Investigatory Powers (Codes of Practice) Regulations 2018
(Limited Text - Ministerial Extracts only)
Read Full debate
Baroness Williams of Trafford
That the draft Regulations laid before the House on 18 December 2017 be approved.
Relevant document: 16th Report from the Secondary Legislation Scrutiny Committee
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I am pleased to be given the opportunity today to debate these important regulations, which are all being made under the Investigatory Powers Act 2016.
That legislation brings together powers available to our law enforcement and security and intelligence agencies to obtain communications and data about communications. I make it quite clear that these powers are vital to the protection of our citizens. They ensure that our agencies are able to bring to justice serious criminals, including terrorists and paedophiles; they enable plots that threaten our national security to be investigated effectively; and they make sure that our agencies can locate and safeguard vulnerable and missing people.
The Act also ensures that these important powers are subject to rigorous safeguards and oversight. It has introduced a double lock, such that any decision to use the most intrusive powers in the Act must be approved by a judge, and it has created a powerful new Investigatory Powers Commissioner to oversee the use of these powers. That post is held by Lord Justice Fulford, who, as noble Lords will be aware, brings a wealth of experience in the judiciary and expertise in matters of law that will be crucial in carrying out this vital role.
The Act received Royal Assent in November 2016 following comprehensive scrutiny in this House as well as in the other place. The detail of that scrutiny has ensured that the Act provides a world-leading legal framework regulating the exercise of these crucial powers. The regulations that we are debating today form an important part of that legal framework and are all intrinsically linked to the Act’s implementation.
I make it clear that the regulations do not, of course, create any new powers. However, they ensure that a number of important powers in the Act can be exercised and they set out how a number of those provisions will be used. Collectively, they also create additional safeguards on top of the already rigorous controls that are contained in the Act itself.
We debate four sets of regulations today. First is the Investigatory Powers (Technical Capability) Regulations 2018. These regulations set out the obligations that may be imposed on a telecommunications or postal operator in a “technical capability notice”. Such a notice will require the relevant operator to maintain the necessary capabilities and infrastructure to ensure that when a warrant or authorisation is served on or given to them, they are able to provide assistance in giving effect to it quickly and in a secure manner.
The Act itself makes it clear that a telecommunications operator may be required, as part of maintaining a technical capability, to retain the ability to remove electronic protection from communications that they have themselves applied. The regulations do not change this position. They simply set out that such an obligation could be included in a technical capability notice, as well as making it clear that the obligation itself may only require any steps to be taken to remove encryption that are reasonably practicable.
The use of technical capability notices is subject to very strong controls and safeguards set out in the primary legislation. The Secretary of State may decide to give a notice only where it is necessary and proportionate and that decision must be approved by a judicial commissioner. In addition, before giving a technical capability notice the Secretary of State must consult the operator to whom it is to be given and must also take into account a number of factors, including the technical feasibility and likely cost of the operator complying with it. Further, before the notice is given, the Secretary of State must also consider the public interest in the security and integrity of telecommunications systems.
The Act also ensures that telecommunications operators have an effective right of redress where they have been given a technical capability notice or, indeed, a national security notice or data retention notice. Specifically, the Act makes it clear that the relevant operator may seek a review of that notice by the Secretary of State. When conducting such a review, the Secretary of State must consult the Technical Advisory Board—a non-departmental public body—as to the technical feasibility and cost of the notice, as well as a judicial commissioner in relation to its necessity and proportionality.
The second set of regulations that we debate today, the Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018, set out the circumstances in which such a review may take place and how the Technical Advisory Board must be constituted.
The third set of regulations is the Investigatory Powers (Codes of Practice) Regulations 2018. This instrument brings into force five codes of practice under the Act. The codes relate to the interception of communications; equipment interference; the bulk acquisition of communications data; national security notices; and the intelligence services’ retention and use of bulk personal datasets.
Each of the five codes sets out processes and safeguards governing the use of these vital powers. They give detail on how the relevant powers should be used, including examples of best practice. They provide additional clarity and will ensure the highest standards of professionalism and compliance with the Act’s provisions.
The codes are primarily intended to guide those public authorities that are able to exercise powers under the Act, as well as telecommunications operators that might be required to provide assistance in giving effect to its provisions. They provide detailed information on the processes for applying to use each of the powers, as well as in relation to the renewal, modification and cancellation of warrants and authorisations. They set out detailed safeguards in relation to the obtaining, retention, handling and destruction of information obtained in the exercise of the Act’s provisions, and they include detailed requirements on public authorities in relation to record-keeping and error reporting to aid the Investigatory Powers Commissioner in carrying out his oversight functions. The codes are detailed and comprehensive, and together include more than 400 pages of guidance and best practice, ensuring that the use of these important powers is subject to the most stringent safeguards.
The final set of regulations that we are debating today is the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-Keeping Purposes) Regulations 2018. As under pre-existing law, the Act makes it a criminal offence to intercept communications in the absence of lawful authority. It also makes it clear that lawful authority includes interception by businesses or other bodies where it is a legitimate practice. These regulations set out what conduct that includes. Such activities might be, for example, call centres recording telephone calls for training purposes, companies scanning their computer networks to detect cyberattacks or businesses ensuring that their systems are not being used for unauthorised purposes. These regulations simply ensure that companies can undertake these important routine activities without falling foul of the offence of unlawful interception.
In summary, the regulations we are debating today relate to provisions already set out in primary legislation and ensure that the provisions can be implemented effectively. They make it clear how a number of powers in the Act will operate and establish additional safeguards to the already rigorous controls set out in the primary legislation itself. I commend the regulations to the House.
Baroness Williams of Trafford
My Lords, I thank all noble Lords who have spoken, particularly the noble and learned Lord, Lord Judge, the noble Lords, Lord Butler and Lord Murphy of Torfaen, and of course the noble Lord, Lord West of Spithead, for in a nutshell outlining what these regulations do, which is to complement the primary legislation. This legislation was thoroughly scrutinised by the committee and all the recommendations that it made were accepted by the Government.
It is absolutely right that the most rigorous safeguards are in place. In introducing the Act, the Government struck a very clear balance between liberty and safeguarding the people of this country. It is not about undermining the work of journalists: it never was about undermining the work of journalists. As I said in my opening speech, these powers are absolutely necessary to prevent terrorism and intercept paedophiles and serious organised criminals. The aim of the legislation was never towards journalists.
The noble Lord, Lord Kennedy, asked about oversight. The oversight function is by the commissioner, as I think he suspected. Yes, the codes of practice are lengthy, but they are user-friendly. It is such a complex area, but that was the intention behind the codes of practice.
Before I turn to the numerous questions that the noble Lord, Lord Paddick, asked, I absolutely echo his words about my noble friend Lord Bates yesterday. He is a wonderful man, a wonderful Minister, and we are very glad that in a few days he will be back. My noble friend Lord Taylor picked up the Question. I do not know how well he answered it, but I am sure in his inimitable way he answered it pretty well, he is such a professional. Yes, I commend the words of the noble Baroness, Lady Smith. This was obviously a spontaneous event and those who responded spontaneously in your Lordships’ House were very generous and kind. I thank everyone who was there at the time.
The first question of the noble Lord, Lord Paddick, was about the Explanatory Memorandum to the codes. The committee made clear:
“At our request the Home Office has now replaced this”—
the Explanatory Memorandum—
“with one that sets out more clearly what the Codes do and why, which should aid the House in its scrutiny of the way the system is to operate”.
The noble Lord also asked about bulk communications involving those who are not suspects—innocent people. I reiterate what I said in my opening speech: there are extremely stringent safeguards in the IP Act regulating the use of bulk powers. A bulk warrant may be issued by the Secretary of State only where it is necessary and proportionate—they are the two key words here—and where the decision to issue it has been approved by a judicial commissioner. The bulk powers are available only to the intelligence services, and a bulk warrant may be issued only where it is necessary in the interests of national security.
Every bulk warrant must specify each of the operational purposes for which the data obtained may be subsequently examined. Examination may not take place for any purpose other than those specified in the warrant, and the Secretary of State and judicial commissioner must be satisfied when they issue the warrant that those purposes are necessary. Examination of bulk data itself may take place, again, only where it is necessary and proportionate. In practice, the safeguards mean that only a tiny fraction of the data obtained will ever be accessed.
Lord West of Spithead
Does not the Minister agree that the collection of bulk data does not assume that everyone in our population is a suspect, as the noble Lord, Lord Paddick, said, any more than the camera systems on our public transport assume that everyone on that bus is a suspect? Rather, it highlights and spots the person who sticks a knife in someone.
Baroness Williams of Trafford
Sometimes the problem with interventions is that you do not get around to saying what you were going to say. Perhaps noble Lords will be patient. The noble Lord, Lord West, put it very succinctly and illustrated what we mean by bulk data.
Where the content of a communication is to be examined when it is of a person known to be in the British Isles, a separate targeted examination warrant must be obtained, which is in itself subject to approval by the Secretary of State and a judicial commissioner. The codes of practice that I have been outlining today provide additional safeguards on the use of bulk powers relating to filtering data, the training that must be obtained by those examining it and how bulk data should be handled, retained and destroyed.
The noble Lord, Lord Paddick, also asked if warrants allowed interference with devices of innocent people and asked how that was compliant with the ECJ ruling—the question on everyone’s lips. Equipment interference is subject to stringent safeguards and any warrant must be necessary and proportionate and must be approved by a judicial commissioner. This House has, of course, approved those strong safeguards.
I see the noble Baroness, Lady Chakrabarti, looking quite interested, because the noble Lords, Lord Paddick and Lord Butler, asked about the Liberty challenge to the IP Act and the Government’s response to it. The judgment handed down by the Court of Appeal on Tuesday this week—I presume that that is the one that they are referring to—relates to the challenge brought against the DRIP Act. It has now been replaced by provisions in the Investigatory Powers Act, and therefore the judgment relates to legislation that is actually no longer in effect. The provisions in the Act challenged by Liberty, which will be heard at the end of February in the High Court, relate to targeted communications data and, therefore, are not relevant to the debate today.
I move on to the technical capability regulations. I was asked whether they would stifle innovation. To be clear here, none of the regulations that we are discussing today in and of themselves place any burden on industry. To suggest that the Investigatory Powers (Technical Capability) Regulations 2018 would damage companies operating in this country is to misunderstand what the provisions in those regulations actually do. Those regulations do not themselves impose any requirements on telecommunications or postal operators. Rather, they set out what obligations could be imposed on an operator through a technical capability notice. The power for the Secretary of State to give such notice is set out in the Investigatory Powers Act itself, and has therefore already been approved by Parliament. There are stringent safeguards in the Act regulating the use of technical capability notices to minimise the impact on businesses, including that the notice must be necessary, proportionate and approved by a judicial commissioner. As I have already said, before giving a technical capability notice to a relevant operator, the Secretary of State must consult that operator. In addition, the Secretary of State must consider a number of factors before deciding to give a notice. Those factors include the technical feasibility and likely cost to the operator complying with the notice, which goes to the heart of ensuring that a notice does not damage a company’s interests.
The Act also makes it clear that the Secretary of State must ensure that arrangements are in force for securing that relevant operators receive an appropriate contribution in respect of their costs incurred in complying with the Act, as the Secretary of State deems appropriate. Such costs include those incurred in relation to complying with a technical capability notice. The Government’s policy is that the appropriate contribution is calculated on a case-by-case basis to ensure that the operator makes neither a loss nor a gain from complying with the Act. A number of the draft codes of practice that we have debated today include an entire chapter on technical capability notices, giving further information about their use, including details of the cost recovery process and the sorts of activities it is anticipated that the Government would fund as part of an operator maintaining a capability.
I may be repeating myself here, but the noble Lord, Lord Butler, asked about making sure that the codes of practice on retention records are made consistent with this week’s ruling. The judgment related to the retention of communications data by telecommunications operators is not being debated today. The CJEU ruling was not about safeguards for equipment interference or for access to bulk communications data. The IP tribunal considered the specific issue of whether the CJEU judgment applied to bulk communications data and has made a further reference to the CJEU on this very point and on whether the bulk communications data regime is within the scope of the judgment’s safeguarding requirements.
Lord Paddick
My Lords, I realise that I am intervening a bit late, but I did not want to interrupt prematurely, as I did before. Will the Minister comment on techUK’s specific suggestion that the regulations impose an additional aspect to the technical capability notice, in that the Home Office will be alerted to changes in innovation in systems and development? I do not think that the noble Baroness has addressed that specific issue.
Baroness Williams of Trafford
I do not think that they do, but I will write to the noble Lord, if I may, on that specific point.
The noble Lord, Lord Butler, asked about the cost of providers keeping IP addresses. The Act makes it clear that companies will be provided with an appropriate contribution to their costs of complying with the Act. The noble Lord will appreciate that I do not have the detail of that to hand, but I am happy to write to him.
The noble Lord, Lord Kennedy, asked about the processes in place for dealing with errors. There are entire sections of the codes of practice setting out the processes for reporting errors to the IP commissioner, including the timeframe for when it must be reported and what might constitute an error. The commissioner has broad and comprehensive powers to investigate such errors.
I think I have answered everything apart from the question from the noble Lord, Lord Paddick.