Investigatory Powers (Amendment) Bill [HL]
Monday 20th November 2023
(5 months, 1 week ago)
Lords ChamberInvestigatory Powers (Amendment) Act 2024 View all Investigatory Powers (Amendment) Act 2024 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Sharpe of Epsom
That the Bill be now read a second time.
The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
My Lords, the number one priority of any Government is to keep our citizens and our country safe. The Investigatory Powers (Amendment) Bill seeks to make a set of targeted amendments to the Investigatory Powers Act 2016, which I shall refer to throughout as the IPA.
The measures in this Bill will support the security and intelligence services to keep pace with a range of evolving threats against a backdrop of accelerating technological advancements. Such advancements provide new opportunities for terrorists, hostile state actors, child abusers and criminal gangs. They also mean that data is generated in more places, in more formats and by more different entities than before. The security and intelligence services need to identify nuggets of threat in increasing quantities of data.
Importantly, the Bill will also ensure that we maintain and strengthen the world-leading safeguards that underpin the use of the powers in the IPA. The measures in the Bill are narrow and relatively modest in scope, which reflects the strength of the existing legislation, but they are none the less critical to the task of protecting national security and countering other serious threats.
It may be helpful to briefly remind the House of the parent legislation that this Bill seeks to amend. The IPA provides a clear legal framework for the security and intelligence services, law enforcement and other public authorities to obtain and utilise communications, and data about communications. These powers and the resulting capabilities are essential in supporting these public authorities in carrying out their statutory functions, including detecting and preventing terrorism, state threats and serious crime.
But since 2016 the nature of the threats we face has evolved, and we need to ensure that the UK’s investigatory powers framework remains fit for purpose. The use of these powers is underpinned by the IPA’s robust and world-leading safeguards—including the double lock for most of the powers, whereby a judicial commissioner must approve the decision by the Secretary of State to issue a warrant under the IPA. All use of the powers must be assessed as necessary and proportionate, with strong independent oversight by the Investigatory Powers Commissioner. The right to seek redress is available to anyone via the Investigatory Powers Tribunal.
I emphasise that this Bill is about delivering focused and targeted changes to the existing regime and not about creating new powers beyond those to which Parliament has previously given its agreement during passage of the IPA.
This Bill follows the publication of a statutory report on the implementation of the IPA in February this year by the previous Home Secretary, and a subsequent independent review by the noble Lord, Lord Anderson of Ipswich, which was published in June this year. These reports set out the operational case for change and have informed the contents of the Bill. I thank the noble Lord, Lord Anderson, for his considered review of the IPA; he was instrumental in its initial design as the author of A Question of Trust during his tenure as the Independent Reviewer of Terrorism Legislation.
Building on the areas of focus identified in the Home Office review, the noble Lord’s report focused on: the effectiveness of the bulk personal dataset regime; criteria for obtaining internet connection records; the suitability of certain definitions within the Act; and the resilience and agility of warrantry processes and the oversight regime. His review helpfully highlighted several areas in which the IPA could be improved, and we are pleased to say that this Bill aligns nigh on entirely with his recommendations.
Your Lordships may note that there is one area of the Bill that the review by the noble Lord, Lord Anderson, did not touch on: the changes to the notices regimes. This was subject to a separate public consultation, and the Government are grateful to those who responded for helping to shape this element of the Bill.
I will turn now to the main elements of the Bill. Part 1 deals with bulk personal datasets, more commonly known as BPDs, and makes changes to the way in which the intelligence services may use them. Building on the findings of the review by the noble Lord, Lord Anderson, the Bill provides a narrow group of provisions to: create a set of new safeguards for the retention and examination of BPDs where there is low or no reasonable expectation of privacy; allow for the extension of the duration of a BPD warrant under Part 7 of the Act from 6 to 12 months; and make clear that agency heads can delegate certain existing functions in relation to BPD warrants. Under the current regime, all BPDs—including those that are publicly or commercially available—must be subject to the double-lock warrantry process and strict examination safeguards.
While these safeguards are in many cases entirely appropriate, that is not always so, particularly where a dataset is publicly available and widely used. This has a detrimental effect on the agility of the agencies, particularly where these datasets could be used to develop new capabilities. It also inhibits their ability to work flexibly with allies and partners in academia or the private sector.
Creating a new regime for datasets that have low or no expectation of privacy will increase operational agility while ensuring that proportionate safeguards are in place, including prior judicial approval. This change will be an important step in preventing our agencies falling behind our adversaries.
The Bill also seeks to insert a new statutory oversight regime for examination by the intelligence services of third-party BPDs. Under the new measures, an intelligence service may examine a dataset on a third-party’s systems without taking control of the set itself. However, if the dataset is not publicly or commercially available to other users, the new warrantry process and requirements will apply. The regime will be subject to safeguards such as the double lock already in other parts of the IPA.
Part 2 will make changes to the role and remit of the Investigatory Powers Commissioner and their supporting functions. The Bill will enhance the world-leading oversight regime in the Act, including the role of the IPC. The changes will ensure that the regime is resilient and that the IPC can effectively carry out their functions. This will maintain and enhance the robust, transparent safeguards in the regime.
In addition to putting oversight of third-party BPDs on a statutory basis, the proposed amendments to the oversight regime aim to increase resilience and ensure that it remains fit for purpose. As highlighted in the then Home Secretary’s review, the IPA does not provide an easy mechanism to manage change. This has caused issues regarding the resilience and flexibility of the IPC and the wider IPA oversight regime, such as during the Covid-19 pandemic. The Bill therefore seeks to place the ability to appoint deputy investigatory powers commissioners and temporary judicial commissioners on to a statutory footing, to provide resilience where there is a shortage of judicial commissioners.
The Bill will also formalise some of the IPC’s non-statutory oversight functions—for example, their oversight of compliance by the Ministry of Defence of the use and conduct of surveillance and covert human intelligence sources outside the UK. The measures also provide greater legislative clarity in respect of the error-reporting obligations imposed on public authorities. The IPC has been consulted on all these measures and has endorsed the approach to ensuring that the oversight regime remains fit for purpose.
Part 3 makes changes to Part 3 of the IPA, which relates to powers for public authorities listed in Schedule 4 to the IPA to acquire communications data. CD is the data around the communication rather than the content of that communication. Section 11 of the IPA made it an offence for a relevant person within a relevant public authority to “knowingly or recklessly” obtain CD from a telecoms operator or a postal operator without lawful authority. The Bill will set out examples of the acquisition routes that amount to lawful authority. This will provide greater clarity to public authorities that they are not committing a Section 11 offence when acquiring CD from a telecommunications operator under those routes.
The Bill will additionally make targeted amendments to ensure that public sector organisations are not unintentionally prevented or discouraged from sharing data in order to meet their statutory duties and obligations when administering public services or systems. Part 3 also makes a clarificatory amendment to the definition of CD in Section 261 of the IPA, to make it clear that subscriber data or data use to identify an entity will be CD.
Part 3 also makes changes to allow bodies with regulatory functions to acquire communications data. The use of regulatory powers under the IPA is limited to organisations such as Ofcom and the Information Commissioner’s Office for their regulation of telecoms operators. The Bill seeks to amend the IPA to expand the definition of regulatory powers to include public authorities with wider, lawfully established and recognised regulatory or supervisory responsibilities. The effect of this change will be such that authorities will be able to acquire CD using their own statutory powers and not rely on IPA powers. However, where the CD is being acquired with a view to using it for a criminal prosecution, authorities must use their IPA powers to acquire that CD.
Targeted changes will also be made to support the use of internet connection records by the NCA and intelligence agencies. The Bill will add a further condition which allows the service in use and time period to be specified within the application without the requirement that they are unequivocally known. This will enhance the ability of the NCA and the intelligence services to identify serious criminals, including paedophiles and people traffickers, helping to protect victims and counter threats to the UK’s national security.
Part 4 will ensure the efficacy of the existing notices regimes in the face of technological changes and the complex commercial structures associated with the modern digital economy. These measures have been carefully calibrated to address these issues in a proportionate way. Furthermore, the notices regimes have existed since the 1980s, and these reforms are just the latest iteration of that regime. This is not about introducing any new powers. The Bill will create a notification requirement which will allow the Secretary of State to place specific companies under an obligation to inform the Secretary of State of proposed changes to their telecommunications services or systems that could have an impact on lawful access. I wish to be clear that this is not a blanket obligation on the tech sector. It will be placed on companies on a case-by-case basis and with full consideration of the necessity and proportionality justifications of doing so each time.
Furthermore, the notification requirement does not give the Secretary of State any powers to intervene in the rollout of a product or a service or to veto such a rollout. It is intended to ensure that there is time for appropriate consideration of the operational impact and potentially for discussion with the company in question about possible mitigations. This notification requirement has replicated the existing notices standards wherever possible and is itself already part of the wider notices regime, where the Government are able to require companies under notice to inform us of relevant changes which affect their ability to provide assistance under any warrant, authorisation or notice.
The Bill also amends the effect of a notice during the review period. A notice must go through the full double-lock process before it may be issued to a company. On receipt of that notice, a company may request a review of that notice. Currently, the notice has no legal effect during the review period. The Bill amends this to require the company to maintain the status quo during the review period. This will mean that the company does not have to take any steps to comply with elements of the notice, other than to maintain its existing services at the point it is given the notice. The result will be that the company cannot take any action that will negatively affect the level of lawful access for our operational partners during the review period. This is without prejudice to the final outcome of the review and ensures that this outcome cannot be pre-judged.
The Bill also makes a clarificatory amendment to the definition of a telecommunications operator. This makes clear that large companies with complex corporate structures which together provide or control telecommunications services and systems fall within the remit of the IPA. It also clarifies that a notice may be given to one entity in relation to the capability of another entity. It does not seek to bring new companies into the scope of the IPA. Furthermore, the Bill creates a new safeguard for the renewal of notices. This will require a notice to be put through the full double-lock process after two years, if it has not been varied, renewed or revoked in that time.
Finally, Part 5 includes several minor changes to the IPA to ensure sufficient clarity and resilience within the regime. This includes increasing the resiliency of the triple lock, which is the additional safeguard for targeted interception and equipment interference warrants relating to members of relevant legislatures, such as this Parliament. Clauses in Part 5 will allow for the Prime Minister—in the event that they are unavailable—to delegate their responsibility for providing the triple lock to named Secretaries of State. This change is purely about ensuring resilience in the authorisation process and does nothing to alter the existing power or introduce any new power.
I conclude by highlighting the opportunity that the Bill affords us and the impact it will have on the safety and security of the UK and its citizens. Without making changes now, the ability of our agencies to tackle evolving threats—including terrorism, state threats, and serious crime—will be increasingly constrained. In the face of greater global instability and technological advancements, now is not the time for inaction. I welcome the further scrutiny that noble Lords will provide. From looking at the list of speakers, I am in no doubt that they will start with a typically insightful debate today. I beg to move.
Lord Coaker (Lab)
My Lords, I am sure the Minister was referring to me. But, seriously, I thank him for that helpful introduction and for the briefings that he and his officials have organised, including in buildings nearby later this week.
This is an important Bill, and we all need to ensure that it delivers effectively what we all wish for as we seek to defend our country and our freedoms against outside threats. I say to noble Lords including the Minister that we fully support the passage of the Bill, for the reasons that he outlined in his conclusions, and recognise the changed security environment that necessitates the need for this piece of legislation updating and improving the Investigatory Powers Act 2016.
There have clearly been significant changes to the threat picture, with developments that had perhaps not been fully foreseen over the last few years. Of course we have to remain vigilant against any terrorist threat, but even that has been overshadowed by other factors—in particular, the pace of geopolitical change and the extent of its impact on the UK and its people. The invasion of Ukraine, the weaponisation of energy and food supplies, artificial intelligence, the actions of Iran and the more aggressive stance with China in the South China Sea and beyond are just some of many examples. Importantly, this also manifests, as the Minister will know better than anyone, as threats such as economic espionage, the buying of influence, cyberattacks, disinformation and indeed, as we saw, the Salisbury poisoning. In the face of that hostile state activity, we have to change.
I join the Minister, and no doubt many others, in saying that we are very fortunate in having had the extremely helpful—and for me, I might add, understandable—report by the noble Lord, Lord Anderson, to guide us in this. It is also good to see other Members of your Lordships’ House who have extensive experience in this area to inform our debate. In congratulating the noble Lord, Lord Anderson, I shall raise some general points from his report and then deal with specifics as appropriate for a Second Reading debate.
It is of huge significance and importance that the noble Lord, Lord Anderson, did not produce a classified annex to his report. In an area of this importance and sensitivity, you obviously need secrecy and confidentiality, but there has to be as wide a public and parliamentary debate as possible. There are real issues of principle being discussed here, not least the right to privacy and the protection of an individual’s information or personal data. As I say, there is a need for the security services, law enforcement and others to act and to have the intelligence tools that they need, but the balance between national security, tackling serious crime and an individual’s privacy should and must, quite rightly, be a matter for public debate. When fundamental rights are at stake, that needs to be cautiously challenged, and this House will need to do that in Committee, while, as I say, fully supporting the overall passage of the Bill.
Chapter 10 of the report asks what comes next. Such is the pace of change and challenge, the noble Lord, Lord Anderson, recommends that, once this amending legislation is on the statute book, we need to move on very quickly to what comes next.
I shall turn to the Bill with some general comments, with the more specific questions coming in Committee. Bulk personal datasets are clearly important, and the Bill will allow a lighter-touch regulatory regime. The threshold will be where individuals have a low or no expectation of privacy in respect of that data. The Bill seeks to set out examples of the sorts of cases where such a regime would apply for the examination of material by the UK intelligence community. I believe there will need to be a careful debate about what such a threshold means. What does “low” mean? Would all such activity be subject to the approval of a judicial commissioner? Some have already expressed particular concern about new subsection (3A)(e), inserted into Section 11 by Clause 11(3), which says that communications data can be obtained
“where the communications data had been published before the relevant person obtained it”.
Does that mean it is available simply by having been published?
On a more general point, how does all this relate to the Data Protection Act, where personal data may be protected but is potentially not so by the new Bill? Big Brother Watch gives the example of the potential concern over Clearview, which has a mass of facial images—approaching 30 billion—harvested from social media. That could be considered a low-privacy database since the photos had been made public by the individuals, but the Information Commissioner’s Office found Clearview in breach of the Data Protection Act. This argument could therefore potentially be extended to many areas, such as Facebook posts, and will therefore need careful scrutiny, along with the more general point about the relationship between this Act and the Data Protection Act.
There are to be new proposals for internet connection records; they are clearly important, but changes are again being made. In particular, on the justification for target discovery—which, in essence, is a more generalised surveillance, if I have understood it correctly—is it the case therefore that there may not necessarily be a need for suspicion to lead to a particular form of surveillance? It is also interesting to note that, according to the report by the noble Lord, Lord Anderson, as I understand it, this extension or facilitation of target discovery for internet connection records should be limited to UK intelligence. So why have the Government extended this to the National Crime Agency as well as to the UK intelligence community? In other words, why has it gone beyond the recommendations of the noble Lord’s report?
The need for the communications of legislators to be secure and confidential—say, in discussing matters with constituents or other bodies—except in the most exceptional circumstances, is of real importance. Following the IPT case in 2015, there was legislation in the 2016 Act that tried to protect this principle by allowing any interception or obtaining of any communication to be allowed only with the so-called triple lock—in other words, after Prime Ministerial authority was given. The question this Bill seeks to answer is: what happens if the PM is, in the Minister’s words, “unavailable”? This seems to me to be a reasonable question to ask. We need to probe Clause 21 carefully and ask whether the inclusion of any Secretary of State is too broad a definition, what the involvement should be of senior officials, as laid out in the clause, and whether the proposed definition is correct. For example, would it not be better to specify the Secretaries of State as the Home Secretary or the Defence Secretary, or other senior Secretaries of State, rather than the broad blanket of any Secretary of State? The senior officials are explained, to an extent, but we need to explore in Committee whether we need to be more circumspect with what we mean by that.
We have also received a briefing from Apple, and it is important for us to reflect on its concerns. As I have made clear, we support the passage of the Bill, subject to proper scrutiny, which we and others will give in Committee, but Apple’s concerns need to be addressed by the Government in a public forum, to ensure trust and confidence in the new system we seek to introduce. Why is Apple wrong to have concerns about pre-clearance requirements?
On extraterritoriality, the noble Lord, Lord Anderson, says on page 57 of his report that he makes “no recommendation” on a policy issue for DRNs or the importance of end-to-end encryption. End-to-end encryption is a key security tool for us all, but it is also one that can be used, and is used, by malicious actors. We understand that, so how do we strike a balance between the necessity for the privacy and protection of an individual’s data and the need for security services and others to have potential access to that data to uncover serious crime or terrorist activity? In Committee, we need to discuss where that balance should be made and where that line should be drawn; it is an important area of discussion.
Throughout the report by the noble Lord, Lord Anderson, and the subsequent Bill before us, we see various adaptions of warrant processes, judicial oversight and the role of the commissioner, with many proposals. While we are generally supportive, we will need to examine these in more detail in Committee, but I have a few general points to raise now. For example, does the Bill help to sort out confusion in government? Incredibly, on page 28 of the noble Lord’s report, the MoD cannot, even when co-located in a hostile environment, transfer some data to the UKIC. Does the Bill sort that out? That is an important question that I put on the table for an answer—not necessarily now, but certainly in Committee.
Domestically, on the same page, we are told that it was a revelation to UK intelligence community officers to see how easily other government departments subject only to normal data protection requirements could access, retain and process bulk personal data. This Bill should not go through without the corresponding changes to policy and practice, highlighted by the above two apparent anomalies. No doubt there are many more. It would be a wasted opportunity were we not to address some of those examples which seem to draw attention to anomalies within the existing system which many of us would expect a Bill such as this to sort out.
Co-operating should not be as difficult as it seems to be. Openness and transparency are crucial so that we can be sure that, as far as possible, the number of various warrants applied for and refused is made public. More generally, what role is there for parliamentary oversight as well as the intelligence commissioner and so on? The Intelligence and Security Committee is our important eyes and ears on this matter. What part will it play in all this? Are its terms of reference, which I have said in other debates are in need of review, sufficient to allow the necessary level of scrutiny? If it is not appropriate for the committee to be involved, where is the parliamentary scrutiny? Where is the mechanism for reporting to Parliament? It would be interesting to hear that from the Minister. Yes, there are various commissioners and there is senior ministerial involvement, but what of Parliament? Parliament cannot be seen in areas as important as this as an afterthought or an irritant. It should be a proper custodian of our values in this difficult area.
I have laid out some of the key issues, although there are many more. I conclude by saying that, as the noble Lord, Lord Anderson, pointed out in his report, we cannot allow the debate to be characterised as being between those who stand up for security, for our country, and who understand what needs to be done, versus a privacy lobby that does not live in the real world. Of course, operational security cannot be compromised and changed threats require policy to be developed. We support the Government in this through the changes which are needed in this Bill. The challenge is to do so in a way that is consistent with our principles of democracy and human rights. Sensible debate and discussion surely will help us towards something that we all want—to build a consensus as far as possible over protecting our nation and allies against those who would do us harm, and not to undermine privacy or freedoms unless it is essential to do so.
Lord Fox (LD)
My Lords, it is a great pleasure to follow the noble Lord, Lord Coaker. I look forward to a fascinating and intimidatingly expert debate. Before commenting on the Bill, I feel that it is important to contextualise what we are discussing today.
Many of us enjoy books that depict the intelligence services. In the main, the George Smileys who appear within their covers are practising in a world that is very far from the lived experience of most people in this country. However, the reality is very different. The work of the intelligence services impacts very many people’s lives in the UK. It is not just bombs and guns but drugs, people trafficking and other exploitation, financial and cybercrime, extortion and many other crimes. The perpetrators are Governments, terrorist organisations, criminal gangs and lone individuals. Crime and terror merge and are socially unjust activities that prey on the weak. The victims are most often the vulnerable and those with the least ability to resist. Within this depressing tapestry, we rely on our intelligence services to help keep us safe and we need a police force that can cope with the complexities of those crimes. Liberal Democrats wholeheartedly support the services that seek to do this and we welcome this debate.
We also believe that these vital tasks have to be balanced against the freedoms and liberties at the heart of our country’s values. Every new power must be weighed in that balance and the noble Lord, Lord Coker, just explained that from his perspective. As we have heard, this Bill proposes some specific amendments to the original Investigatory Powers Act 2016. I was not involved in the scrutiny of the Bill at that time; that fell to my noble friend Lord Paddick, and the noble Baroness, Lady Williams, was in the ministerial chair, so it is a new set of eyes looking at this legislation.
I remind your Lordships’ House of some of the key priorities that my noble friends here and my colleagues in the Commons applied to the 2016 Bill. The first of these is that there should be no weakening of encryption. The second is the vital role of judicial authorisation and the third is that, when it comes to the bulk collection of information or mass surveillance, British residents have a right to expect privacy. These principles were central to our response to the last Bill and will be to this.
Today’s Bill, as we have heard, is the product of deliberation over years. Your Lordships should particularly thank the noble Lord, Lord Anderson, for his work on it. However, given the time taken to get this far, it is very disappointing that the Government chose to introduce the Bill in such a rush that it gave just eight working days for parliamentarians and civil society to prepare for the specific scrutiny of it. If the Government were seeking to ensure that they took people with them, this is a way to antagonise them. There are already comments about haste being an effort to railroad people.
I am afraid my speech today is quite a long one because I did not have time to write a short one. I turn to the Bill. As the Minister set out, the original Bill established a set of protections under Part 7; this Bill introduces two new levels of security, Parts 7A and 7B. Part 7A is introduced in Clause 2 and concerns bulk datasets, as we have heard, with
“low or no reasonable expectation of privacy”.
These so-called low/no datasets may be in three types, each with slightly different rules.
I have enjoyed helpful discussions with the Minister’s department and for that I appreciate his facilitation and engagement. During those discussions, the basic explanation has been that these datasets are needed to train tools using machine learning, that they already exist and are being used in the commercial world, but the Part 7 process makes them at best clumsy and at worst impractical to be used by the intelligence services. I take those points. Furthermore, the introduction to Part 7A includes a requirement for approval from judicial commissioners. Had it not, this discussion would have been much harder.
If training Al tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations. I can imagine why urgent data might be needed, but it is the investigators who will define the urgency. Additionally, new Section 226BC refers to a relevant period of three working days between the acquisition of the urgent data and full judicial approval. Yet, after three days, the judicial commissioner may decline to permit the use of the data that has already been employed in an investigation using rapid Al-enabled analysis.
Taken together, I have my worries. There needs to be a duty to immediately notify the judicial commission. Secondly, there should be guardrails helping define “urgent” and finally we need to discuss how information discovered using data that is subsequently ruled ineligible is, shall we say, unremembered. Without these, the use of low/no datasets in this way for operational issues is concerning.
I have gone into this in some detail because I see it as a serious operational concern but also because I wanted to illustrate the sort of scrutiny the Government should expect from these Benches throughout this debate. There are other examples as we go through the Bill, but I will refer to those only broadly now. Clause 5 introduces a second new category of approval, Part 7B, this time for datasets held in third party assets to which the intelligence services have access. As far as I can deduce, this brings into the orbit of the IPA data which was previously not included and mandates both Secretary of State and judicial commission levels of approval. Unless I learn otherwise, that is a good starting point.
That said, we will seek to initiate explicit discussion around the use of medical, genetic and genomic data and how this can be protected. Here I note that anonymised data can be relatively easily reassigned, so anonymity in health databases is no actual protection. This is important on several levels, not least for public confidence in the digitisation and legitimate use of this very important information.
Part 2 allows the deputisation and delegation of some of the powers to broaden the number of people responsible involved. I just ask whether the Minister believes that this heralds a massive increase in workload.
In Part 3, I thank the Minister for his explanations around Clause 11, which I shall read carefully, and I will be coming back for some more details about how that will work in practice. Clause 14 creates a new condition for the use of internet connection records by the intelligence services and the NCA. Broadly, this removes the need for exact times when seeking connection records, substituting time ranges. This seems acceptable, as long as the Minister can assure your Lordships’ House that this will still require Secretary of State and judicial commission approval.
Part 4 moves into the area of retention notices and away from issues covered by the report of the noble Lord, Lord Anderson. I believe that Clause 15 is focused on bringing inbound roaming on foreign SIM cards into the frame, so I would appreciate details of how this will work. For example, if I am in the UK using a SIM that I bought in Dubai from a UAE-based telecoms provider, how does the intelligence officer proceed?
Clause 20, as we have already heard from the noble Lord, Lord Coaker, is one that has already raised eyebrows in the industry. Proposed new subsection 258A requires telecoms operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively impact existing lawful access capabilities. In reality, this can include changes in encryption, a topic which has recently been on a rocky journey through the passage of the Online Safety Act. This Bill proposes a number of changes, building on the current regime set out in the 2016 Act, that relate to decryption of private messages for law enforcement purposes. In short, we believe the amendments would, or at least could, grant the Home Secretary more extensive powers to intervene in, and in some cases block, communications providers’ operational decisions, including enhancing privacy settings for users, with potential knock-on implications for end-to-end encryption on those services for everyone. I think more debate will be needed in this area.
There are other issues of timing, the possible length of a review, extraterritoriality and the level of judicial commission oversight at the notice level. I am sure I will be told by the Minister that this is a narrow interpretation, but it is an interpretation that has legs outside your Lordships’ Chamber. How will this power be used and what are the implications? Will we perhaps see British law officers beating a path to California to serve these notices? In a sense, how far does this go?
Finally, Part 5 invokes some interesting questions, some of which the noble Lord, Lord Coaker, has already asked and we will surely want to probe. We will want to introduce a requirement that the Investigatory Powers Commissioner is informed of, and records in their annual report, the number of warrants authorised each year to permit surveillance of Members of relevant domestic legislatures. For now, perhaps the Minister could tell your Lordships’ House what the process is for gaining permission to intercept and examine the Prime Minister’s communications.
We will also be probing two other important areas on which there is no time to expand today. The first is specific protections to avoid either cementing or introducing systemic bias against certain sections of the community from the AI models of the future that will be built as a result of this legislation. The second is the use of facial recognition technology on the back of the tools created using the low/no databases, a point that the noble Lord, Lord Coaker, raised.
To conclude, we are concerned that the Bill could push legislation further past the point of balance that we started to discuss. We need to ensure that judicial oversight extends right through the activities enabled by the Bill, and there should be no weakening on the encryption issue. I hope the Minister views this critique in the spirit of constructive support that I have sought to invoke, and I look forward to the rest of the debate and the further stages of the Bill. As he can see, our work will be built on the foundation that British residents have a right to expect privacy.
Lord Anderson of Ipswich (CB)
My Lords, I thank noble Lords who have referred kindly to my independent review of earlier this year, a short sequel to the much longer reviews, A Question of Trust and the Report of the Bulk Powers Review, that I was commissioned to conduct, with all-party agreement, in advance of the Investigatory Powers Act 2016.
Given the controversy surrounding electronic surveillance at that time, in the wake of Edward Snowden’s disclosures, the IPA had a remarkably smooth parliamentary passage—although I say that as someone who was outside Parliament at the time. I put that down to the detailed preparation that preceded that Bill, including reports from the ISC and from RUSI, and of course to the work of the draft Bill committee, chaired by the noble Lord, Lord Murphy of Torfaen, who I am delighted to see in his place. I remember being questioned by its members, including the noble Lord, Lord Strasburger, and Suella Fernandes MP, as she then was. That committee made 86 detailed recommendations, practically all of which found their way into the Act. How much time and testosterone can be saved—and was saved in that instance—by debating these important issues before a Bill is published in final form.
The IPA replicated and, indeed, enhanced the very considerable powers conferred by its predecessor, RIPA, on our intelligence agencies and police. However, its emphasis on transparency and effective oversight, in particular by the judge-led Investigatory Powers Commissioner’s Office—IPCO—with its excellent technical support, brought it into the modern age. I believe we have seen the tangible benefits of that in recent years; I will give three short examples.
The UN special rapporteur on the right to privacy, who had previously described our arrangements as “worse than scary”, reported in 2018 after an inspection visit to the UK that, thanks to the balance struck by the IPA, the UK
“can now justifiably reclaim its leadership role in Europe as well as globally”.
The English Court of Appeal overwhelmingly rejected an extensive series of challenges to the IPA in August this year, citing the authority of the European Court of Human Rights, which, rather more than the EU’s court in Luxembourg, has shown itself impressively ready to accept the use of bulk collection powers, properly safeguarded.
In addition, judicial approval of warrants, introduced here by the IPA but long familiar in North America, was instrumental in securing our data access agreement with the United States—a world first, which, given the American ownership of so many big internet platforms, is of particular significance to law enforcement on this side of the Atlantic.
Therefore, the IPA has been good for this country, including by helping to secure the international acceptance and co-operation that are ever more essential to the fight against organised crime and threats to national security.
However, the Minister is right to say that in limited areas, the IPA is in need of what I call running repairs. The Home Office invited me earlier this year to look at some of those areas which it had identified as in need of attention. Other parts of the Bill, including elements of Parts 1, 3 and 4, fell outside the scope of my review. In my report published in June, I largely accepted the Home Office diagnosis, although my prescriptions were in some respects different from its. In particular, in relation to the bulk dataset issues that occupy Part 1 of this Bill, I thought it important that the borderline between Part 7 and the proposed new Part 7A of the IPA, concerning datasets in which there is a low or no expectation of privacy, should be patrolled at the moment of decision not just by the intelligence agencies themselves but externally by independent judicial commissioners.
Since my report was submitted in April, there has been a convergence of views on this issue and on others, one of them in relation to the NCA and Clause 14, which was touched on by the noble Lord, Lord Coaker. I am grateful to the Security Minister and to the noble Lord, Lord Sharpe, for our discussions and the open spirit in which they took place.
The Minister knows that it has not always been my habit to give an unqualified welcome to Home Office Bills; judging from the Statement that was debated earlier this afternoon, I cannot guarantee that things will be any different in future.
I understand that Ministers like to come to this place with a few concessions in their back pocket, and there is no harm in that. But too often, elements of the Bills that arrive with us have a lopsided look; one suspects, rightly or wrongly, that they are the opening gambit in a concession strategy, whereby the energy of this House is occupied with the tabling and discussion of amendments, only for the Government eventually to concede what they had a good mind to do all along. This can be both frustrating and counterproductive; those who mistrust the Government see their worst fears confirmed by the initial version of the Bill, while those who trust them are reluctant to express that support, lest the ground be cut from under their feet.
It is to the credit of those concerned that I do not believe that such an approach has been taken with this Bill. No doubt it is capable of improvement; I welcome the challenges that have been made by NGOs and by the noble Lords, Lord Coaker and Lord Fox, not least because I was not able to consult in quite such specific terms as I would have liked on the proposals that were put to me by the Home Office. Indeed, there are a few points that I may seek to probe in Committee. But I consider that the Bill is an honest attempt to strike a fair balance in these difficult areas. We risk reversing the operational gains that it promises if we overload the Bill with unnecessary safeguards, or seek radically to reshape the judgments that it makes.
We need powerful weapons to combat the scourges of hostile state activity, terrorism, fraud, people trafficking and child sexual abuse, and we need to embed them in a strong framework that includes the gold standard of prior judicial authorisation for the most intrusive powers. This Bill gives us both those things, and we should not discard or devalue either.
History suggests that the lifespan of investigatory powers regimes is no more than 15 years or so, and technological developments mean that we are likely to be working towards a more fundamental revision of the IPA by the end of the decade, if not before. My report contains some ideas on what these technological developments are and how the process might be started, but for the time being I am glad that time has been found for this necessary Bill. I am happy to give it my support.
The Lord Bishop of St Albans
My Lords, I too thank the noble Lord, Lord Anderson of Ipswich, for his very helpful and excellent work in his area. With the rapid acceleration of technology and technological capacity, I recognise the need for this Bill to be updated. In this context, I welcome the Government’s sense of urgency in addressing the changing landscape in this area, and seeking to close those gaps that potentially endanger both the security and the safety of our nation. My right reverend friend the Bishop of Leeds had hoped to be here today, as he has taken a particular interest in this area, but he is detained elsewhere. We would both like to express two concerns that we believe must be addressed as this Bill is debated in your Lordships’ House.
First, the proposed amendments give the intelligence services vastly expanded powers not only to investigate individuals but to harvest and exploit vast amounts of personal data—not just of crime or terror suspects but of anyone. The collection of bulk datasets of personal details, including facial images and social media activity, is far reaching and potentially indiscriminate, so we must rightly be concerned about how effective any safeguards might be in controlling the power that such access gives to our intelligence services. The risks, particularly under a regime less ethically aware than those we are used to in this country thus far, are substantial. The weakening of safeguards risks endorsing the need for updating surveillance capacity, at the same time as threatening basic human freedoms.
Secondly, it has become clearer by the day that we are developing technical capacity well ahead of the ethical consideration of risk. Ethical thinking might well be deemed inconvenient by those who wish to forge ahead with greater advances and greater security provision. However, to fail to address ethical considerations now will simply leave us, at best, running fast to catch up later once the train has left the station and is already at full speed away in the far distance—and, at worst, having compromised personal and societal freedoms and having changed the nature of a free society.
The current proposals are likely to lead to a broad and vague definition of “public safety” in which the security and powers of the state in one area reduce essential personal freedoms. To that extent, I believe the helpful comments made by Big Brother Watch should be taken seriously and answered comprehensively if we are to be fully aware of the trade-off between two goods: public safety and personal privacy.
No one would wish to stand in the way of His Majesty’s Government’s intention to tackle terrorism, state threats, serious organised crime such as child sexual exploitation, illegal migration and fraud. These need to be faced head-on. The question is whether the proposed extensions contain sufficient safeguards to ensure that the mass of law-abiding citizens in a free society are not caught up in a form of mass surveillance in which they cannot trust that justice and privacy will be upheld.
When the Bill was first passed in 2016, the then Home Secretary said
“it is … right that these powers are subject to strict safeguards and rigorous oversight”.
It is essential that the Bill meets those conditions, but I worry that it does not do so in all places in its current form. We look forward to interrogating the Bill as we take it through its later stages.
Lord Murphy of Torfaen (Lab)
That was an interesting speech by the right reverend Prelate the Bishop of St Albans, because he put his finger on the dilemma of any legislation like this: the balance between liberty as a subject on the one hand and the security of our citizens on the other. That has become increasingly complicated as the years have gone by.
As the noble Lord, Lord Anderson of Ipswich, has mentioned, I was asked by the then Home Secretary, Theresa May, to chair a Joint Committee of both Houses of Parliament to deal with the original Investigatory Powers Bill exactly eight years ago this week. She asked me because I had been chair of the Intelligence and Security Committee. We met for about three months and made 86 recommendations, nearly all of which were accepted by the Government. Those recommendations were nearly all about the balance between liberty and security, which the right reverend Prelate referred to. The committee had 57 witnesses, including the noble Lord, Lord Anderson, and 148 written submissions. The process that took place all those years ago was vital for this sort of Bill. For various reasons we have not had that, and perhaps we will come to that in Committee.
That balance is also reflected in the work of government. For example, when I was Northern Ireland Secretary I had to sign warrant after warrant to deprive our own citizens of their liberty. They did not know it, of course, but that is what we were doing. If we had not done so, the chances are that many hundreds if not thousands of people would have perished in Northern Ireland, and indeed in Britain, because of the way in which the intelligence services were able to infiltrate the IRA and the loyalist paramilitaries.
Of course, a major recommendation of that committee was to have a review of the legislation five years after the legislation had been finished in Parliament. We have been very fortunate that the noble Lord, Lord Anderson of Ipswich, has actually conducted that review. I read it on the weekend. It is a lot to read on a weekend—138 pages—but it is, although on a very difficult subject, a relatively easy read for lay people such as myself. It is thorough; it is full of common sense, and it is practical. In the absence of a pre-legislative committee of both Houses, the review has, in a way, replaced that. Without the noble Lord’s review, we might not have the same Bill in front of us as we do now.
I agree with every single one of the noble Lord’s recommendations and, indeed, in Committee, there may well be more recommendations that this House can put before the Government. I hope that we do not get into a situation where we have to vote on those, but that we can have proper discussions between Members of this House and the Government on what those might be. They could cover internet communications records, bulk personal datasets, the issue of telecommunications companies and their notification of changes in the way they operate—all these things are significant. I just want to touch on one, which is of interest to all of us in here, and that is how we deal with parliamentarians.
The Wilson doctrine is as old as Harold Wilson, of course: it was a long time ago that that happened. I understand that, because we now need three people, including the Prime Minister, to consider these matters, but if the Prime Minister is incapacitated—as Boris Johnson was when he had Covid at that time—what do you do? Presumably, you go to the Secretary of State to be able to deal with that issue. I think that is sensible, but I take my noble friend Lord Coaker’s point that it should not be just any Secretary of State. It should be confined to either the Foreign Secretary, the Home Secretary, the Defence Secretary or the Northern Ireland Secretary; in other words, Secretaries of State who have experience of dealing with warrants, because these are such hugely important matters.
I also want to take up the point that my noble friend made about the Intelligence and Security Committee itself. The Minister will answer whether the committee has been consulted on these proposals: if it has not, it should have been and if it has, it would be useful for us as parliamentarians to know what it said. That is of vital importance to us.
Clearly, we need to update how we deal with the evil and unpleasant people who threaten our security and our lives. The technological innovation in the past eight years has been absolutely dramatic and will get even more dramatic as the years go by. My noble friend mentioned China, the war in Ukraine and Russia, and all those other authoritarian countries that exist on our planet. That is going to get worse. He also mentioned how much more sophisticated criminals now are, so we have to keep up with all this. What struck me in the last six or seven weeks, in the horrific and terrible war that we now see in the Middle East, was that the intelligence services of Israel, which were notably good, obviously failed. It could have been that if they had worked, we might not have had the horror that we now see in the Holy Land. I support this Bill, but I also support it on the basis that it has had immense scrutiny from the noble Lord, Lord Anderson; but there is still work to be done and I look forward to debating it in Committee.
Lord Strasburger (LD) [V]
My Lords, I apologise before appearing—or, more precisely, not appearing—before your Lordships in this manner, but I understand that there has been a failure in the parliamentary network and I cannot appear in video; it was either by telephone or smoke signals, so I will settle for the phone.
I should begin by declaring my interest as chair of Big Brother Watch, which campaigns for the privacy and freedom of speech of the citizens of our country and seeks to protect them from unwarranted intrusion by the state into their lives and their data. Big Brother Watch has managed to rapidly prepare a briefing for parliamentarians about this Bill, and I commend it to Members of this House. It sets out five areas of concern, which I will cover later in my contribution.
However, Big Brother Watch had to work at pace to complete the briefing for this Second Reading because the Government published the Bill only on 8 November, just eight working days ago. I wonder what the reason could be for this rushed processing. Could it be that the Government want to avoid the thorough examination that this detailed and complex Bill needs? If so, the small number of Members who are ready to speak about it today—just 11, including the Minister—suggests that this strategy might have worked. Therefore, my first question for the Minister is to ask for an explanation of why so little time has been given to prepare for this Second Reading.
I sat on the Joint Committee that carried out the pre-legislative scrutiny of the original Investigatory Powers Bill in 2015 and 2016. The noble Lord, Lord Murphy of Torfaen, whom I am pleased to follow in this debate, was the chair of that committee and a very good job he did too. My view eight years ago was, and still is, that bulk data collection—that is, the interception or collection and indefinite storage of everybody’s innocent internet, phone and computer communication—is a serious intrusion on every citizen’s privacy and requires very strong judicial oversight.
Those who support this mass surveillance seek to reassure us by saying that if you have nothing to hide you have nothing to fear. However, in truth do we not all have something to hide that we would prefer to keep to ourselves? That is why we shut the toilet or bedroom door behind us. That is why we do not speak in public about troubling issues in our family or friendship circle such as addictions, unwanted pregnancies, financial woes and the like. There are some things that we just feel are private—the kind of information that, in the wrong hands, can be used to demean or blackmail any of us. That detailed knowledge about every individual in the country could be used by an unscrupulous Government—who are considering ignoring laws and treaties, for example, if that rings any bells. They could use it to identify all citizens of a particular religion, political persuasion, sexual proclivity or whatever, to single them out for disadvantageous treatment or worse—much worse.
The state is collecting this personal information about us all and we cannot predict who in a future Government will get their hands on it and might totally misuse it. All I can say with certainty is that East Germany’s Stasi would have thought that every day was Christmas if it could have laid its hands on such a rich source of intimate data about all its citizens. Therefore, we must achieve a balance between the privacy needs and rights of individual citizens and protection of those same citizens from terrorists and serious and organised crime. It is not an easy balance to get right. I fear that the Government are still erring in favour of capturing too much data about innocent citizens—of course, the vast majority of us.
There is another very strong reason for not engaging in the collection of everyone’s data. The problem is that the useful information about terrorism or organised crime gets buried in a blizzard of useless data about the vast majority of us who are innocently going about our lives. In 2016, the Joint Committee on the Draft Investigatory Powers Bill heard startling evidence about the problem that this causes for security services from a gentleman called Bill Binney, a retired technical director of the United States National Security Agency and a bit of a folk hero in the intelligence community because he predicted with great accuracy when the Russians would invade Afghanistan just by analysing the patterns of their military signals. However, later in his career Mr Binney concluded that the NSA’s policy of collecting the data of all American citizens was unconstitutional, so his team devised software called ThinThread. It used smart collection to pick out for inspection only the communications of known terrorists, those they were talking to—and who those people were talking to.
The management of the NSA instead chose to go down the road of collecting 100% of the data through a highly expensive project, Trailblazer—which was later abandoned—and ignoring Bill Binney’s method of giving the analysts a much smaller but richer and more relevant set of data. The consequence was that the NSA missed the data that it already had in its systems which would have alerted it to the plot to attack the twin towers on 9/11. If only the NSA had known that it had it and had looked at it. We know that the NSA did have it because shortly after 9/11, Mr Binney’s team ran its ThinThread software against the NSA’s database at the time of 9/11 and found six of the 9/11 conspirators and their command centres. Mr Binney shocked the committee by revealing that 9/11 could, and should, have been prevented—if only the American security analysts had not been swamped with useless information.
The price paid by the American people for their security services’ predilection for bulk data collection was very high indeed. Yet here we have in this Bill the continuation of that folly by our own intelligence services. I invite noble Lords to recall the terrorist attacks of the last 20 years and that, almost every time, it was later revealed that the perpetrators were known to the police or the intelligence services. Our people being swamped with irrelevant data must have contributed to the failure to further investigate these suspects before they acted.
The Government will no doubt argue that the advent of artificial intelligence makes it more possible for them to search for needles in haystacks. That may well be so, but some of that advantage will be negated by the massive explosion of data volumes they are now collecting from a wide variety of sources, especially social media and video. The fact remains that they are still holding, and have available for inquiry, huge amounts of data about all of us in this House and in this country—all of it at risk of being misused. Bill Binney’s solution was to immediately encrypt the 99.9% of the data that was of no interest to protect it from snooping, official or unofficial. In the UK we have none of that protection.
The Investigatory Powers Act, to the credit of the then Government, sought to reassure the public that there are limitations on the use of personal data by law enforcement and the security services, and how those limitations are policed. However, it is worth noting that it was also disclosed that several intrusive powers have been used on the British people for many years, without any such constraint. That was because they had been in use without the consent or even the knowledge of Parliament. If it had not been for the brave whistleblowing of Edward Snowden, the contractor to the American National Security Agency, the scandal of the UK’s surveillance powers would not have been revealed to Parliament and may never have been addressed.
We need an Edward Snowden-type whistleblower every few years to keep our security services and our Government honest, because the safeguards that are in place to ensure compliance by the security services and prevent misuse of these highly intrusive powers seem to be inadequate, as illustrated by the TechEn case. This was a very serious breach of the statutory safeguards in the Investigatory Powers Act and the Regulation of Investigatory Powers Act 2000. It was the subject of the scathing judgment against the Security Service and the Home Office by the Investigatory Powers Tribunal in January this year. MI5 admitted that it had been aware, since May 2016, that there was a very high risk it was in breach of its statutory obligations concerning the holding of personal data under both Acts. It also admitted that it should have immediately reported to the Investigatory Powers Tribunal but failed to do this for three years.
The Investigatory Powers Tribunal found that
“there were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards”—
that is, two years earlier than MI5 admitted—and that those failings should
“have been addressed … by the Management Board”.
It was also strongly critical of the Home Office’s failure to inquire further into MI5’s long-standing compliance failures, after being made aware of them several times since 2016. The tribunal found that the Secretary of State breached their duty to make adequate inquiries as to whether the statutory safeguards were being met, and that warrants were issued after late 2014, through to 5 April 2019, that were unlawful and did not meet the safeguarding requirements imposed by the Investigatory Powers Act and RIPA. Other breaches of the safeguards were alleged, but we do not know the tribunal’s verdict on them because they were covered only in the secret part of the judgment.
As the noble Lord, Lord Anderson, whom I also thank for this thorough review, points out:
“MI5’s previous non-compliance has led to it being the subject of particularly rigorous oversight by IPCO with four extraordinary inspections taking place in 2019”.
He later warns that the TechEn case is a
“salutary reminder of the principle underlying the IPA: that exceptional powers require strong and independent external oversight”.
We would do well to remember those words when we come to consider the Bill in detail. There is clear, authoritative evidence that all is not well with the compliance mechanism in the Investigatory Powers Act. Some of us predicted this during the Bill’s consideration in this House. We also called for judicial authorisation to manage the risk of these suspicionless electronic surveillance powers, which are on a scale never seen before in a democracy. Instead, the Government set up a much weaker double-lock system, and now we see the consequences. So my second and third questions for the Minister are: what are the Government’s plans to seriously improve compliance with the Investigatory Powers Act, and will they now recognise that the current supervision regime is failing and needs to be replaced with much stronger arrangements? On a related matter, my fourth question is: when will the Government introduce regulation of a highly intrusive technology that is running riot in policing and security with absolutely no rules, safeguards or oversight—namely, facial recognition?
I turn to this Bill. There are five primary concerns that will be covered in detail in future stages in this House. As has been discussed, it weakens the safeguards against the intelligence services collecting bulk datasets of personal information by potentially harvesting millions of facial images and mass social media data. The Bill’s creation of a vague and nebulous category of information where there is deemed to be a low or no reasonable expectation of privacy is a concerning departure from existing privacy law, in particular data protection law. Such an undefined category requires agencies that are motivated to process such data to adjust safeguards according to unqualified assertions about other people’s expectations of the privacy of their data. On the contrary, data protection law is constructed according to the sensitivity of the information rather than guesswork about the individual’s expectation of privacy concerning personal information. In my view, this provision needs to be worded more tightly.
It weakens safeguards when authorities harvest communications data—for example, membership of and Facebook posts to a racial equality group could be seen as data available to a section of the public as defined in this Bill, and therefore the authorities may wrongly believe that they consequently possess lawful authority to obtain associated communications data from the platform. Once again, more precise wording is needed.
Thirdly, it expressly permits the harvesting and processing of internet connection records for generalised mass surveillance, which is a much wider purpose than originally envisioned.
Fourthly, it increases the number of politicians who can authorise the surveillance of British parliamentarians and members of other domestic legislative bodies. Politicians are not above the law but, given their important constitutional role, spying on them must require the highest authority—namely, that of the Prime Minister.
Fifthly and finally, it attempts to force technology companies, including those overseas, to inform the Government of any plans to improve security or privacy measures on their platforms so that the Government can consider serving a notice to prevent such changes. I am sorry to say that the Government must be suffering from delusions of grandeur if they think that Apple, for example, will agree to desist from improving the privacy protection of its products or to produce an iPhone with downgraded privacy features especially for the UK. Superior privacy for its customers is one of Apple’s main selling features, and it is not going to forfeit that to please the current Government in a small part of its worldwide market.
We have much to discuss when this Bill reaches its Committee stage. In the meantime I look forward to hearing the Minister’s response to my four questions at the end of this debate.
Lord Evans of Weardale (CB)
Not at all.
My Lords, I do not intend to make a long speech. This Bill proposes an important but, I suggest, relatively modest updating of the existing authorisation regime for the use of surveillance powers. It is also based on the excellent and clear review undertaken by the noble Lord, Lord Anderson, who has been thanked many times already and to whom I also give my thanks. His expertise and good judgment in these areas is widely acknowledged, not least within the police and intelligence agencies themselves.
The Investigatory Powers Act 2016 was significant in that it brought the authorisation of surveillance powers into the modern, digital age. Before the 2016 Act, the legal justification for surveillance was achieved by stretching and interpreting laws from an earlier era to cope with new conditions. The 2016 Act addressed modern needs directly with an unprecedented degree of frankness about what was actually possible and necessary. The Act also recognised the highly intrusive nature of investigatory powers that were being authorised and therefore matched those intrusive powers with strong and independent oversight mechanisms.
I respectfully disagree with the right reverend Prelate the Bishop of St Albans: I do not believe the Bill vastly expands the powers of the intelligence agencies. In some areas, it introduces more controls, but it is also very careful to balance any powers with independent oversight. The noble Lord, Lord Strasburger, helpfully drew our attention to the effectiveness of independent oversight where problems have arisen, and he demonstrated that the agencies are drawing attention to areas of failure and that the oversight mechanisms are making the appropriate decisions as to what needs to be done about it. I reassure the right reverend Prelate the Bishop of St Albans that, certainly in my experience, the agencies are extremely conscious of the ethical dimension of their work. In terms of both their external relationship with oversight bodies and their internal discussions, ethical factors are strongly considered and taken seriously.
We are all aware of the speed with which data capabilities, new platforms and artificial intelligence as a whole are developing. It is important that the law should be updated from time to time to keep up with the art of the possible. Data is at least as important as interception when it comes to preventing the very real security threats that we face from causing damage. If we do not update the law, one of two things will happen: either security will be put at risk, or those using the powers will rely on an increasingly creative and elaborate interpretation of the law to keep up with a new situation. We cannot operate within old legislation; neither of those alternatives is desirable, so a new Act is needed.
The key proposals in the Bill seem to be the new regime for bulk datasets and the arrangements for bulk datasets held by third parties but to which the intelligence agencies have access. Neither of these proposals involves a significant increase of intrusion into individual privacy, and in each case, tough oversight controls remain in place. On bulk personal datasets, the 2016 Act created what, in retrospect, appears to be a rather odd situation where the intelligence agencies are not able to use completely open data—such as Wikipedia data—without quite stringent authorisation, but which any member of the public can access without permission. A police force can also access that data without restriction. Our close intelligence allies can do so too, but our own security and intelligence agencies cannot. The same constraints apply for historical or open datasets of the sort that are needed to train artificial intelligence systems to operate effectively.
I cannot think of any good reason why these constraints are needed in their current form, and they have a negative impact on the speed and flexibility with which the agencies can respond to threats. I am therefore glad to see that the Government’s proposals for a less restrictive approach to datasets where there is no or low expectation of privacy have been included. The Investigatory Powers Commissioner will continue to police the low/no boundary so that there is no risk that the less stringent regime will be misapplied or that there will be any form of mission creep. I therefore support the Government’s proposals.
On third-party datasets, the situation appears to some extent to have been reversed, in that access to sensitive data held by third parties is currently not covered by as stringent a regime. This appears to be a small loophole in the 2016 regime, and it is right that access to such datasets should be brought within the authorisation regime, as the Bill proposes. Events since the 2016 Act, including the war in Ukraine, increased state threats and political interference and recent terrible events in the Middle East all mean that the security threats that we face and from which the intelligence agencies help to protect us are at least as acute today as they were seven years ago. At the same time, the technical environment within which the agencies work has changed very fast, and it is right that we should update the legislation that enables them to succeed in their work. I therefore support the proposals in the Bill.
Baroness Bennett of Manor Castle (GP)
My Lords, I apologise to the noble Lord, Lord Evans: my enthusiasm to reinforce the contribution of the noble Lord, Lord Strasburger, who I think made many important points in this debate, got me carried away.
I am delighted to present the Green Party’s position on this Bill. I am very aware of the depth of expertise in this debate, but I reinforce the comments of the noble Lord, Lord Strasburger, in reflecting on the narrowness of the contributions and the short time your Lordships’ House has had to absorb this Bill. I note that I am the only female contributor on the speakers’ list for this debate, which is perhaps one measure of the lack of diversity of views that have been able to participate. I also note that we are talking about further strengthening the Investigatory Powers Act, which, when it was brought in in 2016, was known universally as the snoopers’ charter. Liberty described it as
“the most intrusive mass surveillance regime of any democratic country”.
Since then, a number of court cases brought by Liberty have brought in some restrictions in terms of the operations of the Act, which I very much applaud, but the Act was also subject to a petition from 130,000 people to speak out against the snoopers’ charter. Of course, the speed at which we are operating now makes it very difficult to get such level of public engagement as we saw in 2016.
We are talking about a further erosion of privacy and, as many noble Lords have said, this is a question of balance, but we are tilting the balance very clearly with these amendments to the snoopers’ charter. What is particularly worrying is that this Bill is about granting the security services access to bulk data, which will clearly be used to build what are known as artificial intelligence machine learning models. In essence, the Bill lays the foundation for the Government to use rapidly developing artificial intelligence—so-called; I prefer to call it big data wrangling—in mass surveillance. Not only does this have huge ethical ramifications, but its adoption in surveillance would be extremely irresponsible, given that we do not know how these technologies are going to evolve in future. We have talked about trying to keep up with where they are, but we are potentially opening the door to let them race ahead much further than we can currently comprehend, as we stand in the House today.
In other contexts I have drawn to your Lordships’ attention the rapid increase of privatised medical testing and the widespread advertising of it that we have seen. The noble Lord, Lord Fox, referred to genomic data. What is being assembled is a huge amount of intensely private information about individuals, and if that is then to be opened and exposed to the state on a mass, untargeted basis, that surely is cause for grave concern.
The Bill gives the Government unprecedented powers to monitor and target the entire British population and lays the foundation for use of artificial intelligence in surveillance. This is indiscriminate surveillance. Anyone can be monitored, regardless of whether they are a suspect. This is a complete assault on our right to privacy and raises a real question to ask about the Universal Declaration of Human Rights.
Coming down to some of the detail, Clauses 1 to 4 allow for the mass trawling of social media and for the Government to collect data from every person’s web use, and Clause 14 allows the Government to obtain information from companies around every person’s web use—whereas, before, they were able to look only at specific data. In addition, the potential use of artificial intelligence as part of this Bill means that the Government could in theory identify everyone who is behind every single anonymous social media account, meaning that nobody would have anonymity online.
I am well aware that many people express concerns about anonymity and the behaviour of anonymous accounts online. Here I declare my position as co-chair of the All-Party Parliamentary Group on Hong Kong. I am delighted that the UK has welcomed many exiles from Hong Kong who have sought refuge in the UK, but they remain deeply fearful about the very long arm of the Chinese state. Similarly, we have seen that many Russians have had good cause for concern about the long arm of the Russia state, which, despite the best efforts of our intelligence service, has proved itself capable of reaching within our borders. Anonymity is crucial to some people’s safety in the world. Lest we think of this as being just about states regarded as hostile by the UK Government, let us all remember the fate of Jamal Khashoggi and the actions of our friend and ally Saudi Arabia in his horrific death.
The widespread use of surveillance means that this Bill would push the UK further away from what are considered democratic norms. What is more, as a number of other speakers have already said, this blanket surveillance is not necessarily effective. There is a real risk that, the more information you collect, the harder it is to see the needles in the haystack. This Bill erases some of the checks and balances already in place.
We have seen how far this can go. Again, looking on the international stage—what China is doing to its Uighur population, what it has done in Tibet, and what is happening in Burma—these are situations where the more surveillance there is, the more issues arise. If the UK is heading in the wrong direction, what kind of model are we creating on the international stage? The UK likes to present itself as a leader, a model of democracy, speaking up for democracy in international contexts. We must not be a leader in allowing further steps towards autocracy.
I think it was the noble Lord, Lord Coaker, who spoke of how these technologies have often been used in discriminatory ways. We know that the police, certainly, have unfairly singled out people based on their identity, and that has had dangerous, damaging consequences, both in relation to the treatment of individuals and in relation to communities’ views of the police and our security services. If artificial intelligence is added into this mix, we know that there are built-in biases in the way in which the databases have been developed, and that is a real issue.
We also know—I declare an interest here—that the police and security services in the UK have made disproportionate efforts to monitor politically active individuals, trade unionists and whistleblowers. Providing the police and the security services with greater surveillance capacities means that people who are acting democratically in our society could be—in fact, almost certainly will be—subjected to further unwarranted surveillance. As a number of other noble Lords have said, the fact that Part 5 of the Bill allows further extension of the Prime Minister’s powers to approve interception and examination of MPs’ communications is a cause for grave concern.
To conclude, I will share an experience from the weekend. On Saturday, I was at a protest against the proposed new coal mine in Whitehaven in Cumbria, which is opposed by, among others in your Lordships’ House, the noble Lord, Lord Stern of Brentford. He made similar points to mine about the messages we are sending to the international community. The slogan was “No Time for a Coal Mine”. At that protest, there were 100 or so supporters, and the four of us who were speaking had all advertised this fact on social media beforehand. For nearly all the two and a half hours we were there, flying above us was what I am told was a police drone. There were at this protest of 100 people—all advertised and entirely peaceful with no plans for direct action—at least six police officers, one of whom filmed my contribution and all the other contributions. That is the experience of people peacefully protesting within the UK.
There was another story at the weekend that 15 government departments are monitoring the social media activity of potential critics and compiling files to block them from speaking at public events. This is the experience that people have of the UK state today. We have savage reductions in the right to protest; we have deeply concerning directions of travel, and the Bill is a further step in that direction.
Lord Carlile of Berriew (CB)
My Lords, stimulation comes in many forms, so I think I can say, without any disingenuousness, that it is stimulating to follow the noble Baroness, Lady Bennett. Having heard her and the noble Lord, Lord Strasburger, I feel that I should start with a bit of my own experience, that of dealing with those extraordinary and usually highly intelligent people who work in the various security services. It is outrageous to assume that they would look into an individual’s credit card transactions or anything like that in the way that has been implied by at least two speeches that we have heard. I believe—indeed, I know—that their contributions have been key to the introduction of this Bill and that they have done it with intellectual integrity and with only one thing in their mind: the interests of their country, in which they live. Listening to the noble Baroness, I have a fear that she and I, at least in our minds, live in completely different countries.
The noble Lord, Lord Strasburger, expressed some extraordinary conspiracy theories which just do not exist and which, in my judgment, are—I hesitate to use the word, but I will—misleading. Both the speakers to whom I have referred have been on a safari into irrelevant issues which are not pertinent to the reality of what we are discussing. In the years since 9/11, the date on which I became the Independent Reviewer of Terrorism Legislation—to be succeeded some years later by the brilliance of the noble Lord, Lord Anderson of Ipswich—various Governments all over the world have been challenged repeatedly by both evolving change and unexpected events affecting the terrorist threat landscape.
I suggest that the amount of legislation we have had since 9/11 has reached the point at which the Government should give consideration to a consolidation Bill, a codification in which all counterterrorism, interception and counterextremism legislation is included so that we have a living instrument to which lawyers, police officers, the security services and, of course, parliamentarians concerned can refer—a single place in which all this legislation is kept. This Bill is an example in some parts of the way in which extra legislation is being added piecemeal, although it is fair to say that legislation.gov.uk at least tries to include in Bills, if looked up online, the additional parts that have been created. It really is a time for codification, and the template for that is the Sentencing Code, which was created by Professor Ormerod when he was at the Law Commission.
I used the phrase “terrorism threat landscape” deliberately. Terrorism and related forms of extremism have morphed into one of the major and enduring geopolitical issues. It started with the word “terrorism”, but, since 9/11, these issues have become part of the defence and national security policies in every single country, including our own. It was a surprise when national security originally appeared as part of the defence strategy, but it is now completely established in that context.
Attempts to disrupt the stability of sovereign Governments, sovereign Governments themselves disrupting other Governments and the rise of new international factions are all matters that affect our debate; we have to understand the context of what we are considering. I thank the Minister for ensuring that your Lordships have been fully informed and have been given plenty of time; this has been a matter of discussion for a long time. My noble friend Lord Anderson reported some time ago on the background and primary considerations behind the Bill; I too add my special thanks to him for his excellent, detailed report, which is the foundation of the Bill.
Let us consider the context. The first responsibility of our Government is to keep their citizens safe and free to go about their legitimate business and interests. When we go to a concert, as in Manchester, for example, or to a shopping centre, again, as in Manchester, or come and go to this Parliament, along the streets outside without disturbance, which has not been everyone’s experience in recent days, we should be kept as free and safe from the terrorism threat as is possible within the legitimate constraints we set ourselves as a free society. That does not mean that we should resile for one minute from what we rightly regard as fundamental freedoms, but how fundamental those freedoms are is open to argument based on the assessment of proportionality that was mentioned earlier.
In that context—specifically in connection with bulk data, a major part of the Bill—we need to be realistic. In the years since some of us first handled house brick-sized mobile telephones that slotted into racks in our cars—at the time, I was a Member of the other place—we have ourselves given away, to a wide audience, private matters that, in the past, were closely protected. When we—the middle-aged and older men here, for example—buy clothes online, we give away details of our anatomy, including our shoe and waist sizes. That the security services have any interest in that sort of thing is a myth, but we have given away a huge amount of our information. To allow the state to use that information to catch terrorists seems to me to be a reasonable balance, if that use is circumscribed by the high level of judicial protection that the Bill provides and, in some respects, enhances.
When we speak about bulk data, we should bear in the mind the donation we have made of information, sometimes our most intimate details, and we should reflect on the public interest in allowing the authorities, subject to the protections built into the Bill, to use that bulk data—even the meta data that tells them when we made our calls and to whom, and from whom, they have occurred—to carry out their prime duty to protect the public. Maybe, from time to time, there will be people whose information has been mistakenly or improperly prepared, but they are provided, in this country and in this Bill, with greater legal protections than in any other country that I know.
This is an appropriate and good Bill. The Committee should not be distracted by mythology; it should seek to make the Bill better—but within its existing context.
Baroness Manningham-Buller (CB)
Will your Lordships allow me to speak in the gap? I had not intended to speak in this debate because I knew that my noble friend Lord Evans is more up to date than me. I think my noble friend Lord Anderson has had enough praise already, but I shall add a bit. I promote the noble Baroness, Lady Bennett, because nobody else of her gender was going to speak in this debate. I shall make a few comments on the things that have been said. The noble Lord, Lord Murphy, talked about the balance between liberty and security. Of course that is an issue, but there is no liberty without security. Without making sure that our electoral proceedings, our secrets and our citizens, whether shopping or going on the Tube, have safety in their lives, there is no real liberty. I think sometimes it is an artificial distinction.
I noticed that my noble friend Lord Evans and my successor but one, Ken McCallum, the current head of MI5, gave a public speech in California recently at the Five Eyes conference—a first—and it was reported. There were three things he talked about as really at the top of his concerns: first, whether arising out of the tragic events in the Middle East there would be a resurgence of terrorism in that area; secondly, cyber; and thirdly, the threat to our democracy, including our electoral process, from various states. It is not an accident that the law governing the Security Service emphasises that it is there to protect parliamentary democracy. I find quite strange the idea that it is a threat to it.
I would also like to, I am afraid, dismiss as ignorant the spurious argument that having too much information means that you do not find the people you should have found. As my noble friend has said, you can know of people in this country, and MI5 will know some about whom it has significant concerns, but it does not know what they will do. It is also constrained, rightly so, by the law, and cannot suggest to the police that they arrest people unless there is a good case to do so, any more than it can mount intrusive surveillance unless there is a good case to do so.
The final point I would make in endorsing again what my noble friend has said is that my colleagues in the service and in the other agencies were very conscious that the law gives us powers that are not given to the normal citizen. The Murdoch press occasionally took them with the interception of phones, but they are not given to the normal citizen. They are given to the agencies and the police within the law. Precisely because they are not normal abilities to intrude into people’s privacy, that work has to be done with great care to the highest ethical standards and only when proportionate and necessary. Excuse me for delaying the conclusion of this important debate, but I did not think I could sit patiently and not make those remarks.
Lord Ponsonby of Shulbrede (Lab)
My Lords, I think the whole House will be grateful for the noble Baroness’s intervention speaking in the gap. I thank the Minister for facilitating the briefings which we have had and will have in the coming days on the Bill.
The Bill makes changes to the 2016 Act, as we have heard. The 2016 Act provides a framework for the use of investigatory powers by the security and intelligence agencies, law enforcement and other public authorities. They include the power to obtain and retain communications. It also created the post of Investigatory Powers Commissioner and includes a number of safeguards for the use of such investigatory powers, including a two-stage procedure for obtaining authorisations. Many of the powers in the 2016 Act were pre-existing, as we have heard, and already being used by intelligence and law enforcement agencies. The Government stated that one of the intentions behind introducing the 2016 Act was to bring together and build on the statutory powers already available. The Government explained that the Act was also required to replace emergency legislation passed in 2014, the Data Retention and Investigatory Powers Act, which was subject to a sunset clause.
I agreed with the point made by the noble Lord, Lord Carlile, about the desirability of developing some sort of living instrument and a consolidation Bill to try to bring these pieces of legislation together.
The Bill before us proposes changes which include the creation of a new condition for the use of internet connection records to aid target detection, introducing a less stringent regulatory regime for the retention and examination of bulk personal datasets where individuals have little or no expectation of privacy, and a new notification requirement that can be issued to selected telecommunications operators, requiring them to inform the Government of proposed changes to their products and services that could negatively impact the current ability of agencies to lawfully access data.
I was going to say something about the contributions of the noble Lord, Lord Anderson, to the review of this legislation. My understanding is that all the noble Lord’s recommendations have been accepted by the Government, and I too express the Opposition Front Bench’s gratitude for the work he has done on this.
The Bill is a relatively short Bill of six parts, 31 clauses, and two schedules. I was going to step through its various elements, but I will not do that because it has been adequately covered by speakers earlier in this debate.
Like other noble Lords, I have received emails from industry and advocacy groups raising concerns about the Bill. On 7 November, a Financial Times piece reported that firms, including Apple and Meta, have signalled that they may withdraw from the UK market if they can no longer offer end-to-end encryption to their customers. I will quote from the concluding paragraph of a letter I received from Apple:
“The Home Office’s proposals to expand the IPA’s extraterritorial reach and to grant itself the power to pre-clear and block emerging security technologies constitute a serious and direct threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, the Home Office’s proposal should be rejected”.
The piece, which I am sure we all received, then went on to explain their concerns about providing what they refer to as a back door into end-to-end encryption, and how that undermines the firms’ business model and the security of many other groups operating elsewhere in the world. It is right that we take the points raised by these commercial providers seriously, and maybe we will address them as the Bill progresses.
Similarly, online privacy advocacy groups such as Open Rights Group and Big Brother Watch have expressed their concerns, and we have heard from the noble Lord, Lord Strasburger, and the noble Baroness, Lady Bennett, today. It is worth saying that I agreed with every word of the noble Lord, Lord Carlile, when he said that he and I live in a different country from that spoken about by the noble Lord and the noble Baroness. We need to consider the concerns being addressed in the Bill, but also the wider context that other countries and other very large companies have access to bulk datasets—maybe not our bulk datasets—and are using that data in ways that we need to understand and pre-empt, if they are working against our national interest.
I conclude by talking about my own experience as an engineer, which is relevant to the debate we have just had. It used to be my working life to deal with very large datasets, make predictions based on them, and inform management about those predictions. One of my experiences was that it is very easy to mislead oneself because one is analysing large amounts of data. One needs to be realistic and at the same time see the possibilities of these extremely large datasets. It is a huge challenge. Huge amounts of data are used just to process them, and the maths and the imagination behind it is developing as we speak. The Bill in front of us now is a relatively modest step in the road, and we need to keep reviewing the processes available to us and reviewing the legislation to try to underpin them.
Lord Sharpe of Epsom (Con)
My Lords, I thank all noble Lords who have spoken. There have been many expert and valuable contributions to today’s debate. I particularly thank the noble Lords, Lord Coaker, Lord Ponsonby and Lord Fox, for their broad and very constructive support for the Bill. Obviously, I very much thank—again—the noble Lord, Lord Anderson, for his work. I also thank the noble Lords, Lord Murphy and Lord Evans, and particularly the noble Lord, Lord Carlile, who I thought was very eloquent, for their contributions. I thank the noble Baroness, Lady Bennett, for provoking the noble Baroness, Lady Manningham-Buller—a thing I am always very reluctant to do.
The support was more qualified from the right reverend Prelate the Bishop of St Albans, but I hope to assuage his concerns in my remarks and will certainly endeavour to deal with some of the concerns of the noble Lord, Lord Strasburger, who asked whether we were trying to avoid detailed scrutiny. The answer is: absolutely not. The Bill was ready, having followed the detailed and expert scrutiny of the noble Lord, Lord Anderson—as noted by the noble Lord, Lord Carlile—and, of course, we could not pre-empt what might be in the King’s Speech. In the case of this Bill, parliamentary time currently allows. We have engaged extremely extensively and, frankly, the country needs it. That is a very compelling set of circumstances behind introducing the Bill now.
I feel I ought to take issue with the fact that the noble Lord, Lord Strasburger, said that the country, or all countries, “need a Snowden” occasionally. As I understand it, it has been alleged that people died because of the activities of Snowden, so I am not sure that that is a generally fair point.
I will deal with the questions raised in as much detail as I can in the time available and will start with bulk personal datasets and, in particular, privacy. I thought the noble Lord, Lord Carlile, gave an excellent speech on this subject, but obviously there are concerns so let me do my best to assuage them. The Bill creates a new regime for the retention and examination of bulk personal datasets where there is a low or no reasonable expectation of privacy. The nature of these datasets means that individuals to whom the data relates would have low or no reasonable expectation of privacy in relation to the datasets so, for example, an individual may have consented to the data being made public or the data has already been manifestly made public by the individual. That includes categories of datasets such as public and official records, news articles, content derived from online video-sharing platforms, and publicly available information about public bodies.
For example, a dataset that is likely to meet the test of having no or only a low expectation of privacy is the Companies House register, a government register of company information that is open to the public to search online and download. I have noted the recommendation of Big Brother Watch and I read it in some detail. I think it is based on a misunderstanding but perhaps it is worth going back into the reason why we are making these changes now. The way the existing regime was designed did not foresee the exponential increase in the use of, complexity of and changing nature of data. The scale and different kinds of data that are now available is unrecognisable in comparison to the picture in 2016. It did not foresee the extent to which cloud and commercially available tools would make analysis of datasets possible, the extent to which publicly available data would increase in value for the intelligence agencies compared to sensitive data which used to be obtained through traditional covert powers, and the extent to which intelligence agencies would need vast quantities of publicly available data to train machine learning models.
The intelligence agencies have been inhibited from maximising opportunities when compared with the private sector and academia, as well as our adversaries, as a result of the gold-plating of some of the Part 7 regime. It is important to note that the datasets would not necessarily be authorised under the new regime in Part 7A solely by virtue of their being publicly or commercially available, and that is particularly important when considering datasets which have been hacked and/or leaked.
On the subject of safeguards, there are of course safeguards in place to prevent misuse of the powers in the Bill. The safeguards that will apply to bulk personal datasets with low or no expectation of privacy will be calibrated to reflect the intrusion that is likely to arise from their retention and examination, ensuring that the rights of the individuals to whom the data relates is adequately protected while also enabling the intelligence services to make more effective use of these datasets. This will include requiring prior judicial authorisation on whether a category of datasets or an individual dataset can be considered to meet the test for authorisation under the new Part 7A regime; that is, that they meet the test for low or no expectation of privacy.
In answer to the noble Lord, Lord Fox, the Bill creates an obligation on the head of an intelligence service to stop any activity that relies on any data discovered in a BPD where the low or no reasonable expectation of privacy assessment no longer applies. The safeguards are being recalibrated to ensure that the regime better reflects the threats and opportunities of the modern world, but they remain robust, with the important protection of judicial approval at their heart.
Internet connection records were referred to by the noble Lords, Lord Coaker and Lord Strasburger, among others. They asked why there are no specified time limits for the period that internet connection records can be sought under the new condition. The driver for this change is to enable the intelligence services and the National Crime Agency alone—I will come back to the National Crime Agency—to carry out target detection to identify previously unknown high-harm offenders. The current requirement for unequivocal knowledge of the time a service is accessed, which service is accessed, or the identity of a person, before an internet connection record can be sought is preventing this from happening. So, it is important we do not create similar conditions under this proposal which will continue to restrict this critical investigative work.
These investigations will be targeted and case-specific, so it is not possible to include a time limit which could work across the range of investigations being undertaken. However, I can reassure noble Lords that requests will be time-bound based on the specifics of the case and they will be driven by intelligence, not used as speculative fishing exercises. Furthermore, the new condition is also limited in terms of the purposes it can be utilised for. It can, and I stress this, be used only for national security and serious crime purposes. It is important to note that there are several other safeguards in place, including a requirement for the request to be both necessary and proportionate. A request that sought records over a very long period of time is highly likely to be neither necessary nor proportionate, and all ICR requests are subject to independent ex post facto oversight. All ICR requests are valid for only one month and an application must be renewed at the end of that period.
The noble Lord, Lord Coaker, asked why this is being extended to the NCA. I recognise that the noble Lord, Lord Anderson, initially proposed that the new condition should extend only to the intelligence services, although I understand that he now sees value in it being extended to the NCA because the NCA plays a vital role in protecting children from sexual exploitation and abuse, so it is essential that it has all the tools at its disposal to counter that particular threat.
The noble Lord, Lord Fox, asked about roaming data, and in particular subjects of interest using a foreign SIM card. On that example, in the circumstances where a subject of interest was using a SIM card obtained in a third country and was therefore using international roaming while in the UK, under the proposed amendments an exception for this data will be made, allowing UK telecoms operators to retain it under a retention notice which has been double locked. This will then allow operational partners with the appropriate authorisation to access the retained data when necessary for the purpose of prevention and detection of crime and, again, protecting national security.
On the subject of the notices reforms and the tech companies, which I think most noble Lords referred to, some tech companies have expressed concerns in public fora in advance of the Bill’s publication that these measures may place onerous or burdensome obligations on an operator, could undermine security or could allow the Secretary of State to prevent technical or relevant changes. I assure all noble Lords that these concerns are misplaced. The Bill does not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures by companies, contrary to what some tech companies have incorrectly speculated. Rather, we are making a series of adjustments to ensure that the notices regime continues to be effective in the face of modern technologies and the structures of companies in the modern digital economy.
None of the measures in the Bill seeks to reduce the competitiveness of UK tech firms, or indeed to discourage innovation. Careful consideration has been given with regard to these measures, striking a balance to ensure that the law enables us to mitigate the risks posed by changing technology, while still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.
These measures do not create any new acquisition powers but will maintain the efficacy of long-standing powers. We therefore do not anticipate that they will put disproportionate burdens on businesses. Rather, they formalise processes that are already in place.
The Government support technological innovation and advances and have always been clear that we support strong end-to-end encryption, as long as it does not come at a cost to public safety. Together with our international partners, we believe that tech companies have a moral duty to ensure that they are not blindfolding themselves and law enforcement to abhorrent crimes such as child abuse and terrorism on their platforms. These amendments will not introduce significant changes to the existing powers, ban end-to-end encryption or introduce a veto power for the Secretary of State regarding the rollout of new technologies and security measures.
On a question asked of me by the noble Lord, Lord Fox, with regard to notices and the pre-clearance requirement, these amendments do not introduce a requirement for pre-clearance for the Secretary of State regarding the rollout of new technologies and security measures by companies. Fundamentally, the changes to the notice regime are about ensuring that the decisions on public safety are made by Ministers and are subject to judicial oversight as Parliament intended and as the public would expect, to keep them safe.
On the triple lock, noble Lords—in particular the noble Lords, Lord Coaker and Lord Murphy—asked for clarification as to whether the Prime Minister could delegate an authorisation requiring the triple lock to anyone they wanted to. I can reassure noble Lords that that is not the case. The Bill proposes that the Prime Minister will designate in advance a group of Secretaries of State who could authorise the warrant on his or her behalf. The alternative approver would need to be a Secretary of State and not the same Secretary of State who authorised the warrant at the earlier stage of the triple lock. I hope that provides the necessary reassurance on the restrictions that will be in place under this clause. Restricting the decision on suitable deputies is for the Prime Minister to decide, but it is clear that there needs to be sufficient resilience in the system to ensure that there are enough alternative approvers with the necessary experience.
The noble Lord, Lord Coaker, also asked me about ISC oversight and parliamentary oversight. He will be aware that the Intelligence and Security Committee examines the policies, expenditure, administration and operations of the UK intelligence community, and sets its own agenda and work programme. Obviously, it will maintain that oversight function for the measures in the Bill, but I can tell the noble Lord that the Security Minister will spend some time with him on the subject of the Bill next week, which I hope will assuage any concerns.
I need to go into the subject of safeguards in more detail in light of the speeches given by the noble Lord, Lord Strasburger, the noble Baroness, Lady Bennett, and the right reverend Prelate the Bishop of St Albans. I assure noble Lords that the measures contained in the Bill, and in the IPA, are underpinned by a robust and world-leading safeguards regime. They are not failing.
Numerous safeguards exist to prevent the misuse of investigatory powers, ensuring that they are used in accordance with the law and in the public interest. The Bill contains measures that will introduce new safeguards and improve the resilience of the Investigatory Powers Commissioner. We are improving oversight and increasing safeguards to ensure that powers in the IPA are not misused.
Strong safeguards are already in place to ensure that investigatory powers are used in a necessary and proportionate way. That includes independent oversight by the Investigatory Powers Commissioner’s Office and a right of redress through the Investigatory Powers Tribunal.
The powers can be used only for the statutory purposes set out in the Act, including in connection with the most serious crimes and national security. We are also taking the opportunity to strengthen safeguards in other parts of the regime—for example, by creating a new statutory oversight regime for the intelligence agencies’ access to datasets held by third parties rather than retained by the agencies themselves.
On the subject of retention, the noble Lord, Lord Strasburger, talked about data being held indefinitely. However, retention of data is subject to stringent safeguards under the IPA. It can be retained only provided it is necessary and proportionate, and it is not authorised indefinitely. This is regularly reviewed, and records of holdings are subject to inspection by the Investigatory Powers Commissioner’s Office.
The noble Lord, Lord Strasburger, also referenced the recent TechEn judgment. The investigations carried out by the Investigatory Powers Commissioner and his team in response to TechEn are evidence that the oversight, transparency and safeguarding arrangements provided for in the IPA are working as they should. In the Liberty judgment of 2019, the High Court found that
“The safeguards contained within that Act are capable of preventing abuse”.
While the TechEn case outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure that there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.
I also wish to be clear that there has been no finding by the tribunal that MI5 misused the data in question nor any suggestion of this at any time during this process. As the then Home Secretary, Sajid Javid, noted in 2019,
“none of the risks identified relate in any way to the conduct and integrity of the staff of MI5”.—[Official Report, Commons, 9/5/19; col. 30WS.].
Finally, I reference the endorsement that the tribunal has provided on the robustness of the oversight regime and safeguards contained within the IPA, including the adequacy of the measures available to the Investigatory Powers Commissioner. TechEn does not, therefore, suggest that the system is fundamentally flawed but shows that it works as intended when non-compliance occurs.
Many noble Lords have made important points about balance in this debate, particularly regarding privacy. I particularly note the noble Baroness, Lady Manningham-Buller, whose comments were spot on. It is fair to express concern about the impact that the Bill will have. Privacy is at the heart of the IPA, and this will remain the case under this Bill. The IPA contains robust, transparent and world-leading safeguards centred around considerations of intrusion into privacy. This includes a requirement for investigatory powers to be used in a necessary and proportionate way, with independent oversight by the Investigatory Powers Commissioner and redress through the Investigatory Powers Tribunal. The Bill builds upon these already world-leading safeguards, further strengthening the oversight regime, as I have just outlined. I also note that in 2018, the then UN special rapporteur on the right to privacy noted that the introduction of the IPA allowed the UK to claim a global leadership role in the protection of civil liberties. I note that this was not referenced by the noble Lord, Lord Strasburger, but I am sure that he would like to read that notification.
The noble Lord, Lord Carlile, made some very good points about codification of the various laws in this space. I defer to his extensive knowledge. I will also ensure that his thoughtful remarks are noted in the appropriate parts of government. Obviously there is very little that I can comment on regarding this now, however.
I have endeavoured to address the contributions made by noble Lords today. I apologise if I have missed any questions that were asked of me. I will scour the record and write if that is the case. I express my commitment to further engagement with noble Lords. I look forward to further discussions as the Bill continues its passage, as we seek to ensure it achieves the crucial objective of making our country and our citizens safer. For now, I commend this Bill to the House.
Lord Sharpe of Epsom
That the Bill be committed to a Committee of the Whole House, and that it be an instruction to the Committee of the Whole House that they consider the Bill in the following order:
Clauses 1 to 13, The Schedule, Clauses 14 to 31, Title.