Investigatory Powers (Amendment) Bill [HL]
Monday 11th December 2023
(4 months, 2 weeks ago)
Lords ChamberInvestigatory Powers (Amendment) Act 2024 View all Investigatory Powers (Amendment) Act 2024 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 3-II Second marshalled list for Committee - (11 Dec 2023)
Lord Coaker
“(b) the extent to which information contained within the personal data has been made public as a result of steps deliberately taken by the data subject;”Member’s explanatory statement
This amendment would ensure the definition of a low privacy bulk personal dataset is in line with the definition set out in Schedule 10 of the Data Protection Act 2018.
Lord Coaker (Lab)
My Lords, before I get to the specifics of my Amendment 1, I will make some general remarks. I thank the Minister and all his officials for their very helpful briefing and the collaborative way in which they have approached the Bill. As he knows, we support the Bill, but we will seek clarification and further information about a number of clauses and the details in them.
It is important for me to say that this is the Committee stage, so some significant details will be explored that will be helpful to us. Indeed, on my own part, there may be one or two misunderstandings as to the actual meaning of certain parts of the Bill. None the less, it is an important Bill and an important step forward for our country and its security; I think we all want to see it be as successful as it can be.
This group of amendments deals with bulk personal datasets. These include personal data where a large majority of people included will not necessarily be relevant to an intelligence investigation. Currently, all BPD warrants must go through a double-lock process of approval via the Secretary of State and then a judicial commissioner, and must be renewed every six months. Agency heads must also perform certain functions associated with the warrant.
As the importance of data-based intelligence grows, the Bill rightly includes several measures to make it easier and quicker to analyse various datasets. Individual BPDs considered to have a low or no expectation of privacy could be approved by intelligence agency heads if urgent or if they fall into a category approved by a judicial commissioner. For urgent cases, judicial commissioners have three days to review the warrant.
BPD warrants will need to be renewed only after 12 months, instead of six, which seems sensible. Some functions can be delegated from heads of agencies to an official while maintaining overall responsibility. The Bill also ensures that third-party BPDs—mostly commercially held data—are regulated similarly to other BPDs. The double lock of the Secretary of State and the judicial commissioner would remain for all BPDs, apart from ones considered urgent by the Secretary of State. For urgent cases, a judicial commissioner would have three days to review the warrant. Again, much of that is very sensible and improves the current situation.
I tabled my amendments in the spirit of probing what the Government mean, and I will ask some questions for clarity. Amendment 1 probes why the definition of low-privacy datasets differs from existing data protection legislation. Being the sort of person I am, yesterday I read the relevant section of the Data Protection Act 2018. It differs from Clause 2, where the Minister lays out:
“Low or no reasonable expectation of privacy”
for authorisations and the various factors to be taken into account. Given that the Data Protection Act also talks about access to data, about intelligence services having to have consent and about intelligence agencies having various conditions applied to them when seeking authorisations to access data, it would be helpful to the Committee to understand which applies to the authorisations and how the various pieces of legislation interact with each other. Otherwise, we have what is included in this Bill as well as what is included in the Data Protection Act 2018. Amendment 1 seeks to understand where and how the two relate to each other, whether one supersedes the other and whether the Data Protection Act is now irrelevant to the authorisations laid out in the Bill. It would be helpful for us to understand that.
Lord Fox (LD)
I rise to speak to Amendment 2 and several others in this group in my name. This amendment probes the extent to which paragraphs (d) and (e) of proposed new Section 226A(3) depart from current privacy laws. Like the noble Lord, Lord Coaker, we seek clarification. Also like the noble Lord, as far as we are concerned the purpose of this Committee is to probe, get information and understand how the Government interpret some of the measures in the Bill.
Bulk personal datasets represent the largest part of the Bill, and this amendment primarily probes the differences in the definitions in the Bill and those set out in Schedule 10 to the Data Protection Act 2018. The Bill creates a new and essentially undefined category of information where there is deemed to be low or no reasonable expectation of privacy: so-called low/no datasets. This is a departure from existing privacy law, in particular data protection law. With regard to low-privacy bulk datasets, the relevant circumstance, in Schedule 10 to the DPA, is that
“information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”.
This is a different standard from the expectation of privacy in the new BPD category, whereby information is considered low privacy according to
“the extent to which the data is widely known about”
and if it
“has already been used in the public domain”.
As your Lordships will observe, there is a big difference between those two definitions. For example, whereas facial images from public CCTV may be considered low-privacy BPD under the Bill, they would be considered personal data and possibly subject to sensitive processing under the DPA. As the Minister knows, this is a contentious area of law, and a real-life example is Clearview AI’s database of 30 billion facial images harvested from social media platforms for highly facial recognition searches. Some could have been classified as low privacy, as the photos have already been made public by the individuals, but the Information Commissioner’s Office found Clearview AI in breach of the DPA.
Similarly, a database of all public Facebook or other social media posts could be argued to be a low-privacy database, despite the fact that it will be a comprehensive database of billions of people’s social networks, sexual orientations, political opinions, religion, health status and so on. Under the DPA, much of this data qualifies as sensitive personal data, incurring extra protections when it comes to retention and processing, regardless of whether the information can be considered to have been made public.
The DPA would still apply to the intelligence agencies in processing—at least, that is our view, and we would like to like the Minister to comment on that—but under the Bill as drafted the contradictory standards would also apply. How do these two standards work together? I assume the department has looked at the likelihood of possible challenges to this new category of data, and indeed the likelihood of such challenges being successful, so it would be helpful if the Minister could enlighten us in that regard.
Schedule 10 to the DPA sets out circumstances in which the agencies can conduct sensitive processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health or sexual orientation; biometric or genetic data that uniquely identifies an individual; and data regarding an alleged offence by an individual. Does Schedule 10 apply in the case of data identified as “low” or “no” by the Bill?
An example highlighting the potential divergence is data that has been hacked and then leaked out. While not deliberately made public, as per the DPA requirement, it is arguably public and available in the public domain. What is the Minister’s view as to how the Bill regards that sort of data in a low/no context? To test this, the amendment seeks to strengthen the condition in proposed new Section 226A(3)(b) by aligning it with the test in the Data Protection Act for sensitive processing. Data protection law is currently constructed according to the sensitivity of information rather than the individual’s expectations of privacy concerning personal information. As we know, expectations differ greatly from reality, and from person to person. The central questions this poses are: why does the new Bill deviate from Schedule 10 to the DPA, and how will the DPA and the IP work together using the new definition of this Bill?
We are debating a small number of quite large groups today which, unfortunately, means that quite a number of my amendments appear one after another. I will speak as briefly as I can, but I am afraid there is quite a lot of detail coming up. I will speak first to Amendments 4, 5, 6 and 7. Amendment 4 probes the purpose for which bulk datasets will be used by the intelligence services. Amendments 5 and 6 probe the circumstances in which an authorisation is urgent and therefore not authorised in advance by a judicial commissioner. Amendment 7 would require the person granting an authorisation in urgent cases to immediately notify the judicial commissioner that they have done so.
These amendments are similar in purpose and spirit to Amendment 3 from the noble Lord, Lord Anderson, which I have co-signed and support. The basic explanation from the Government for proposed new Part 7A has been that these datasets are needed to train tools using machine learning and that they already exist and are being used in the commercial world, but the Part 7 process makes them difficult for the intelligence services to use. If training AI tools is the stated prime mover for Part 7A, the inclusion of urgent data as one of the three types of data clearly indicates it is also needed for ongoing investigations.
In that regard, proposed new Section 226BC refers to a “relevant period” of three working days between the acquisition of the urgent data and the granting of full judicial approval, giving the relevant service three days to work with data and information that might eventually be ruled out of bounds by the judicial commissioner. All the amendments are intended to understand how Part 7A is to be used in operations, rather than tool training, and what urgent circumstances are envisioned that would negate the need for prior JC approval of an authorisation.
Amendment 4 seeks to restrict the application of Part 7A powers to training and learning functions of the intelligence services, meaning that operational purposes would be excluded. This is designed to get the Minister to explain the operational needs which define an urgent need.
Amendment 5 removes the ability of a person to grant an authorisation if there is an urgent need. Clearly, this gives the Minister a chance to justify why such data might be operationally needed. Amendment 6 provides a definition of what might be considered “urgent circumstances”. The Minister might want to contribute a different definition, but we feel the definition of “urgent” should be included in the Bill. Amendment 7 provides an additional safeguard by requiring a JC to be notified immediately where an authorisation has been granted in an urgent case. This essentially creates an opportunity to close the potential gap between when the data is deployed and when the JC rules on its admissibility—but not, of course, removing the gap entirely.
Lord Anderson of Ipswich (CB)
My Lords, I welcomed this Bill at Second Reading, and the warmth of my welcome has not diminished. However, I am pleased to see so many amendments down to Part 1. As the noble Lord, Lord Fox, has said, the new rules for certain bulk personal datasets do not displace or dilute the currently applicable protections under the Data Protection Act, but they are probably the most operationally significant of the changes that we are looking at, and therefore can only benefit from careful scrutiny of the kind that noble Lords have so enthusiastically invited.
I have one general comment. Despite some of the kind words that were said about my report at Second Reading, I was not asked to design this Bill from scratch, nor to comment on anything as precise as a provisional text. Rather, my task was to assess proposals that were put forward by government and that in some cases evolved during the currency of my review. Although I did run a consultation as part of my review, its value was reduced by the rather limited amount I was able to say about the Part 1 proposals and some of the others. So although I did receive a handful of very helpful responses, there will certainly be points that did not occur to me and to which others were not able to alert me. The Bill is also, of course, in some respects more detailed than my recommendations. I look forward to hearing the Minister’s response to the various amendments in this group.
I will say a quick word about each of the amendments in my own name; there are only two. My probing Amendment 3 I offer to the Government as a Christmas present, as I thought it might suit them. If for any reason they do not like it—and I suspect they may not—then that is up to them; we can hardly force it on them. The background is this: it seemed to me that the question of whether individuals have a low, or no, expectation of privacy might depend in part on the use to which the datasets will be put. If, for example, an agency were prepared to commit to using a dataset only for training a large language model and not for operational purposes, perhaps that might be one of the factors pointing towards a low/no classification. The agencies and the Government politely explained to me—if I paraphrase correctly—that this was not a very practical suggestion, so I did not push it further, save to mention the point in paragraph 3.51 of my report.
Sure enough, the anticipated use of a dataset is not one of the factors listed in new Section 226A(3), where the factors are set out. But turn over the page to new Section 226BA, which deals with category authorisations, and there you see in subsection (3) that a category authorisation may describe a category of BPDs by reference to—among other things—
“the use to which the data will be put”.
My question to the Minister is simply this: if the use to which a dataset will be put can be relevant to the formulation of a category of low/no datasets, then why is it not relevant to the assessment of an individual dataset as low/no or otherwise? The Minister’s answer may be that the list in new Section 226A(3) is not exhaustive and that there is no reason why intended use should not be one of the circumstances taken into account under subsection (2) when considering whether a BPD is low/no. In that case, can he explain why intended use is not mentioned in new Section 226A when it is mentioned in new Section 226BA?
Lord West of Spithead (Lab)
My Lords, if I suddenly fall over, it is not excitement over my amendments but that I have a brand new starboard knee, which is still slightly wobbly, so I might look a little wobbly at times.
Noble Lords will recall that the Investigatory Powers Act was introduced as a result of the Intelligence and Security Committee of Parliament’s 2015 report, Privacy and Security, which recommended that a new Act of Parliament be created to
“clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required”.
However, as the noble Lord, Lord Anderson, recognised in his recent report, which he referred to, there have been a number of changes since the Act was introduced. We now face a very different threat picture from that which we did in 2016, with an increased threat from state actors such as China, Russia and Iran, and a significant rise in internet-enabled crime, including ransomware and child exploitation. The pace of technological change has been incredible. Developments in the fields of data generation, cloud services, end-to-end encryption, artificial intelligence and machine learning have all created challenges, as well as opportunities, for law enforcement and the intelligence community.
The Intelligence and Security Committee, of which I am a member, therefore welcomes the introduction of this Bill. The ISC has considered classified evidence relating to the Bill and questioned all parts of the intelligence community and Ministers on the need for change. However, as ever, the devil is in the detail. The committee considers that there are several areas in which the Bill must be improved and, in particular, safeguards strengthened.
Parliament must ensure that the balance between privacy and security is appropriate, and that there is sufficient independent oversight of the work of the intelligence community, given the potential intrusiveness of its powers. The Bill seeks an expansion in the investigatory powers available to the intelligence services. While this expansion is warranted, any increase in investigatory powers must be accompanied by a concomitant increase in oversight. I have previously spoken about the refusal of the Government to update the remit of the ISC, or to provide the necessary resources for its functioning, such that it has
“oversight of substantively all of central Government’s intelligence and security activities to be realised now and in the future”,—[Official Report, Commons, Justice and Security Bill Committee, 31/1/13; col. 98.]
as was the commitment given by the then Security Minister in the other place during the passage of the Justice and Security Act.
The House has made known its views on this long-standing failure during debates on several recent national security Bills, including the National Security and Investment Act, the Telecommunications (Security) Act and the National Security Act. However, despite repeated attempts by this House to ensure effective oversight, this has been ignored by the Government. The Government cannot continually expand and reinforce the powers and responsibilities of national security teams across departments and not expand and reinforce parliamentary oversight of those teams as well. The committee expects the Government to take this opportunity to bolster the effective oversight they say they value. If they do not, then they should expect that Parliament will. I therefore call upon the Government once more to update the ISC’s memorandum of understanding to ensure sufficient oversight of all intelligence and security activities across government. Indeed, this was the quid pro quo that Parliament expected during the passage of the Justice and Security Act 2013, and I trust that Parliament will take the same view now.
I turn to Amendment 10, which is designed to close a gap in oversight. Proposed new Section 226DA requires that each intelligence service provide an annual report to the Secretary of State detailing the individual bulk personal datasets that they retained and examined under either a “category authorisation” or an “individual authorisation” during the period in question. My amendment would ensure that there is independent oversight of this information, rather than just political oversight. The amendment would provide that the annual report be sent also to the Intelligence and Security Committee of Parliament and the Investigatory Powers Commissioner. IPCO has a degree of oversight included in the Bill already, since judicial commissioners approve both individual and category authorisations at the point of issue and approve the renewal of any authorisations after 12 months. This is not full oversight. Further, there is currently no democratic oversight at all of category authorisation, which is not appropriate. My amendment would ensure that IPCO and the ISC have oversight of the overall operation of this new regime.
Noble Lords will note that I have also tabled an amendment to notify IPCO of any new individual datasets that are added to category authorisations by the intelligence services. That amendment would work alongside this, and the ISC considers that the combination would provide an appropriate balance of real-time and retrospective oversight for these new powers. It is vital that the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation are not watered down by the changes under this new Bill. Instead, they must be enhanced in line with the increasing investigatory powers. This is what the ISC seeks to achieve by the amendments I have tabled today.
Amendment 12 is consequential on the amendments that I have just talked about.
I speak now to Amendment 13. Part 7A of the Bill provides for a lighter-touch regulatory regime for the retention and examination of bulk personal datasets by the intelligence services where the subject of the data is deemed to have a low or no reasonable expectation of privacy. Approval to use such a dataset may either be sought under a category authorisation—which encompasses a number of individual datasets that have similar content or may be used for a similar purpose—or by an individual authorisation, where the authorisation covers a single dataset that does not fall neatly within a category authorisation or is subject to other complicating factors. In the case of a category authorisation, a judicial commissioner will approve the overall description of any category authorisation before it can be used. A judicial commissioner will also approve any renewal of a category authorisation after 12 months and the relevant Secretary of State will receive a retrospective annual report on the use of all category and individual authorisations.
This oversight is all retrospective. What is currently missing from the regime is any form of real-time oversight. Under the current regime, once a category authorisation has been approved, the intelligence services then have the ability to add any individual datasets to that authorisation through internal processes alone, without any political or judicial oversight. This would mean relying on the intelligence service to spot and rectify any mission creep, whereby datasets might be added to a category authorisation in a way that was not consistent with the definition of the original authorisation, which lasts up until the 12-month marker for renewals.
While we have every faith in the good intentions of the intelligence services—and I do not mean that in a joking way, because we have been amazingly impressed by them—no legislation should be dependent on the good will of its subjects to prevent misuse of the powers granted therein, particularly where those powers concern national security. The ISC therefore seeks to fill that very worrying gap.
My amendment proposes a new section in Clause 2—proposed new Section 226DAA—which would ensure that the IPCO was notified whenever a new individual bulk personal dataset was added by the agencies to an existing category authorisation. Notification would simply involve the agencies sending to the Investigatory Powers Commissioner the name and description of the specific bulk personal dataset as soon as reasonably practicable after the dataset was approved internally for retention and examination by the intelligence services.
The amendment would require not that the use of the dataset be approved by the IPCO but merely that the commissioner be notified that it had been included under the authorisation. It therefore does not create extra bureaucracy or process. Indeed, it provides for a flow of real-time information between the intelligence services and IPCO, to allow for the identification of any concerning activity or trends in advance of the 12-month renewal period. Any such activity could then be investigated by the commissioner as part of its usual inspections. The ISC believes that this amendment strikes the right balance between protecting the operational agility of the intelligence services and safeguarding personal data at any level of sensitivity.
Noble Lords have already considered my related amendment, to provide the annual report to the IPCO and the ISC, as well as to the Secretary of State. The committee believes that this combination of real-time oversight through the notification stipulated in this amendment and retrospective oversight, through the involvement of judicial and political oversight bodies, is necessary to provide Parliament and the public with the reassurance that data is being stored and examined in an appropriate manner by the intelligence services.
I repeat my entreaty to the House: the robust safeguards and oversight mechanisms so carefully considered by Parliament in respect of the original legislation must not be watered down by the changes under this new Bill; they must be enhanced in line with the increasing investigatory powers.
Lord Hope of Craighead (CB)
My Lords, I have added my name to Amendments 3 and 15 in the name of the noble Lord, Lord Anderson. I have nothing to add to what he said in support of Amendment 15, but I shall add a word about Amendment 3, which was the subject of the Christmas present of the noble Lord, Lord Anderson. It requires one to look a little more carefully at proposed new Section 226A(2), which provides as follows:
“In considering whether this section applies to a bulk personal dataset, regard must be had to all the circumstances, including in particular the factors in subsection (3)”.
What the noble Lord, Lord Anderson, is seeking to offer the Minister the invitation to include is the use to which the datasets are to be put. He draws strength for that proposition from what one finds in new Section 226BA(3), in which express reference is made to the use to which the datasets will be put. It can be said in support of this proposal that it seems a little strange not to include the use to which the datasets are to be put, if they are mentioned expressly in new Section 226BA(3). I suppose that one could say that, since new Section 226A(2) is very widely phrased and includes all the circumstances, that the Christmas present of noble Lord, Lord Anderson, is already there as already there as one of the circumstances, but it is probably happier to include it expressly, just for the avoidance of doubt. It is for the avoidance of doubt that the strength can be found in the proposal that he has put forward.
Lord Murphy of Torfaen (Lab)
My Lords, I support my noble friends Lord Coaker and Lord West with regard to the Intelligence and Security Committee amendments. In 2005, when I became the chair of the Intelligence and Security Committee, nearly two decades had passed since the committee originally started life, when people did not really understand what it was all about. It had not been accepted, particularly, by agencies or by the Government, but over those 20 years, it became accepted. After I left, in 2007, even more changes to the powers and responsibilities of the committee were made, to such an extent that the ISC is now a significant and serious part of our constitutional landscape. But I fear that, over the last number of years, that has slightly declined.
I understand, for example, that the ISC has not met a Prime Minister—there have been lots of them, of course—over the last number of years, nearly a decade. Certainly, when I chaired it, we met the Prime Minister every year or so. It is an indication, I suspect, of what the Government think about it if they do not see it as so important as to meet the head of the Government now and again. I hope that is wrong, but I am sure the Minister will enlighten the House later as to what he and the Government think about the importance of the ISC. It is hugely significant; it is serious.
I shall move briefly on to the significance of the ISC with regard to the passage of the original Investigatory Powers Act, some years ago now, in 2015-16. I had the privilege of chairing the Joint Committee of both Houses on that Bill, and the ISC simultaneously was taking a huge interest in what it contained. For example, I met the then chair of the ISC, Dominic Grieve KC, and the committee itself produced a report on how it thought the original Act could be improved. I just hope that this small but important Bill—which I entirely support, by the way—mirrors what happened to the original Bill, so that the Government can indeed meet the ISC, at a ministerial level and at an official level, and have a proper dialogue as to how they see the ISC working after the Bill goes into law. I hope I can get some assurances from the Minister that that will happen.
It is an important Bill, the ISC is an important body, and they should operate together in a very special way. I wholly support the Bill, but I support the amendments from my two noble friends.
Lord Carlile of Berriew (CB)
My Lords, it is a pleasure to follow the noble Lord, Lord Murphy, who has served with such distinction on the issues we are discussing this afternoon. I do not want to repeat what I said at Second Reading; I spoke in support of the Bill in general terms, and I remain in support of it. The only additional thing I would say is that we should not allow unnecessary amendment of the Bill to create a sort of legislative game of Dungeons and Dragons in which a bureaucratic labyrinth would be created which can be met in a much more practical way. On the whole, the Bill is pretty practical about a modern problem—a more modern problem than existed, say, 10 years ago—which has to be addressed in real time and sometimes with great urgency in that real time.
I want to say something that follows from what the noble Lords, Lord Murphy and Lord West, said about the ISC. I hope that we can tease a little more information out of the Minister, who has been extremely helpful to all of us who are interested in the Bill. I can see, and I would be grateful if the Minister would tell us, that there might be some practical problems relating to national security in the way in which the ISC was informed about problems arising under the provisions in the Bill when it becomes an Act. It would be helpful to the Committee if the Minister were to say from the Dispatch Box that the Government certainly do not exclude the involvement of the ISC in the consideration of the Bill. I should also be very grateful if he would say that the Home Secretary would regard it as a duty to inform the ISC on his personal responsibility if issues arose which ought, in the national interest, to be the subject of information to the ISC. Thus, the ISC might be able to report on these issues without too much bureaucracy being involved and any arguments about what is or is not disclosable in a wider way concerning national security.
Baroness Manningham-Buller (CB)
My Lords, I do not know whether I can help the noble Lord, Lord Fox, on his question of urgency. One of the things that the Security Service and the other intelligence agencies do is deal with matters of life and death, of imminent terrorist threats, of states pursuing one of their dissidents. There is many an occasion when moving at vast speed outside the hours when IPCO is available is necessary and proportionate. I am out of date, so it is hard to give lots of current examples, but many a time there is an urgent need to move fast to try to save life.
On the point from the noble Lord, Lord Murphy, about the ISC—we will come on to look at these amendments in more detail—as far as my service is concerned, we did not need to get used to the ISC in that we had been demanding its creation for a number of years, with resistance from the Prime Minister of the day until it actually came into being. And when it did, we very much welcomed it.
I have hardly had more pleasure since I have been in this House than from the amendment in the name of the noble Lord, Lord Fox, on seeking to forget stuff. Like some noble Lords, I have difficulty in remembering things—I am sorry, I should speak only for myself—but if I was legislated to forget something, it is almost certain that I would be capable of remembering it.
The Parliamentary Under-Secretary of State, Home Office (Lord Sharpe of Epsom) (Con)
My Lords, I am grateful for the contributions to this debate, which have been very interesting. I thank all noble Lords for the points raised. I shall do my very best to address all of them and apologise in advance for going into significant detail. I also thank everyone in the Committee for their broad support for the Bill.
I will start with the low/no privacy factors on bulk personal datasets, which I will henceforth call BPDs, and the various amendments relating to the test set out in Clause 2, to be applied when an intelligence service is considering whether a particular dataset is one that can be retained, or retained and examined, under new Section 226A in the new Part 7A. This test requires that regard must be had to all the circumstances, and that particular regard must be had to the factors set out in new subsection (3). The list of factors is not exhaustive and other factors may be considered, where relevant.
Schedule 10 to the Data Protection Act is related to Section 86 of that Act, which is concerned with sensitive processing of personal data by the intelligence services. Schedule 10 sets out a list of conditions which must be met for such processing to be lawful for the purposes of the Data Protection Act. There is a risk that applying these words here, in a different context and for a different purpose, may be seen to create a link, albeit fallacious, between the type of datasets that will be retained and examined under new Part 7A and sensitive processing under the Data Protection Act. For that reason, their inclusion here risks doing more harm than good, as the noble and learned Lord, Lord Hope of Craighead, noted.
In any case, the safeguards in new Part 7A are already sufficient to ensure due regard for privacy. Every dataset proposed to be retained, or retained and examined, must be individually authorised. In addition to the test at new Section 226A, as new Section 226B makes clear, an individual authorisation may be granted only if it is both necessary and proportionate.
The factors have been chosen because they are most relevant to the context in which the test will be applied and have been drawn from existing case law. They provide a guide to the decision-maker in reaching a conclusion as to the nature of the dataset. Furthermore, a form of prior judicial approval will apply to all authorisations so that there is independent oversight of the conclusions reached.
Amendment 1, tabled by the noble Lord, Lord Coaker, seeks to replace factor (b) with language drawn from Schedule 10 to the Data Protection Act 2018. Factor (b) is concerned with the extent to which an individual has made public the data in the dataset, or has consented to the data being made public. The Government do not consider the amendment necessary. I am sure the noble Lord’s aim is to improve the safeguards in the Bill, and he has drawn inspiration from existing precedent to do so in an effort to bring consistency across statute. However, the amendment fails to achieve that aim, and risks creating an unclear and unnecessary link between this Bill and the Data Protection Act, which I have already explained. I will return to the Data Protection Act in due course.
Amendment 2, tabled by the noble Lord, Lord Fox, probes the inclusion of factors (d) and (e), relating to publicly available datasets that are already widely known about or are already used in the public domain—for example, in data science or academia. As I mentioned, the test in new Section 226A is one in which
“regard must be had to all the circumstances”.
The removal of factors from new subsection (3) would not, therefore, fundamentally change the test; it would mean simply that the decision-maker would not be bound to have particular regard to the absent factors. This amendment would, in fact, result in less transparency in the considerations the intelligence services apply when assessing expectation of privacy in relation to Part 7A authorisations.
The Government consider it important that particular regard is had to these factors. I know that noble Lords particularly enjoy the example of the “Titanic” manifest. It is a useful example of where such factors would be relevant, as it is a dataset that is widely known about and widely used, and contains real data about real people who would, unfortunately, no longer have an expectation of privacy. I also point to the helpful example in the independent review by the noble Lord, Lord Anderson: the Enron corpus. This is a large dataset of emails that came into the public domain following the investigation into the collapse of the Enron Corporation. Although initially sensitive, the dataset has been available in various forms for almost 20 years and is widely used in data science. It is right that such datasets are in scope of the new regime.
The noble Lord, Lord Fox, asked specifically about the extent to which these factors depart from existing privacy laws. The law concerning the reasonable expectation of privacy is likely to develop over time, and new Section 226A is intended to be sufficiently flexible to accommodate future changes. Rather than departing from the law, new Section 226A is intended to ensure that the intelligence services can continue to apply the law as it develops.
On Amendment 3, I thank the noble Lord, Lord Anderson, for tabling this helpful probing amendment. I am afraid the Government do not think it is necessary in order to achieve what we understand the intended effect of the amendment to be. The amendment does, however, provide an opportunity to better explain the difference between what the Bill calls “individual authorisations” and “category authorisations”. An individual authorisation will authorise the retention, or retention and examination, of a dataset under the new Part 7A being inserted into the Investigatory Powers Act—which I will henceforth refer to as the IPA—by this Bill.
All datasets that are to be retained under Part 7A must have an individual authorisation. Individual authorisations are subject to prior approval by a judicial commissioner unless the dataset described falls within an existing category. A category authorisation will not authorise the retention, or retention and examination, of a dataset. Instead, it is a mechanism through which a judicial commissioner’s permission may be sought in order to depart from the normal rule on prior approval, but only in respect of datasets that meet a particular description.
Lord Fox (LD)
If the Minister and indeed the noble Baroness had listened to what I said, they would know that I do not think it is forgettable; I just wanted the Minister to confirm that point.
Lord Sharpe of Epsom (Con)
Thank you; point taken.
Section 226D provides a mechanism to achieve what I understand the intent of the amendment to be. It is clear that remedial action must be taken if it is discovered that Section 226A does not apply or no longer applies to part of a dataset authorised under Part 7A. Anything in the process of being done must be stopped as soon as possible, and that part of the authorisation is treated as cancelled. The effect of that part of the authorisation being treated as cancelled is that the data to which it relates must be deleted unless there is some other lawful basis for its retention. It may well be that it is appropriate for the intelligence service to continue to retain the data. That is why subsection (3), in effect, puts that part of the dataset back into the decision-making machinery in Section 220 of Part 7 of the IPA—so that such a decision can be made. We provide a fuller explanation of that in the draft code of practice for Part 7A, at paragraphs 4.26 and 5.39.
In conclusion on this amendment, if the noble Lord is suggesting that any actionable intelligence that has been identified while the agency was operating on the basis of that retention and examination being lawful under Part 7A should not be acted on, I am afraid I must playfully suggest that it is he who ought to forget his amendment.
I turn now to the various amendments on reporting on BPDs, including several that seek to amend the provisions set out in Clause 2, under Section 226DA, which require the heads of the intelligence services to provide an annual report on Part 7A to the Secretary of State. The first amendment proposed by the noble Lord, Lord Fox, Amendment 11, seeks to mandate that certain statistical information in a given year—specifically, the numbers of authorisations sought and granted—be provided to the relevant Secretary of State. This amendment is not necessary or appropriate. First, those Secretaries of State who are politically accountable for the intelligence services will have in place arrangements to that end and may demand of the relevant intelligence service any additional information he or she feels necessary. This may go beyond the level of detail the noble Lord has proposed be included in the annual report and may be more frequent. This is not a matter for the Bill, because the exact information the Secretary of State requires may evolve over time. Secondly, if this sort of specific reporting requirement is found to be necessary or desirable, it is more appropriate for inclusion in a code of practice, rather than being in the legislation. Indeed, the draft code of practice for Part 7A sets out some relevant details under paragraph 7.4.
I turn now to Amendments 10 and 12, proposed by the noble Lord, Lord West, and I take this opportunity to reassure him and the noble Lord, Lord Murphy. On behalf of the Security Minister, we thank them for their valuable work on the ISC and for the constructive engagement with the Bill Committee to date. I am pleased to see the noble Lord, Lord West, in his place today, and I am glad that he is on a more or less even keel.
The amendments the noble Lord has tabled would require the intelligence services to provide the same annual report that they provide to their Secretary of State, on the operation of Part 7A, to the ISC and the Investigatory Powers Commissioner. I do not believe that this additional requirement would provide the enhanced oversight of the regime that the amendments purport to provide. The annual reporting requirement is a formal statutory mechanism by means of which the Secretaries of State will receive information from the intelligence services about their use of Part 7A on an annual basis. This is a mechanism intended to ensure effective political oversight by the Secretary of State.
The ISC is a committee of Parliament. Oversight by the ISC is neither of the same nature as, nor a replacement for, the oversight of the Secretary of State. The ISC, as a committee of Parliament, already has a long-standing and well-established role in the oversight of the intelligence services to which these provisions will apply, and that role will continue here.
Sending the annual report to the Investigatory Powers Commissioner will not increase the level of independent oversight provided, for the following reasons. First, the Investigatory Powers Commissioner will be required to keep this new regime under review, as he does with the current Part 7 regime, and he will continue to report annually on his findings. Secondly, the information these amendments seek to include in the annual report is already information that the draft code of practice will require the intelligence services to keep, as is clear from paragraphs 7.1. and 7.2. The commissioner, and anyone acting on his behalf, has access to all locations, documentation and information systems as necessary to carry out a full and thorough inspection regime. The intelligence services are legally obliged to provide all necessary assistance to the commissioner, or anyone acting on his behalf, including by providing documents and information.
The noble Lords, Lord Fox, Lord Murphy and Lord West, asked about the continued engagement with the ISC. On both the policy proposals informing the Bill and the Bill itself, through a combination of ministerial, operational and official engagement, we have maintained continual engagement, which includes recent sessions with the Security Minister and the agency heads. As I said earlier, we are grateful to the committee for its engagement and scrutiny of the Bill. We will continue to involve it throughout the Bill’s passage, and I am more than happy to take the noble Lords’ comments back to the Home Office and make sure they are widely understood.
Amendment 13 would see the intelligence agencies notify the Investigatory Powers Commissioner every time an individual authorisation is granted in reliance on a category authorisation. I have already set out the distinct processes for individual and category authorisations under new Part 7A. As I set out earlier, categories will be authorised only with the prior approval of a judicial commissioner. IPCO inspectors will then be able to review the individual authorisation granted in reliance on a category authorisation during their regular inspections of the intelligence services throughout that time. Category authorisations will expire at 12 months and will then need to be renewed and that decision reapproved by a judicial commissioner.
Lord Coaker (Lab)
My Lords, that was an extremely helpful response from the Minister and shows the importance of tabling probing amendment sometimes: to get things read into Hansard that can be referred to.
With respect to the point around children, I would be grateful for the letter to be made available to other Members of the Committee. Again, that was a helpful point and helpful clarification, should it be needed. I also very much agree with him—to show my point about the importance of things being read into Hansard—about my Amendment 17, but it was helpful for the Minister to read into the record the definition of serious crime to be used throughout the Bill, so that there is no ambiguity with respect to that.
I totally agree with what the noble and learned Lord, Lord Hope, said about my Amendment 1. I think the wording in the Bill is better than that contained in Schedule 10 to the Data Protection Act 2018, but I wanted that to be read into the record so that we had it there. I agree with his criticism of my Amendment 1, but the reason I tabled it was exactly to get the point that he made in criticising my amendment, which the Minister reinforced—if the noble and learned Lord understands my logic.
The points made by the noble Lord, Lord Anderson, with respect to Amendment 3 raise an issue. The Minister’s response to that was, “Well, it’s a non-exhaustive list so it’s not necessary, but I’m happy to talk to the noble Lord about it”. One wonders where that will get to. It will be interesting for the Committee to see the outcome of that. I thought that Amendment 3, of all the various amendments, was particularly useful and again drew out whether the factors listed in Clause 2 are the right ones, or whether they need adding to. It was important that the Minister clarified that it is not an exhaustive list.
There is one area that I think may need to be looked at further, as mentioned by my noble friends Lord Murphy and Lord West, and the noble Lord, Lord Carlile, if I understood his remarks properly. We need to clarify the role of the Intelligence and Security Committee. I note the Minister’s reassurances, but what is its role? The clear point of difference between what I would say and what my noble friends Lord Murphy and Lord West and others would say is that we are talking here about parliamentary oversight. The Government have an annual report which goes to the Secretary of State. That is political oversight of a sort but it is not parliamentary oversight. The whole point of the ISC being set up was to give parliamentary oversight to all these sorts of matters. We have a Bill before us called the Investigatory Powers (Amendment) Bill, which deals with all sorts of issues of national security and the powers that the intelligence agencies and others should have on our behalf. It is only right and proper that the Intelligence and Security Committee should have a role that is properly defined within the legislation before us. That is one aspect that I need to reflect on and discuss with other Members of your Lordships’ House and with my noble friend Lord West, as our member of that committee.
That is the one area where, to be honest, I was not satisfied with what the Minister had to say. Notwithstanding Amendment 3, and all the other points made to the noble Lord, Lord Fox, and many others, the definitions the Minister has helped clarify and the various ways he has sought to ensure that people understand the Government’s intent have been extremely helpful to the Committee. With that, I seek leave to withdraw the amendment.
Lord Fox
Member's explanatory statement
This amendment is intended to probe the legal basis for surveillance of the type of data described in new subsection (3A)(e).
Lord Fox (LD)
My Lords, Amendment 20 is intended to probe the legal basis for surveillance of the type of data described in new Section 11(3A)(e). This amendment would prevent public authorities—councils, police forces, intelligence agencies, government departments including the DWP and HMRC, the Gambling Commission, the Food Standards Agency, and many more—having “lawful authority” to obtain and use communications data from a telecommunications or postal operator solely because the information is available to the public or a section of the public even if only on a commercial basis.
Communications data is defined in the IPA as data that may be used to identify, or assist in identifying, the sender, recipient, time, duration, type, method, pattern, or fact of a communication, along with the system used to make a communication, its location and the IP address or other identifier of any apparatus used. The broad list of public authorities able to obtain communications data is set out in Schedule 4 to the IPA.
Clause 11 of the Bill before us now amends the Section 11 IPA offence of unlawfully obtaining communications data from a telecommunications or postal operator. Whereas the IPA currently defines an offender as,
“A relevant person who, without lawful authority, knowingly or recklessly obtains communications data from a telecommunications operator”,
this Bill would add a list of examples to the Act of what constitutes lawful authority.
Lord West of Spithead (Lab)
My Lords, I stand to address the clause stand part notice for Clause 13 and also Amendments 21, 22, 24 and 26. The aim of looking at the clause relates to the communication data disclosure powers. The current IPA wisely restricted the number of public authorities that are able to compel the disclosure of communications data from telecommunications operators, given the potentially intrusive nature of this power. Consequently, authorities such as the Environment Agency or Health and Safety Executive are currently required to take further procedural steps in order to compel disclosure of communications data. They must obtain either an authorisation under the current IPA, a court order or other judicial authorisation, or regulatory powers in relation to telecommunications or postal operators, or they must obtain the communications data as secondary data as part of a valid interception or equipment interference warrant.
However, the Bill before us seeks to remove these restrictions for a wide range of public regulatory authorities and restore their ability to compel the disclosure of communications data from telecommunications operators in service of their statutory regulatory or supervisory functions. The Government’s argument for removing these restrictions is that a broader array of communications now fall into the category of communications data, and that a wider number of organisations now constitute telecommunications operators. As a result, the current restrictions prevent some regulatory authorities from acquiring the information necessary to exercise their statutory functions, in a way that was not anticipated at the time of the original legislation.
It is argued that this is particularly relevant to bodies with a recognised regulatory or supervisory function, which would collect communications data as part of their lawful functions but would be restricted under the current Act if their collection was not in service of a criminal investigation. In particular, the change is focused on improving the position of certain public authorities responsible for tax and financial regulation, whose powers were removed in 2018 as a result of the rulings of the European Court of Justice.
Clearly, such bodies must be able to perform their statutory functions effectively, but we have been told that this Bill delivers only “urgent, targeted changes needed”. That is not the case here. These sections represent a sweeping restoration of powers across a wide number of public bodies, most of which have no national security or serious crime function.
The original Act was very particular about the purposes for which communications data could be gathered under the legislation and by which bodies. It ensured that this power was tied to national security and serious crime purposes only, to avoid impinging on the right to privacy without very good reason. Clause 13 and its related schedule fly in the face of this very deliberate policy in the original Act, and overturn Parliament’s careful deliberation of the point.
Will the Minister confirm which bodies will have their powers restored under this legislation? Which of those bodies have reported a significant reduction in their ability to perform statutory functions as a result of the IPA? Have some bodies been more effective than others? Might it be possible and appropriate to significantly pare back this list of organisations?
At present, the case has not been made. We need to be satisfied that these powers are given to those bodies which cannot adequately function without them. It cannot be the case that some are simply given these powers back by default. I am prepared not to take this amendment to a vote if the Minister can assure the House the Government will bring forward their own amendment, which restores these powers in a more limited and targeted way.
The next stand part notice is consequential on that one being taken.
I move on to Amendments 21, 22, 24 and 26. These seek to remove the ability of the agencies to internally authorise the use of a new broader power to obtain internet connection records for target discovery. The agencies would instead be required to seek approval from IPCO, thereby creating an element of independent judicial oversight.
As I noted previously, Clause 14 creates a new broader power for the agencies and the NCA to obtain ICRs for the purpose of target discovery. It represents a significant change from the current position, removing the current demand that the exact service used and the precise time of use be known. Instead, the agencies will be able to obtain ICRs to identify which persons or apparatus are using one or more specified internet services in a specified period—a far broader formulation.
After consideration of the relevant classified evidence, the ISC agrees with the intent. However, the newly expanded power is potentially very intrusive. It allows the agencies to obtain ICRs from a range of internet services over a potentially long period of time and could, therefore, potentially intrude on a large number of innocent people. Parliament must therefore ensure that there are appropriate safeguards in place.
The ISC acknowledges that there are safeguards in place relating to the obtaining of ICRs. However, in all cases relating to national security and economic well-being, the agencies are able to authorise use of this newly expanded power internally. They make the assessment as to whether it is necessary and whether it is proportionate. There is no independent oversight of the agencies’ assessment.
The Government may argue that the ability of the agencies to authorise use of this power internally replicates the existing provisions when authorising the obtaining of ICRs for target discovery or target development. They will also no doubt refer to how the noble Lord, Lord Anderson, said in his report that “arguably” the potential intrusiveness of this newly expanded target detection power is no greater than the existing provisions for obtaining ICRs.
In the ISC’s view, the new provision—which is considerably broader than the existing target discovery power, removing the need to know the exact service used and the precise time of use—is significantly more intrusive than existing provisions. Consequently, greater oversight is required to ensure that the power is always used appropriately. This is not because we expect the agencies to act in bad faith but because independent oversight is essential, acting as a counterbalance to the intelligence community’s intrusive powers and providing vital assurance to Parliament and the public.
This amendment and the two linked Amendments 24 and 26 therefore remove the ability of the agencies to authorise use of this power internally. The agencies would instead be required to seek the approval of an independent judicial commissioner from IPCO in order to authorise the obtaining of ICRs under this new broader power.
Incorporating this independent judicial oversight would ensure that use of this power is always necessary and proportionate and strikes the right balance between security and privacy. It also aims to minimise any burden on the agencies. It does not, for example, incorporate the “double lock” mechanism, which is used for the most intrusive powers under the Investigatory Powers Act.
We recognise that the Government may wish to bring forward their own amendment to include provision for urgent cases; therefore, I do not propose to move this amendment to a vote at this stage. It should, however, indicate to the Government the ISC’s firm view that independent judicial oversight in this area is essential.
I will say a little more about Amendment 22. This amendment seeks to limit the purposes for which the new, broader target discovery power, which has been introduced under Clause 14, could be used. Clause 14 creates a new, broader power for the agencies, and the NCA, to obtain internet connection records for the purposes of target discovery. Target discovery is a great deal more intrusive than target development, potentially intruding on the privacy of a great number of innocent individuals. This is why we must tread very cautiously in this area and be quite satisfied of the need for the power, and that it is tightly drawn and properly overseen.
Currently, in order to obtain ICRs for target discovery, the agencies must unequivocally know the precise service used and the precise time of use by the unidentified individual. It is, therefore, very tightly drawn. The new target discovery power removes these requirements, allowing the agencies to obtain ICRs to identify which persons or apparatuses are using one or more specified internet services in a specified period. Noble Lords will recognise how potentially broad this is by comparison.
Lord Anderson of Ipswich (CB)
My Lords, I will make a brief comment on two aspects of Clause 14 which have been developed today and which were considered in my report. Amendments 23 and 25 in the name of the noble Lord, Lord Fox, would restrict the changes relating to internet connection records in Clause 14 to the intelligence services only. The noble Lord correctly noticed that, while I support the use of ICRs for the new target detection purpose in condition D1, I mentioned at paragraph 4.18 of my report that it would be
“open to Parliament to require further safeguards”
and suggested that those safeguards include
“making the extra condition available only to UKIC”—
in other words, the intelligence services—
“at least in the first instance”.
I pointed out a range of safeguards that already apply to ICRs. These are fully set out in the draft addition to section 9 of the code of practice that was helpfully provided in advance of these debates. I also pointed out, by way of mitigation to my proposal that only UKIC should have access, that
“working arrangements … could facilitate the use of UKIC powers in the service of NCA or CTP in particular”.
That is as much as I am told I can say on working arrangements, though noble Lords may be able to use their imaginations.
Clause 14, instead of going for this workaround, opted to give the NCA, though not counterterrorism policing, its own direct access to the new power. It is certainly true that the NCA has primary responsibility for many of the crimes where the new power may prove most useful—in particular, child sexual abuse, where it has strong potential. I will listen to what the Minister says about that, but I think there is no great division of opinion between us on this issue. We are really debating different mechanisms by which the NCA might get access to this material, and although it is not precisely what I suggested, I have no objection to the more direct route taken in the Bill.
I turn to Amendments 21, 24 and 26 in the name of the noble Lord, Lord West of Spithead, which would introduce a requirement for requests by the intelligence services and the NCA to be independently authorised by the Office for Communications Data Authorisations. This would be an exceptional state of affairs for communications data requests by the intelligence agencies. Existing ICR requests are internally authorised and some of those, in particular under condition B and C, will be arguably, as I said in my report, as intrusive as requests under the new condition.
However, the noble Lord has emphasised the undoubted intrusiveness of the new condition and I know from my own correspondence with the ISC that, very much to its credit, it has looked at this issue in considerable detail. Furthermore, I raised the possibility of independent authorisation for such requests in my report. While I said that the full double-lock procedure would be disproportionately burdensome, independent authorisation by OCDA, which is not a possibility on which I commented expressly, sounds as though it could be a more manageable proposition. I have some sympathy with Amendments, 21, 24 and 26. They raise an important issue on any view, and I look forward to hearing what the Minister has to say about them.
Lord Ponsonby of Shulbrede (Lab)
My Lords, I thank the three previous speakers in the short debate on this group. There are no opposition amendments in it, so I shall set out some more general questions that arise out of the amendments spoken to.
Why have the Government brought forward the widening powers to obtain communications data when the original Bill did the opposite? Can the Government provide an exhaustive list of the bodies that will be able to use these communications data collection powers? Why are they not in the Bill or the Explanatory Notes? Giving bodies such powers during any criminal investigation appears out of step with the rest of the Bill, which covers investigatory powers for national security or serious crime reasons. Why is this power so broad as to cover any criminal investigation? Given that the double lock exists for most of the powers in the Bill, why have the Government given wide-ranging powers for intelligence authorities and the NCA to self-authorise accessing internet connection records while undertaking subject discovery work? How does this compare to the powers for conditions A, B and C, which cover access to ICRs, for more restrictive purposes? Finally, what will the role of the IPC and the ISC be in monitoring how the new powers are used?
I was particularly interested in what the noble Lord, Lord Anderson, said when he was commenting on the two other speakers in this short group. I, too, will listen with great interest to what the Minister has to say on this, but this is all done in the spirit of exploration, as my noble friend Lord Coaker said. I look forward to the Minister's comments.
Lord Sharpe of Epsom (Con)
I thank all noble Lords who have spoken in this group. I will first speak to Amendment 20, tabled by the noble Lord, Lord Fox, which would amend Clause 11. I want first to make it clear that Clause 11 does not enable any new activity under the Investigatory Powers Act but places into primary legislation the existing position set out at paragraph 15.11 of the Communications Data Code of Practice.
Paragraph 15.11 clearly sets out that it is not an offence to obtain communications data where it is made publicly or commercially available by the telecommunications operator or postal operator or otherwise, where that body freely consents to its disclosure. In such circumstances, the consent of the operator provides the lawful authority for the obtaining of the data on which public authorities can rely. Making this position explicit within primary legislation will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in Section 11. As such, there will be no doubt that acquiring communications data in this way means that an offence will not be committed in such circumstances.
The purpose of new subsection (3A)(e) is not permitting so-called surveillance, as the noble Lord’s amendment asserts. Rather, it is about clarifying the basis for lawful access to material which has already been published and should not require additional authority for its disclosure by a telecommunications operator, with the consent of that operator, to a public authority. I can assure noble Lords that telecommunications and postal operators will still need to satisfy themselves that any communications data disclosure is in accordance with the Data Protection Act, and any subsequent processing by public authorities must also be compliant.
The inclusion of this paragraph in the definition of “lawful authority” in the IPA will provide reassurance to public authorities on the basis for which they have lawful authority to acquire communications data where this authority falls outside the IPA itself. Inserting a definition of lawful authority does not remove the offence of knowing or recklessly obtaining communications data without lawful authority; it is still possible to commit this offence if the disclosure by the telecommunications operator is not lawful or if the public authority knowingly or recklessly acquires the communications data without lawful authority. The inclusion of this definition of lawful authority will encourage public authorities to ensure that they have lawful authority before they acquire communications data. I therefore respectfully ask the noble Lord to withdraw his amendment.
I turn to Clause 13 and the proposal from the noble Lord, Lord West, to remove this provision and the associated schedule from the Bill. The purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited in performing the roles expected of them by Parliament. It restores their important pre-existing statutory powers to acquire communications data in support of those functions. When the IPA was passed in 2016, it made specific provision, at Section 61(7)(f) and (j), for acquisition of communications data for the purposes of taxation and oversight of financial services, markets and financial stability.
As a result of the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, a number of changes were then made to the IPA. Crucially, not all the changes made at that time were a direct response to the judgment itself, but instead the opportunity was taken to streamline the statute book. This included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers. At that point, much of the relevant data fell outside the definition of communications data and therefore outside the provisions of the IPA. However, as businesses increasingly move their services online, so many have become, in part at least, telecommunications operators under the definition in the IPA. Therefore, more of the data they collect, and which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers, now falls within the IPA’s definition of communications data, and regulatory and supervisory bodies are, inadvertently, unable to acquire it.
The Financial Conduct Authority, His Majesty’s Revenue and Customs and Border Force are all examples of public authorities in Schedule 4 to the IPA and already have the power to acquire communications data using a Part 3 request. However, many of the matters that these bodies regulate or supervise fall short of serious crime, as defined in the Investigatory Powers Act at both Section 263(1) and Section 86(2A), which means that they are unable to acquire a Part 3 authorisation to get the data they need to perform the statutory functions expected of them.
The UK is not alone on this issue; European colleagues have identified similar issues for their equivalent bodies with regulatory and supervisory functions. The functions these bodies perform on behalf of the UK are simply too important to let this situation continue. They go to the heart of our safety in preventing terrorist funding, seeking to ensure financial stability, and the oversight of banking and financial markets, among other matters. For example, the Financial Conduct Authority has responsibility for supervising some 50,000 regulated firms to ensure they have systems and controls in place concerning the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Border Force has the responsibility of quickly identifying from the huge volumes of packages crossing our borders each day, those that may contain illegal items such as drugs, firearms and other illicit goods that present a risk to the UK. It is vitally important that these bodies are not inhibited in carrying out their core functions because of the way the world has changed since 2016.
The changes to the IPA brought about by Clause 13 strike an appropriate balance between necessity and proportionality, making clear as it does that the acquisition by these regulatory bodies should only be in support of their civil functions and not used in support of criminal prosecutions. Additional safeguards are provided for within codes of practice governing how this should work in practice. To be clear, this applies to a relatively small cadre of public authorities in support of specific regulatory and supervisory functions; it is not creating a way to circumvent the safeguards of the IPA. It instead ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential.
Lord Fox (LD)
My Lords, this has been a really worthwhile part of our debate, and I thank those who have tabled amendments and the Minister for his response. I was particularly interested to hear both the substance of and response to the amendments of the noble Lord, Lord West of Spithead. I think it best that we spend some time reviewing this in Hansard in deciding what, if anything, needs to come back. With that said, I beg leave to withdraw Amendment 20.
Lord Fox (LD)
My Lords, in opposing that Clause 16 stand part of the Bill, I shall also speak to the clause stand part notices on Clauses 17 and 20.
This is one part of the Bill that has attracted a huge amount of external interest and deserves some positioning to understand why external parties might be suspicious of what they see. We should recognise that one of the most important security features available to protect personal information, both on a device and in the cloud, is end-to-end encryption. That encryption technology ensures that only users, and not the companies which provide the cloud services, can access their personal data and communications. Computer scientists and cryptographers have argued for many years that there is no safe way to decrypt one person’s messages without compromising the whole system’s security infrastructure. As soon as a backdoor, as it is called, is created to scan private messages, a security vulnerability is created that can be exploited by bad actors as well as good actors. I assume that that was why the Online Safety Bill left things hanging, waiting for a technological breakthrough, though I was not party to the processes of that Bill.
I remind your Lordships that once the company has created a backdoor key for encrypted systems, even for a single user in a single case, and certainly for any mass scanning, it has created a vulnerability that can eventually be abused by bad actors as well as law enforcement. I also remind your Lordships that the Home Office already can and presumably, on occasion, does require companies to weaken their security apparatus in the interests of law enforcement and national security.
To a great extent, the proximity of this Bill to the debate in the Online Safety Bill, has not helped matters: sensitivities were raised during that debate, and this is a chance for the Minister to try to calm them. As I mentioned earlier, the impending arrival of the Data Protection and Digital Information Bill is also putting people’s nerves on edge. There is a deal of management required here.
End-to-end encrypted messaging service providers were vociferous in their concerns during the passage of the Online Safety Bill, yet Section 121 of the Online Safety Act remains. However, Ministers clarified that Ofcom could only require scanning once it becomes technically feasible to do so—that is, when the technology is invented and allows scanning without violating encryption. But Ofcom retains the power to order service providers to use their “best endeavours” to develop that technology.
It is not surprising that some of those same encrypted message service providers were raising flags when it came to some of the clauses in the Bill. The IPA, as it stands, already enables the Home Office to instruct service providers to remove electronic protection for communications of interest to the police or security services by issuing them with a technical capability notice—a TCN. This effectively empowers the Home Secretary to require the removal of end-to-end encryption on those services across any number of suspects and criminal offences. Currently, for the Home Secretary to issue a TCN to a service provider under the IPA, they have to satisfy a number of considerations, which your Lordships will be pleased to hear I am not going to list. Even if the answers to all those conditions is positive and leads to a TCN, a process of checks and balances sits alongside the request, including informal and formal consultation between the Home Office and a service provider before the TCN is issued, oversight by the independent judicial commissioner assessing the request’s proportionality and, of course, recourse for the service provider to request a review of the TCN, allowing it and the Home Secretary to make representations to the judicial commissioner and the technical advisory board for assessment. Crucially, the service provider is not required to start acting on the notice until the review process is concluded.
Lord Ponsonby of Shulbrede (Lab)
My Lords, I will briefly speak to the five amendments in this group in the name of my noble friend Lord Coaker. Amendments 35 and 37 would introduce a double-lock process to notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for the three existing types of notices that can be issued to telecommunications operators. Amendment 36 would add a further factor that the Secretary of State must consider when deciding to give a notice under this section, bringing this type of notice into line with the three existing types of notices that can be issued to telecommunications operators. Amendments 38 and 39, along with the others in my noble friend’s name, would introduce a potential double-lock process to the variation of notices given under the notification of proposed changes to telecommunications services, bringing it in line with the procedure for variation of the three existing types of notices that can be issued to telecommunications operators.
In introducing this group, the noble Lord, Lord Fox, set out very comprehensively the concerns of the various tech companies. I have read the same briefings that he has. He was right to see this as an opportunity for the Minister to address those concerns.
I have a few questions arising out of these amendments. First, why have the Government not included a double-lock structure of approval to this new type of notice, given that the three other types of notices that telecom companies can be issued have the same structure, along with many of the provisions in this Bill and the IPA? Further, why does it not have the same review structure as the other notices? What will companies be able to do to challenge this decision? New Section 258A states that companies must respond within “a reasonable time”. What would the Government consider a reasonable time to be in this regard? What assessment has been made of what other companies are doing to ensure they are aware of changes that would potentially impact national security? Finally, can the Government be more specific about the types of changes that would be considered relevant for this new notification of the proposed changes?
Lord Sharpe of Epsom (Con)
My Lords, once again, I thank noble Lords for their amendments and the points they have raised in this debate. I will do my very best to answer the questions that have been asked. Again, I am afraid I am going to do so in some detail.
The noble Lord, Lord Fox, has proposed removing Clause 16 from the Bill in its entirety. Clause 16 concerns the extraterritorial enforcement of retention notices. Under subsections (9) to (11) of Section 255 of the IPA, any technical capability notice—TCN—is already enforceable by civil proceedings against a person in the UK. Only TCNs that provide for interception and targeted communications data acquisition capabilities are enforceable against a person overseas. Section 95 of the IPA also provides that a data retention notice—DRN—is enforceable by civil proceedings against a person in the UK. DRNs already have extraterritorial applicability within the IPA, meaning that they can already be given to a person outside the UK. However, unlike TCNs, the current legislation does not permit the enforcement of a DRN against a person outside the UK.
Clause 16 therefore seeks to amend Sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs to strengthen policy options and the legal levers available when addressing emerging technology, bringing them in line with TCNs. As technology advances, data is increasingly held overseas. The clause will ensure that, if required, there is a further legal lever to protect and maintain investigatory powers capabilities overseas. This will ensure that law enforcement and the intelligence agencies have access to the communications-related data that they need to tackle serious crime and protect national security. It will also ensure consistency across the regime.
Lord Fox (LD)
My Lords, I thank the Minister for an admirably comprehensive response. That was what we were looking for—perhaps not everyone, but certainly our Front Benches. There is a lot to get our heads around, so we will take this away and look into it.
There are a number of observations I would make. First, the Minister emphasised co-operation, collaboration and discussion. Of course, the legislation does not look like that, so it would help if the Government could find some confidence-boosting measures, be they from the code or the draft annexe, or something that enables the Government to signal their continued intention to co-operate and collaborate.
The Minister talked about an interconnected data world—that is exactly the point the operators are making. Because of that interconnection, a hiatus in delivering a service in the UK could also be a hiatus in delivering that service to the rest of the world, given that everyone is using the same service. That is one of the points that was not picked up by the Minister at the time. That interconnectedness is the very issue that some operators have: if they are prevented from doing it in one place, how do they do it elsewhere?
The issue of corporate entities is interesting. What the Minister described was something I used to call “corporate veil”, and I am interested to know how robust that is in corporate law. With corporate veil, it became very difficult, even at court level in the United States, to break down the corporate entities and their interconnections. For no other reason than making an observation, I am interested to see how that works. I certainly see why the Government are putting it forward in their legislation.
There is a lot for us to digest, which we certainly will, between now and the next stage; it gives us something to get our teeth into over Christmas. That said, I beg to withdraw my proposal that Clause 16 stands part of the Bill.
The Deputy Chairman of Committees (Baroness Fookes) (Con)
I am afraid that the noble Lord is not in a position to do that. This is a clause; one votes for it or against it.
Lord Sharpe of Epsom
Member's explanatory statement
This amendment is consequential on the amendment in the name of Lord Sharpe of Epsom at page 41, line 14.
Lord Sharpe of Epsom
Member's explanatory statement
This amendment and the amendment in the name of Lord Sharpe of Epsom at page 41, line 4 correct an inconsistency in clause 20 by omitting references to a notice under section 258A of the Investigatory Powers Act 2016 being given or revoked in relation to a description of persons.
Member's explanatory statement
See the amendment in the name of Lord Sharpe of Epsom at page 41, line 2.
“(4) The Regulation of Investigatory Powers Act 2000 is amended as follows.(5) In section 65 (the Tribunal)—(a) in subsection (5)(czi)—(i) for “or 253” substitute “, 253 or 258A”;(ii) for “or technical capability” substitute “, technical capability or proposed changes to telecommunications services etc”;(b) in subsection (5)(czl)(iii), for “or 253” substitute “, 253 or 258A”;(c) in subsection (8)(bc), for “or 253” substitute “, 253 or 258A”.(6) In section 67 (exercise of the Tribunal’s jurisdiction), in subsection (7)(azc), for “or 253” substitute “, 253 or 258A”.(7) In section 68 (Tribunal procedure)—(a) in subsection (5)(b), for “or 253” substitute “, 253 or 258A”;(b) in subsection (7)(f), for “or 253” substitute “, 253 or 258A”;(c) in subsection (7)(ha), for “or 253” substitute “, 253 or 258A”.”Member's explanatory statement
This amendment provides for the Investigatory Powers Tribunal to consider complaints about notices given under new section 258A of the Investigatory Powers Act 2016 (proposed changes to telecommunications services etc) in the same way as it considers complaints about other notices given under Part 9 of that Act.