to provide to initiate or maintain their access to such services is likely to be very much broader than simply who and where they are. For example, I have it on the best authority that, in the case of a dating site, this information may, for example, include a full online dating profile, which sounds very like content to me. It would be most unfortunate if the wording of new paragraph (b) were to result in an interpretation of this clause—for example, by police reading it in good faith—than was far broader than was intended.

I offer more than the conventional gratitude to the Bill team, who have engaged with me intensively on this issue in an extremely short timescale. It is too late to seek an amendment to Amendment 14, but the Minister would help us and law enforcement out if he could confirm, perhaps in response to this intervention or in his own time, that the aim of Clause 12 in its amended form is to class as communications data only information which is truly needed to obtain or maintain access to a telecommunications service—traditional subscriber data such as name, location and bank details—and that there is no intention to cover information provided as part of using the service, such as the online dating profile that you might be asked to fill out to operate or fully activate an account.

Lord West of Spithead Portrait Lord West of Spithead (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, I rise to speak to Amendments 15 to 20. In Committee, I moved amendments seeking to remove Clause 13 and its associated schedule. This was to retain the current arrangements, which wisely restrict a number of public authorities from being able to compel the disclosure of communications data from telecommunications operations. Parliament restricted this power in the original legislation because it considered it to be potentially very intrusive.

What this means is that, at present, authorities such as the Environment Agency or the Health and Safety Executive are required to take further procedural steps to compel disclosure of communications data. They must obtain an authorisation under the current IPA, a court order or other judicial authorisation, or under regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as the secondary data as part of a valid interception or equipment interference warrant.

The Bill seeks to remove that requirement for further procedural steps in relation to a wide range of public regulatory authorities. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data and a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions in a way that was not anticipated at the time of the original legislation.

These organisations have argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function which would collect communications data as part of their lawful function but are restricted under the current Act if their collection is not in service of a criminal investigation; in particular, the changes focused on improving the position of certain public authorities responsible for tax and financial regulation, the powers of which were removed in 2018 as a result of rulings by the European Court of Justice. The ISC recognises that such bodies much be able to perform their statutory function effectively; however, we have been told that the Bill delivers only the urgent, targeted changes needed, and we have not thus far been presented with the case for that.

This was a highly scrutinised issue during the passage of the original Act. Parliament rightly ensured that the power to gather communications data was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. We should not lightly brush that aside.

There have been a number of reported incidents of the intrusive use of investigatory powers by local councils and other public authorities for purposes that are subsequently deemed neither necessary nor proportionate; for example, things such as dog mess. The Minister said in Committee that the clause

“applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions”.

Yet in response to my question on which bodies would see their powers restored, he said that

“it is not possible to say with certainty how many public authorities have some form of regulatory responsibilities for which they may require data that would now meet the definition of ‘communications data’”.—[Official Report, 11/12/23; col. 1759.]

How can it be right to expect Parliament to reintroduce sweeping powers for a wide range of public bodies when a previous Parliament deemed that that was too intrusive—and when we cannot even be told which bodies they will be? Noble Lords will need to be sufficiently satisfied that these powers are to be given to bodies that cannot function without them; this cannot be a case of just giving powers back by default. I urge the Minister to consider this further. As it stands, we have not been given the information, or a convincing case, to persuade Parliament of the need for such a complete about-turn. The ISC will continue to pursue this amendment unless robust assurance can be provided that these powers will be restored in a sufficiently limited and targeted way.

Amendment 17 and its two consequential amendments seek to remove the ability of the agencies to internally authorise the use of this new, broader power to obtain internet connection records for target discovery. My amendment would require the agencies to seek approval from IPCO, thereby ensuring proper oversight. As I noted in Committee, Clause 14 creates a new, broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position because it removes the current requirement that the exact service used, and the precise time of use, be known. Under these new provisions, the agencies will be able to obtain ICRs to identify which person or apparatus used internet services in a period of time—a far broader formulation that will capture a far broader number of individuals.

As I also noted previously, the ISC agrees with broadening the power; what it does not agree with is that there is no oversight of it. The principle remains that increased powers must mean increased oversight. This new, expanded power is potentially very intrusive: it allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time, and they could therefore potentially intrude on a large number of innocent people who would not have been captured previously.

It is essential in a democracy that there are appropriate safeguards on such powers, but in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded, broader power internally. They make the assessment as to whether it is necessary and proportionate; there is no independent oversight of the agencies’ assessment. The Minister argued in Committee that the ISC amendment inserts a disproportionate limitation on the agencies’ ability to use condition D, as the Government

“do not assess that the new condition creates a significantly higher level of intrusion”.—[Official Report, 11/12/23; col. 1761.]

With respect, the ISC not only disagrees with this assessment but finds it incomprehensible. This is about depth and breadth. The new condition D may not represent a new depth of intrusion as ICR requests under the new regime will still return the same type of information, but it certainly represents a much wider breadth of intrusion as a far greater number of innocent internet users’ details will be scooped up by these ICR requests.

The Government may argue that, because those individuals’ details will not be retained once they have been checked and found not to be of intelligence interest, this is therefore not an intrusive power. Again, with respect, this is not an answer that Parliament or indeed the public can or should be satisfied with. I doubt any individual would feel that their privacy had not been intruded on if they had been scooped up just because they had not been retained, particularly when the retention of details is currently contingent entirely on the judgment of the agencies themselves, with no external input on whether the judgment is proportionate. The ISC very firmly believes that the new condition is more intrusive, and therefore greater oversight is required to ensure the power is always used appropriately.

Oversight will act as a counterbalance to the intelligence community’s intrusive powers and provide vital assurance to Parliament and the public. This amendment and my two linked amendments therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO to authorise the obtaining of ICRs under this new, broader power. This strikes the right balance between security and privacy and minimises any burden on the agencies.

I move on to Amendment 18 in relation to the new same broader target discovery power in Clause 14. This amendment is to limit the purposes for which this new power would be used. As I outlined previously, target discovery has the potential to be a great deal more intrusive than target development as it will inevitably scoop up information of many who are of no intelligence interest. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, that the power is tightly drawn and limited, and is properly overseen.

The ISC agrees with the noble Lord, Lord Anderson, who, in his excellent report reviewing the Government’s proposal for this Bill, supported the need for this change. The ISC has considered the classified evidence and recognises that due to technological changes the current power is less useful than envisaged due to the absolute precision it requires. However, as this House also recognised, Parliament deliberately imposed a high bar for authorising obtaining internet connection records, given their potential intrusiveness.

The noble Lord, Lord Anderson, also recommended, therefore, that the purposes for which this new broader target discovery power could be used be limited to national security and serious crime only, and that use of it should be limited to the intelligence community. However, the Bill as drafted departs from his recommendations in both respects. Not only does it include the National Crime Agency as well as the intelligence community, but it allows the intelligence community to use the new, broader target discovery power for a third, far less-defined purpose of:

“the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security”.

In Committee, the Government argued that this decision had been taken because it is consistent with the statutory functions of the agencies and Article 8 of the European Convention on Human Rights. That is, of course, true. It is consistent, but that is not an argument in favour of simply transporting it here. Not every intrusive power should be available for every purpose that the security services have. Given the potential intrusiveness of this new power, it must be constrained appropriately and the purposes for which it can be used must be crystal clear.

However, what is not yet at all clear is exactly what critical work must be enabled under the umbrella of “economic well-being” as it relates to “national security” which is not already captured under the straightforward national security category. It must be clear exactly what harm would occur if this purpose were not included in the Bill. At the moment, the addition of “economic well-being” serves only to blur the lines between what an ICR can or cannot be used for, something which Parliament should not accept. Therefore, in addition to requiring independent judicial oversight, which is the subject of a separate amendment, this amendment seeks to prevent the agencies from using this newly expanded power for the purposes of economic well-being relating to national security. This will ensure that the rather vague concept of economic well-being is not being used as a catch-all justification for the exercise of these powers.

The agencies will of course still be able to use this power in relation to national security more broadly, and in urgent cases of serious crime. This is proportionate and indeed more in line with the recommendations of the noble Lord, Lord Anderson. Unless the Minister can provide the House with information as to exactly why it is critical to retain economic well-being for the use of these specific powers, not the agency’s powers more broadly, I urge noble Lords to support my amendment and strike this from the Bill.

17:00
Lord Fox Portrait Lord Fox (LD)
- View Speech - Hansard - - - Excerpts

I shall be brief. Not for the first time, your Lordships are in debt to the noble Lord, Lord Anderson, for intervening on an issue that I think all of us failed to note. His request of the Minister is helpful, and I hope the Minister will be able to respond. There is an alternative process which I could suggest to the Minister—I have not had a chance to talk to the noble Lord, Lord Coaker, about this. If the Minister wanted to withdraw this amendment and bring it back at Third Reading, which is applicable in certain circumstances. I am sure we would be very flexible in permitting that as well.

Lord Ponsonby of Shulbrede Portrait Lord Ponsonby of Shulbrede (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, we support the introduction of the Government’s amendments. I echo what the noble Lord, Lord Fox, said about the amendment in the name of the noble Lord, Lord Anderson, and I look forward to the Government’s response on that point.

I would also be interested to hear what the Government have to say about my noble friend Lord West’s amendments. He has taken a keen interest in this part of the Bill, and I hope the Government will be able to answer the questions, in particular on data disclosure powers, as I think they can give a more detailed response to the expansion of disclosure powers to regulatory bodies than was given in the original legislation. It is also very likely to be further analysed and looked at as the Bill moves down to the other end of the Corridor. Nevertheless, we support the amendments as they are currently.

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.

As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.

Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.

Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.

In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.

These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.

Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.

The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.

I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.

Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.

Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.

I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.

The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.

The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.

As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.

Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.

I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For examples, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infra- structure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.

I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.

In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.

As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.

17:15
Introducing a different approvals process solely for condition D applications that require judicial commissioner approval is unnecessary, unhelpful and unwarranted. A consistent approach to the authorisation of these applications has real value, encouraging efficiency and compliance. The amendment would simply increase the complexity of the regime and increase the risk of errors occurring because of the different approval approaches for otherwise very similar techniques. In this context, I again remind noble Lords that in IPCO’s most recent annual report published in 2023, it found that both GCHQ and MI5’s CD acquisition processes were
“working to a high standard … and were supported by strong internal governance procedures”.
The regime and its oversight are working. The amendment would make the regime more complicated and less flexible.
In addition to this assurance, it may be helpful if I detail the legal history for this arrangement. In 2022, the High Court held that applications from the intelligence services which related solely to serious crime had to receive independent authorisation, other than in urgent circumstances, on the same basis as those from law enforcement, which is why such applications now go to the Office for Communications Data Authorisations. The situation is different for national security cases, including economic well-being cases which must be relevant to national security, both because of the more sensitive context of national security and because of the different treatment provided to national security by retained EU law.
Noble Lords may also wish to note that Amendment 19, which would remove condition D2, would prevent any urgent requests for an internal authorisation being made by the NCA or the intelligence agencies for condition D ICRs. There again, not even EU law prevented internal authorisation for urgent CD requests.
To summarise, it is essential that the intelligence agencies and the NCA can self- authorise condition D ICR applications in urgent circumstances. Requiring the intelligence agencies to seek authorisation from the Investigatory Powers Commissioner for condition D is inconsistent with all other national security CD authorisations. It would add administrative burdens to those agencies and increase the risk of errors because of the inconsistency with other CD requirements, despite the very similar techniques and levels of intrusion involved in condition D when compared to conditions A to C. Finally, it would achieve nothing significant that is not already available in terms of oversight, because the IPC can already inspect the agencies’ use of CD. I therefore respectfully suggest that Amendments 17, 19 and 20 should not be moved.
I promise that I am getting to the end and I apologise for the length of my speech, but this is important and requires significant detail. I now address Amendment 18, also tabled by the noble Lord, Lord West of Spithead, which seeks to remove
“the economic well-being of the United Kingdom”
as a lawful purpose under condition D. The use of the economic well-being of the UK as a justification is permitted only in so far as those interests are also relevant to the interests of national security.
My understanding of the reasoning of the noble Lord, Lord West, for amendment 18 is that the economic well-being of the UK when relevant to national security is already included within the purpose of national security, and it is therefore unnecessary to specify it separately in relation to condition D. If that were the case, there would have been no reason for Parliament to specify economic well-being separately in the IPA or in the intelligence agencies’ foundational Acts or other Acts which relate to those agencies.
If this amendment removes “economic well-being” as a statutory purpose for condition D on the belief that it is already included within national security, the ICR conditions A to C will all refer to economic well-being, while condition D will not. The obvious implication from this is that Parliament deliberately left out “economic well-being” from condition D, so it is not available as a statutory purpose. It would be unwise to rely on Pepper v Hart to provide the clarity missing from the legislation that would be caused by Amendment 18.
At these times of heightened state threats, it is entirely sensible and prudent to include economic well- being as a statutory purpose of the use of condition D. Its inclusion is necessary, given that there are countries in the world which strive to harm the UK’s economic well-being in their desire to achieve increased geopolitical influence or dominance. The Government therefore believe that it is not in the wider public interest to remove this provision.
For example, noble Lords may be aware of the National Security and Investment Act 2021, which was made necessary to protect critical industries and enterprises from being controlled by those who would do our country and our democracy harm. The use of ICRs could help to support the necessary investigatory work that supports actions and decisions taken under that Act to safeguard the United Kingdom’s open business system. Amendment 18 would be an act of national self-harm because it would prevent a potentially useful capability in condition D being used to protect the economic well-being of the United Kingdom from attack by our adversaries.
Finally, because economic well-being is a permissible ground only in so far as it is also relevant to the interests of national security, drawing clear lines between cases which fall under the core national security ground and those which fall under the economic well-being ground can be difficult. This amendment would therefore add to legal uncertainty.
I hope that this rather lengthy explanation provides noble Lords with reassurance on why this provision and others have been included and the amendments are unnecessary.
Amendment 10 agreed.
Clause 9: Temporary Judicial Commissioners
Amendment 11 agreed.
Amendment 12 agreed.
Clause 11: Offence of unlawfully obtaining communications data
Amendment 13 agreed.
Clause 12: Meaning of “communications data”: subscriber details
Amendment 14 agreed.
Clause 13: Powers to obtain communications data
Amendment 15 not moved.
The Schedule
Amendment 16 not moved.
Clause 14: Internet connection records
Amendments 17 to 20 not moved.
Clause 16: Extra-territorial enforcement of retention notices etc
Amendment 21
Moved by
21: Clause 16, page 34, line 29, leave out from “insert” to end of line 30 and insert ““(where the requirement or restriction applies to a person within the United Kingdom)”.”
Member's explanatory statement
This amendment specifies that enforcement of retention notices applies only to UK recipients of such notices.
Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

My Lords, I will move Amendment 21 and speak to the other amendments in this group in my name.

Amendment 21 specifies that the enforcement of retention notices applies only to UK recipients of such notices. It is one of a suite of amendments in this group that return to the issue of extra-territoriality— I see the Minister blow out his cheeks at the prospect. Amendments 22, 25, 28 and 31 are similarly directed and each largely seeks to limit extra-territoriality by ensuring that operators can make changes to their services for users outside UK jurisdiction.

The reason for tabling the amendments, the others of which I will not move, is that there remains a huge gulf of understanding between the tech companies and the Government when it comes to the interpretation of the Bill with respect to its territorial reach. I am again presenting the Minister with a golden opportunity to set out in clear language the territorial ambitions that the Government have for this Bill. I believe there is some element of miscommunication going on here, though I am not sure in which direction. I hope that the Minister can dispel that.

Clearly, we have international tech companies that are incorporated in another country with subsidiaries all around the world and data residing in many different domains—companies that offer services to customers all over the world. In essence, we need to understand what would happen as a result of this Bill if such a business proposed to change a global service that is used by consumers all over the world, including in the UK. How do the Government use this Bill to deal with such situations? I am looking forward to the response.

Amendments 23, 24, 29 and 30 would raise the threshold for calling in a change from “negative effect” to “substantially limit”. Again, this increases the bar before the Government can start the process. Negative effect is a very low bar which will catch almost everything. It is not in the interests of the authorities to have everything coming through. There needs to be some sense of funnel. This is an opportunity for the Minister to define what negative effect is and what it is not, because it is a very low bar. He would be wise to take our advice and look at the language there, certainly when it comes to the code coming later.

Moving on, my Amendment 27 is a retread of an amendment I tabled in Committee, and it was there as a placeholder. I am pleased to see that it is unnecessary, as government Amendments 26 and 32 very much embrace the spirit of what I was seeking to achieve in that amendment. I thank the Minister for responding, and therefore will not be speaking to or indeed moving Amendment 27.

I now turn to Amendment 35. Currently, while there is a requirement for the Secretary of State to consult the operator before giving notice, there is no requirement on the Secretary of State to consult ahead of making regulations that will specify what “relevant change” includes, and therefore what needs to be notified. My Amendment 35 therefore introduces a requirement for pre-legislative consultation on the definition of “relevant change”. The amendment specifies that the Secretary of State must consult the Technical Advisory Board. There is a precedent for consultation with this board in Section 253(6) of the 2016 Act. As your Lordships know, the Technical Advisory Board is comprised of independent and industry representatives; the amendment also specifies a wider range of consultees.

The amendment then requires the Secretary of State to have regard to the impact on users, including on their privacy and on operators’ ability to innovate. Again, there is precedent for this in the 2016 Act. Such considerations must be taken into account when a public authority is deciding whether to issue a TCN or NSN, or where a judicial commissioner approves a DRN. As such, we feel it is worth while also to consider these factors when legislating for a “relevant change”, because delaying a critical security update could negatively impact users and operators. In a sense, all we are asking for is consultation. We are not asking to change the law, and this gives the Government a power to abide by that consultation or not. But we feel that this is an important definition, and it needs to be more widely consulted on.

I hope the Minister will agree, but in the event that he declines, I will be moving Amendment 35. I beg to move Amendment 21.

Lord Ponsonby of Shulbrede Portrait Lord Ponsonby of Shulbrede (Lab)
- View Speech - Hansard - - - Excerpts

My Lords, we have had much welcome interaction from stakeholders on the issues summarised in this group, as well as some useful briefings from the Home Office and the noble Lord’s team, for which we are grateful.

As the noble Lord, Lord Fox, has just said, there appears to be a gulf in both position and understanding between the Government and the tech companies, both on the principle of the notice and its details, which is, in a sense, frustrating scrutiny of the Bill. I understand that there is a disagreement about the introduction of notification notices in general. It is right that we look at the details to ensure that the process takes place in a way that reflects the realities of international law, and the need of the intelligence services to maintain levels of data access and the necessary safeguards.

Concerns raised by stakeholders keep striking at the same places: how this notice would work with access agreements with other countries; why there is no double lock on the notification notice, despite the clear impact it would have on tech companies’ activities; and why the definition of telecoms operator is perhaps in reality wider than the Government intend.

We will not be supporting Amendment 35, in the name of the noble Lord, Lord Fox, although we understand the intent behind it. We encourage the Government to keep talking to stakeholders, and we believe that this part of the Bill will benefit from further discussion in the other place.

17:30
Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- View Speech - Hansard - - - Excerpts

My Lords, I thank the noble Lords, Lord Ponsonby and Lord Fox, for their remarks in this debate. I reassure the noble Lord, Lord Fox, that any cheek-blowing he witnessed was more a reflection of the previous marathon speech than a reflection on his amendments.

Amendment 21, moved by the noble Lord, Lord Fox, would require that the enforcement of data retention notices—DRNs—would apply only to UK recipients of those notices. DRNs and technical capability notices—TCNs—can be given to a person overseas, but only TCNs are currently enforceable overseas. Clause 16 seeks to amend Sections 95 and 97 of the IPA to allow the extraterritorial enforcement of DRNs in order to strengthen operational agility when addressing emerging technology, bringing them in line with TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence agencies need to access the communications data they need to, in the interests of national security and to tackle serious crime.

The Government therefore oppose Amendment 21 as it goes fundamentally against what the Government are seeking to achieve through Clause 16 and would not provide any additional clarity to telecommunications operators. As DRNs are already enforceable against UK recipients, there is no need to re-emphasise that in the Bill.

I turn to the amendments to Clause 17 concerning the notice review period. This clause is vital to ensure that operators do not make changes that would negatively impact existing lawful access while a notice is being comprehensively reviewed. Maintaining lawful access is critical to safeguard public safety, enabling law enforcement and the intelligence community to continue protecting citizens during the review period.

Let me be clear: operators will not be required to make changes during the review period to specifically comply with the notice. Rather, under Clause 17 they will be required to maintain the status quo so that law enforcement and intelligence agencies do not lose access to any data that they would have been able to access previously. The review process is an important safeguard, and that right of appeal will remain available to companies.

On Amendment 27, tabled by the noble Lord, Lord Fox, the Government have noted the strength of feeling from parliamentarians and industry regarding the current uncertainty over the timeframe for conducting a review of a notice. We have therefore tabled Amendments 26, 32 and 33 to Clause 17 to address that uncertainty and provide further clarity and assurances regarding the notice review process.

The existing powers within Sections 90 and 257 of the IPA do not give the Secretary of State the power to specify in regulations the time period within which a review of a notice must be completed. The Government are therefore introducing a new regulation-making power to enable the Secretary of State to specify in regulations the length of time the Secretary of State can take to reach a decision on the review of a notice upon receipt of the report by the judicial commissioner and the Technical Advisory Board, and the overall length of time that a review can take.

The amendments will also make provision for a judicial commissioner to issue directions to the Secretary of State and the person seeking the review, as they see fit, to ensure the effective management of the review process. That will give the judicial commissioner the power to issue directions to both parties, specifying the time period for providing their evidence or making representations, and the power to disregard any submissions outside those timelines. These amendments will provide operators the certainty they require regarding how long a review of a notice can last, and therefore how long the status quo must be maintained under Clause 17. They will also provide further clarity on the process and management of that review.

Specifying timelines will require an amendment to the existing regulations concerning the review of notices. The Government commit to holding a full public consultation before the amendment of those regulations and the laying of new regulations relating to Clause 20, which provides for the introduction of the notification notices. Representations received in response will be considered and used to inform both sets of regulations, which we have clarified in the Bill are subject to the affirmative procedure.

Amendment 35, tabled by the noble Lord, Lord Fox, seeks to specify in statute who the Secretary of State must consult before laying regulations relating to Clause 20 and the introduction of notification notices, and the factors that the Secretary of State must have regard to when making those regulations. I hope the commitment that I have just made to hold a full public consultation provides the necessary reassurance to the noble Lord that all relevant persons will be consulted before making the regulations, and that he will agree that is it unnecessarily prescriptive, and potentially restrictive, to put such details in the Bill.

Amendments 22, 25, 28 and 31, also tabled by the noble Lord, Lord Fox, seek to limit the extraterritoriality of Clause 17 and ensure that operators can make changes to their services and systems for users in other jurisdictions during a review. To be clear, the Bill as currently drafted means that companies can make changes to their services during a review. They could choose to roll out new technologies and services while the review is ongoing, including in other jurisdictions, so long as lawful access is built into them as required to maintain the status quo. Furthermore, the status quo will apply only to whichever of their systems and services are covered by the notice in question. Naturally, anything outside the scope of the notice is unaffected by the requirement. I also emphasise that the control of telecommunications systems used to provide telecommunications services in the UK does not stop at borders, and it is highly likely that any such arbitrary geographical limitations would in fact be unworkable in practice.

Amendments 23, 24 and 29 seek to raise the threshold with regard to relevant changes that an operator must not make during a review period to a change that would “substantially limit” their ability to maintain lawful access. This would not make the position any clearer as “substantially” is a subjective test. Moreover, it would constrain Clause 17 in a way that would fundamentally prevent it from achieving its objectives: to ensure that the same level of lawful access available before the notice was issued is maintained during a review period.

Lawful access provides critical data to law enforcement and intelligence agencies. Constraining access to data that was previously available, in a limited capacity or substantially, may seriously undermine investigations and the ability to protect our citizens. It is therefore vital that the status quo is maintained during the review period. It would also be difficult to define “substantially limit” without referring to a “negative effect on” a capability.

Amendments 36 to 38 to Clause 20, also spoken to by the noble Lord, Lord Fox, seek to raise the threshold and provide more proportionality. As I have emphasised on every occasion we have debated the Bill, necessity and proportionality constitute a critical safeguard that underpins the IPA. Authorisations are approved by an independent body and all warrants and notices must be approved by a judicial commissioner. There is considerable oversight of authorisations, meaning that the threshold is already high. Necessity and proportionality justifications are considered for every request for a notice, warrant or authorisation and, by extension, whether it is reasonable to issue that request to the operator. Once operators are in receipt of such a request, they are required to provide assistance. The proposed amendments are therefore not required.

Finally, government Amendment 34 is a consequential amendment necessitated by the introduction of Clause 19, which amends the functions of a judicial commissioner to include whether to approve the renewal of certain notices.

I am grateful to all noble Lords who have spoken in this debate—

Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

Before the Minister sits down, winding back to the point about territoriality, he spoke of national boundaries as being arbitrary. It would help me to understand what kind of activity the Government envisage reaching across those boundaries, which he refers to as arbitrary; in other words, what would the Government be seeking to do extraterritorially?

Lord Sharpe of Epsom Portrait Lord Sharpe of Epsom (Con)
- Hansard - - - Excerpts

If it would help, I am happy to write to the noble Lord with some sensible and practical scenarios because I do not think it is appropriate to make them up at the Dispatch Box, if that is acceptable.

I was just about to thank the noble Lord for the time he has taken to talk me through his concerns ahead of Report and at various other stages of the Bill on various other issues. However, I hope that I have provided reassurances through my comments at the Dispatch Box and the government amendments that we have tabled. I therefore invite the House to support these amendments and invite the noble Lord to withdraw Amendment 21 and not move the others he has tabled.

Lord Fox Portrait Lord Fox (LD)
- Hansard - - - Excerpts

I beg leave to withdraw the amendment.

Amendment 21 withdrawn.
Amendments 22 to 25 not moved.
Amendment 26
Moved by
26: Clause 17, page 35, line 18, at end insert—
“(b) in subsection (5)—(i) after “must” insert “, before the end of the review period,”;(ii) after “(1)” insert “(and accordingly decide what action to take under subsection (10))”;(c) after subsection (5) insert—“(5A) In subsection (5) “the review period” means—(a) such period as may be provided for by regulations made by the Secretary of State, or(b) if that period is extended by the Secretary of State in accordance with the regulations (see subsection (14)), such extended period.”(d) after subsection (9) insert—“(9A) The Commissioner may give a direction to the operator concerned or the Secretary of State specifying the period within which the operator or the Secretary of State (as the case may be) may provide evidence, or make representations, in accordance with subsection (9)(a).(9B) If the Commissioner gives such a direction to the operator or the Secretary of State, the Board and the Commissioner are not required to take into account any evidence provided, or representations made, by the operator or the Secretary of State (as the case may be) after the end of that period.”;(e) in subsection (10)—(i) for “may” substitute “must”;(ii) after “Commissioner” insert “but before the end of the relevant period, decide whether to”;(f) after subsection (11) insert—“(11A) In subsection (10) “the relevant period” means—(a) such period as may be provided for by regulations made by the Secretary of State, or (b) if that period is extended by the Secretary of State in accordance with the regulations (see subsection (15)), such extended period.”(g) after subsection (13) insert—“(14) Regulations under subsection (5A)(a) may include provision enabling any period provided for by the regulations to be extended by the Secretary of State where the extension is agreed by the Secretary of State, the telecommunications operator concerned and a Judicial Commissioner.(15) Regulations under subsection (11A)(a) may include provision enabling any period provided for by the regulations to be extended by the Secretary of State—(a) where the Secretary of State considers that there are exceptional circumstances that justify the extension, or(b) in any other circumstances specified in the regulations.(16) Where regulations under subsection (11A)(a) include provision mentioned in subsection (15), the regulations must also include provision requiring the Secretary of State to notify a Judicial Commissioner and the telecommunications operator concerned of the duration of any extended period.””Member's explanatory statement
This amendment enables the Secretary of State to make regulations, and a Judicial Commissioner to give a direction, setting time limits in connection with reviews carried out under section 90 of the Investigatory Powers Act 2016 (review of retention notices).
Amendment 26 agreed.
Amendments 27 to 31 not moved.
Amendments 32 and 33
Moved by
32: Clause 17, page 35, line 41, at end insert—
“(b) in subsection (4)—(i) after “must” insert “, before the end of the review period,”;(ii) after “(1)” insert “(and accordingly decide what action to take under subsection (9))”;(c) after subsection (4) insert—“(4A) In subsection (4) “the review period” means—(a) such period as may be provided for by regulations made by the Secretary of State, or(b) if that period is extended by the Secretary of State in accordance with the regulations (see subsection (13)), such extended period.”(d) after subsection (8) insert—“(8A) The Commissioner may give a direction to the person concerned or the Secretary of State specifying the period within which the person or the Secretary of State (as the case may be) may provide evidence, or make representations, in accordance with subsection (8)(a).(8B) If the Commissioner gives such a direction to the person or the Secretary of State, the Board and the Commissioner are not required to take into account any evidence provided, or representations made, by the person or the Secretary of State (as the case may be) after the end of that period.”;(e) in subsection (9)—(i) for “may” substitute “must”;(ii) after “Commissioner” insert “but before the end of the relevant period, decide whether to”; (f) after subsection (10) insert—“(10A) In subsection (9) “the relevant period” means—(a) such period as may be provided for by regulations made by the Secretary of State, or(b) if that period is extended by the Secretary of State in accordance with the regulations (see subsection (14)), such extended period.”(g) after subsection (12) insert—“(13) Regulations under subsection (4A)(a) may include provision enabling any period provided for by the regulations to be extended by the Secretary of State where the extension is agreed by the Secretary of State, the person concerned and a Judicial Commissioner.(14) Regulations under subsection (10A)(a) may include provision enabling any period provided for by the regulations to be extended by the Secretary of State—(a) where the Secretary of State considers that there are exceptional circumstances that justify the extension, or(b) in any other circumstances specified in the regulations.(15) Where regulations under subsection (10A)(a) include provision mentioned in subsection (14), the regulations must also include provision requiring the Secretary of State to notify a Judicial Commissioner and the person concerned of the duration of any extended period.””Member's explanatory statement
This amendment enables the Secretary of State to make regulations, and a Judicial Commissioner to give a direction, setting time limits in connection with reviews carried out under section 257 of the Investigatory Powers Act 2016 (review of national security and technical capability notices).
33: Clause 17, page 35, line 41, at end insert—
“(6) In section 267(3) (regulations: affirmative procedure)—(a) in paragraph (e), after “90(1)” insert “, (5A)(a) or (11A)(a)”;(b) in paragraph (j), after “257(1)” insert “, (4A)(a) or (10A)(a)”.”Member's explanatory statement
This amendment applies the affirmative procedure to regulations made under section 90(5A)(a) or (11A)(a) or 257(4A)(a) or (10A)(a) of the Investigatory Powers Act 2016 (time limits in connection with reviews of notices).
Amendments 32 and 33 agreed.
Clause 19: Renewal of notices
Amendment 34
Moved by
34: Clause 19, page 37, line 25, at end insert—
“(4A) In section 229 (main oversight functions), in subsection (8)(e)(i), for “or varying” substitute “, varying or renewal”.”Member's explanatory statement
This amendment is consequential on clause 19(4) and (6) (renewal of notices). It inserts into section 229 of the Investigatory Powers Act 2016 (main oversight functions) a reference to the Investigatory Powers Commissioner deciding whether to approve the renewal of certain notices.
Amendment 34 agreed.
Clause 20: Notification of proposed changes to telecommunications services etc
Amendment 35
Tabled by
35: Clause 20, page 39, line 23, at end insert—
“(3A) Before making regulations under this section the Secretary of State must consult the following persons—(a) the Technical Advisory Board;(b) persons appearing to the Secretary of State to be likely to be subject to any obligations specified in the regulations;(c) persons representing persons falling within paragraph (b); and(d) persons with statutory functions in relation to persons falling under that paragraph.(3B) When making regulations under this section the Secretary of State must have regard to—(a) the public interest in the integrity and security of telecommunications systems and postal services;(b) the impact on users arising from any delay to implementing relevant changes;(c) the desirability of encouraging innovation by relevant operators; and(d) any other aspects of the public interest in the protection of privacy.”Member's explanatory statement
This amendment, together with others in the name of Lord Fox, place a duty on the Secretary of State to consult with relevant persons before making regulations that will specify what a “relevant change” will include.