All 4 Stuart C McDonald contributions to the Investigatory Powers (Amendment) Act 2024

Thu 7th Mar 2024
Investigatory Powers (Amendment) Bill [ Lords ] (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Report stage: 1st sitting
Thu 7th Mar 2024
Investigatory Powers (Amendment) Bill [ Lords ] (Second sitting)
Public Bill Committees

Committee stage: 2nd sitting & Report stage: 2nd sitting

Investigatory Powers (Amendment) Bill [Lords] Debate

Department: Home Office

Stuart C McDonald Excerpts
Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

Let me start with two thank yous. First, let me put on record my party’s gratitude to the intelligence services and law enforcement organisations that work so incredibly hard to keep all our citizens safe in the face of constantly changing and developing threats. Secondly, I thank all those who took part in the reviews of the 2016 Act that have informed the Bill. However, as Lord Anderson said in his own review, they should be a starting point for parliamentary scrutiny and debate rather than a finishing point.

Although any opportunity to revisit and improve the 2016 Act would generally be welcome, my party has serious concerns about certain provisions in this amendment Bill. In short, while it is constantly presented as “updating”, and as protecting and making efficient pre-existing powers, we fear that the reality is a very significant expansion of what are, we must remember, already extraordinarily wide powers by international standards. There are significant privacy and human rights risks, and the danger of increasingly widespread suspicionless surveillance. We fear that we may be handing invasive powers to intelligence and law enforcement agencies not because the powers are necessary or essential to their work but because they are convenient, and that is not striking the right balance.

All this is consistent with the very detailed and principled privacy and human rights concerns that my party raised in relation to the 2016 Act itself—particularly in the speeches made by my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), who is here to take part in the debate again today. As will be the case today, we did not oppose the Second Reading of that Bill, but in the absence of important amendments, or concessions and reassurances—again, as with the 2016 legislation—we keep open the option to oppose the current Bill at a later stage.

Today I will focus on concerns relating to bulk personal datasets, and on notices relating to changes in telecommunication services. I will also briefly flag up our concerns about internet connection records and changes to the offence of unlawfully obtaining communications data. My party also believes that this Bill provides an opportunity to revisit the whole issue of snooping on parliamentarians, if we are bold enough to take it.

I shall turn first to bulk personal datasets and part 7 of the 2016 Act. In short, we struggle to see that the proposed changes have been shown to be necessary. We fear that they will instead create even larger gaps in the oversight regime in relation to these capabilities. A whole host of concerns arises in relation to the provisions of clause 2 and the concept of data in relation to which there can be

“low or no reasonable expectation of privacy”.

Bluntly, I struggle to see how a decision maker is supposed to assess people’s reasonable expectations of privacy, and when we say “people” we can be talking about hundreds or thousands of people or potentially several million people. Within that group of individuals there will be many varying attitudes to further privacy, and the data related to individuals could vary hugely from the mundane to the deeply personal. It may be that there is supposed to be some type of “reasonable person” test applied, but is that reasonable person black, gay, Jewish or indeed a trade unionist? How are potentially very different subjective attitudes to be accounted for? These might seem like odd questions, but the experience in the United States of America, where a similar test is involved, proves that these questions are very real indeed. Is it a general question of privacy in relation to the data or a more specific question of expectations of the use of that data by intelligence services? What precisely is low expectation? This seems to be an impossible assessment to undertake in any realistic or meaningful sense.

Joanna Cherry

I thank my hon. Friend for his kind comments earlier. As usual, he is making a very forensic speech. On this issue of a reasonable expectation of privacy, does he agree that clause 2 and clause 11(3) seem to be based on a legal misunderstanding that people lose their right to privacy when they happen to share certain information with someone else? He will be as aware as I am that that runs contrary to the jurisprudence of the European Court of Human Rights and that, by contrast, the Court has actually said that privacy includes

“the right to establish and develop relationships with other human beings”.

Does he agree that it is important to ensure that this Bill is commensurate with our obligations under the European convention on human rights?

--- Later in debate ---
Stuart C. McDonald

My hon. and learned Friend will not be surprised to hear that I completely agree with her.

In fact, that brings me to the next point I want to raise in relation to clause 2. As well as putting in place what I struggle to see as being a reasonably operated assessment, the clause raises concerns in relation to consistency with data protection legislation and with human rights obligations. The factors to be taken into account when undertaking that really difficult assessment do not even expressly include the sensitivity of the data in question, which surely should be central to any question of processing. That is an inconsistency with existing data protection principles and laws, and I agree that the compatibility of such provisions with our human rights obligations is also surely highly dubious. Just because someone has shared personal data does not mean that they automatically lose their right to further protection around how that data is shared and processed, especially when it is sensitive personal data, as my hon. and learned Friend has just said.

The role of judicial commissioners in this area is even further diluted, reduced to reviewing by judicial review standards whether datasets do indeed relate to data where there can be low or no expectation of privacy. Frankly, that is not a safeguard at all. At the very least, their role needs to be strengthened when the Bill is considered in Committee. We also need to seek assurances around how the Bill will impact on the reporting of the retention and use of bulk personal datasets. If large numbers are retained under category authorisations, we may not know how many datasets are actually being gathered.

Let me turn to various aspects of part 4, on notices. Again there are some controversial provisions, particularly in clause 21 and the requirement on selected telecommunications operators to inform the Secretary of State if they propose to make changes to their products or services that would negatively affect existing lawful access capabilities. That seems like an extraordinarily broad power, without anything remotely appropriate in terms of oversight and limitations. These powers are going to make the UK a real outlier. Essentially, the Secretary of State will be empowered to say to tech companies, “You are not allowed to improve your products without consulting us, so that we can still break in to access the data that we need and when we want it”. Despite what the Secretary of State says, taken together with other changes to review processes, such powers could easily be used to significantly delay, or de facto veto, updates to security, rendering everybody’s data more vulnerable to hacking by third-party actors.

The Minister for Security (Tom Tugendhat)

That is simply incorrect, and I know that the hon. Gentleman would not wish to continue down a road that he knows to be incorrect. Let me just be very clear: this is a continuation of a power that was granted in 2016. The notice does not extend that power; it merely enables a conversation to begin with companies before any action is taken, to maintain an existing standard and not in fact to change it.

Stuart C. McDonald

I am grateful for that clarification from the Minister, and we will of course engage further in this debate in Committee.

These concerns have been raised not just by me but by significant tech companies; this is not something that has come to me simply through perusing the Bill. The key question remains: why is there to be no proper oversight of these notices and notice powers by independent advance authorisation? Why is there not even the double lock that applies to other notices that can be served on communications providers under that Act? Surely that scrutiny should be carried out in advance. There are also lots of question marks around the expanded claims of international jurisdiction. How will potential conflicts of law be resolved, especially if a company subject to one of these notices that is contrary to its domestic laws cannot even say anything about it because it is bound to secrecy by this legislation? What are the prospects of other Governments copying what our Government are doing and seeking to replicate such provisions, and what would the impact of that be on UK companies?

Turning to internet connection records, the starting point is that we should remember that no other European Union or Five Eyes country permits the requiring of ICR generation or retention in relation to its own residents, so this was a hugely controversial development in the 2016 Act. As we have heard, ICRs can reveal huge amounts of deeply sensitive information about a person. For now, secret services can seek ICRs only when certain facts are already known, such as the identity of a person connecting or the time and use of the connection, so that the retention is at least targeted in some way.

The risk in this Bill is that reasonable suspicion will no longer precede targeted surveillance. Instead, the Bill would seek to use ICRs for the discovery of new targets, which is a really significant jump and development. I can genuinely understand some of the reasons being offered for this change, and I am not unsympathetic to the case being made, but if these powers are not carefully circumscribed, they risk creating a big step towards mass surveillance and fishing exercises. We need to ask whether there are less invasive alternatives and whether these powers are therefore really necessary. Alternatively, we need to look again at the oversight mechanisms for the use of these powers.

We also have concerns about the Bill’s proposals in relation to the offence created by the 2016 Act, where relevant persons in a relevant public body knowingly or recklessly obtain communications data from a telecoms or postal operator without lawful authority. This Bill seeks to set out examples of what would amount to lawful authority, which is a laudable aim. However, there are real questions about whether some of the examples in clause 12 are not in fact redefining the concept of lawful authority. In particular, the assertion that there would be lawful authority simply because

“the communications data had been published before the relevant person obtained it”

is controversial. That is particularly so when

“‘published’ means make available to the public or a section of the public (whether or not on a commercial basis).”

As I said in relation to bulk personal datasets, limited publication is not authority for intrusive surveillance. Could a simple private message not amount to publication of comms data? The implications of this definition of lawful authority need very careful scrutiny indeed.

Finally, on the interception and hacking of parliamentarians, making provision for circumstances where the Prime Minister is unavailable to play his part in a triple lock seems sensible, but the fact that the issue of snooping on MPs and others is being revisited should trigger us all to rethink the whole scheme. Our role of representing our constituents, interrogating legislation and holding the Government to account should not be interfered with lightly. We should take the chance to consider post-surveillance notification of MPs who have been spied upon, by judicial commissioners, once investigations are completed. As matters stand at the moment, redress is almost impossible to obtain. We should also require that the investigatory power commissioners be informed every time these powers are used, so that there is transparency about how often this is happening. All other options should be on the table as well.

I started by thanking intelligence and law enforcement authorities and I am happy to do so again in closing, but our respect for them does not mean we should ever consider writing blank cheques or handing them whatever powers they ask for. They are not perfect. From time to time they exceed their powers and certain individuals abuse their lawful capabilities. The powers that they seek through this Bill are extremely invasive and broad in scope. There is a real danger that key provisions of the Bill will go beyond what is necessary and get the balance with privacy and human rights wrong. These provisions will need serious scrutiny and revision in Committee, and that is what we in the SNP will seek to secure.

Investigatory Powers (Amendment) Bill [ Lords ] (First sitting) Debate

Department: Home Office

Stuart C McDonald Excerpts
Committee stage & Report stage
Thursday 7th March 2024

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 7 March 2024 - (7 Mar 2024)
Dan Jarvis (Barnsley Central) (Lab)

It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.

At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.

Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

It is good to see you in the Chair, Mrs Cummins.

I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.

I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.

The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.

When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.

Mr Kevan Jones (North Durham) (Lab)

It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.

My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.

Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.

Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.

Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.

Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.

Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.

We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.

--- Later in debate ---
Dan Jarvis

May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.

We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.

I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?

The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.

Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.

Stuart C. McDonald

Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.

Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), which has been shared with us all:

“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”

That is the question that we are getting at here.

The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it is difficult to grasp the concept or even understand how the test is to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.

Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.

Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.

--- Later in debate ---
Dan Jarvis

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Stuart C. McDonald

I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.

This amendment is consequential on Amendment 23.

The Chair

With this it will be convenient to discuss the following:

Amendment 23, in clause 2, page 5, leave out lines 1 to 14.

This amendment would remove proposed new section 226BA, thereby removing the ability to grant “category authorisations”.

Amendment 24, in clause 2, page 5, line 17, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 25, in clause 2, page 5, leave out lines 23 to 25.

This amendment is consequential on Amendment 23.

Amendment 26, in clause 2, page 5, line 34, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 27, in clause 2, page 5, line 39, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 28, in clause 2, page 7, line 3, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 29, in clause 2, page 7, line 27, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 30, in clause 2, page 8, leave out lines 6 to 15.

This amendment is consequential on Amendment 23.

Amendment 31, in clause 2, page 8, leave out lines 19 to 23.

This amendment is consequential on Amendment 23.

Amendment 32, in clause 2, page 8, line 37, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 33, in clause 2, page 8, line 41, leave out from “authorisation” to “they” on page 9, line 1.

This amendment is consequential on Amendment 23.

Amendment 34, in clause 2, page 9, leave out lines 14 to 16.

This amendment is consequential on Amendment 23.

Amendment 35, in clause 2, page 9, leave out from the beginning of line 38 to the end of line 13 on page 10.

This amendment is consequential on Amendment 23.

Amendment 36, in clause 2, page 11, leave out lines 17 to 29.

This amendment is consequential on Amendment 23.

Amendment 37, in clause 2, page 11, leave out lines 32 and 33.

This amendment is consequential on Amendment 23.

Stuart C. McDonald

First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.

Tom Tugendhat

Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.

Stuart C. McDonald

I am grateful for that. Could the Minister perhaps follow up on that in writing? That is useful to have on the record.

This discussion is mainly about amendment 23; the other amendments are all consequential. Basically, the amendments would remove the concept of category authorisations from the Bill. Again, I take the same approach as the shadow Minister; I will not be pushing any of these amendments to a vote, but they are designed to probe and allow for debate on some of the important concepts in the Bill.

It is this clause, and the notion of category authorisations, that leads to the restricted judicial oversight of the “low or no” categories that are being retained. It would be useful for the Minister to give us an example here of what a category authorisation might look like. I am not on the ISC, so it is hard for me to understand exactly how broadly they might be drafted. I absolutely appreciate that there are operational reasons why the Government might have to be careful about the examples they give. However, to provide some reassurance, I am sure it would be possible to put on record what one of these authorisations might look like, just so we know how broadly they will be drafted, or indeed how focused they will be.

The Minister spoke a little about oversight at the end of his previous contribution, but it is the oversight of category authorisations that causes me some concern. The tests for a category authorisation set out in proposed new section 226BA of the Investigatory Powers Act 2016 are simply that it must be classed as “low or no” and that the decision has been approved by a judicial commissioner. There are none of the other tests that are set out for the individual authorisation, such as it being necessary for the

“exercise of any function of the intelligence service,”

that it

“is proportionate to what is sought to be achieved,”

or that there are various arrangements in place.

It seems to me that the degree of oversight at the stage of granting a category authorisation is far more restricted. That has a knock-on consequence: when the judicial commissioner comes to review the granting of a category authorisation, they are only then considering whether it applies to a “low or no” group of datasets. The judicial commissioner, even on the low-level judicial review criteria, does not look at whether the category authorisation will be necessary or proportionate, or any of the other tests for the other authorisation.

Sir John Hayes

I do not want to do the Minister’s job for him, because I am sure he will say this anyway, but when an application is made by an agency for the acquisition and retention of bulk personal datasets, a specific case needs to be made in the warrant application, and a particular case has to be made where that application applies to exceptional material. That case is considered through the double-lock mechanism by both the judicial commissioner and the Minister. That case needs to specify the reason that it is necessary for operational purposes.

Stuart C. McDonald

It is useful to have that explanation. I understand that is the existing process, as the 2016 Act applies just now. However, my simple question concerns the fact that that does not seem to be what is set out here.

Tom Tugendhat

I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.

Stuart C. McDonald

That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.

That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.

My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?

Tom Tugendhat

I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.

The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.

A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.

That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.

Stuart C. McDonald

I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.

Tom Tugendhat

May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.

Stuart C. McDonald

Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.

I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Dan Jarvis

I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—

“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”

This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.

--- Later in debate ---
The Chair

I remind members of the public to please turn their electronic devices to silent as well.

Stuart C. McDonald

I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.

Tom Tugendhat

If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.

On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.

Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.

--- Later in debate ---
Stuart C. McDonald

I fully understand the questions that have been proposed by the shadow Minister, and it will be interesting to hear the answers that he gets.

On clause 5, it makes sense to ensure that access to third-party bulk personal datasets is subject to the general Investigatory Powers Act scheme and oversight regime, including the double lock. Of course, we had extensive debates back in 2016 on whether that double lock was strong enough. My party argued that the judicial review standard was not tough enough and that we should be asking judicial commissioners to look at the positions again on their merits. But we lost that battle, and we are where we are.

Some of these datasets will include hugely personal information on internet searches and shopping history. These profiles can build up a pretty intrusive picture of how we go about our lives, and sometimes not very accurately. We are also talking expressly about personal datasets, which could include health data. That is on the face of the Bill. Does the Minister envisage that such access will be used only to make inquiries on subjects of particular interest, or will it be used for broader trawls of information?

As set out in the letter from the Chair of the Joint Committee on Human Rights, there is also concern about how this provision will apply to datasets that have been obtained unlawfully. Should there be additional safeguards on the use of illegally obtained data? What is the Government’s thinking on that?

Investigatory Powers (Amendment) Bill [ Lords ] (Second sitting) Debate

Department: Home Office

Stuart C McDonald Excerpts
Committee stage & Report stage
Thursday 7th March 2024

Public Bill Committees

Tom Tugendhat

Clause 11 will ensure that there is clarity for telecommunications operators operating within the IPA framework about which regulatory body certain personal data breaches should be notified to. It also provides a statutory basis for the Investigatory Powers Commissioner being notified of such breaches. Without this change, there will be confusion about personal data reporting obligations and a regulatory gap in respect of certain personal data breaches by telecommunications operators not being dealt with by the appropriate regulatory body. The clause also ensures that an individual affected by a personal data breach can be notified of the breach by the Investigatory Powers Commissioner, if the IPC deems it to be in the public interest to do so. This will enable them to seek remedy from the Investigatory Powers Tribunal.

Government amendments 1 and 2 build upon the provisions already contained in clause 11 by providing a clear route to redress for those affected by personal data breaches committed by telecommunications operators. They ensure that the Investigatory Powers Tribunal has the jurisdiction to consider and determine complaints about personal data breaches committed by TOs and grant a remedy. The IPT already has significant experience of considering complaints from individuals who believe they have been the victim of unlawful interference by public authorities. It is therefore the appropriate forum to consider complaints regarding certain personal data breaches.

Amendment 1 agreed to.

Amendment made: 2, in clause 11, page 32, line 19, at end insert—

‘(1A) In section 65 of the Regulation of Investigatory Powers Act 2000 (the Tribunal)—

(a) in subsection (2), after paragraph (b) insert—

“(ba) to consider and determine any complaints made to them which, in accordance with subsection (4AA), are complaints for which the Tribunal is the appropriate forum;”

(b) after subsection (4) insert—

“(4AA) The Tribunal is the appropriate forum for a complaint if it is a complaint by an individual about a relevant personal data breach.

(4AB) In subsection (4AA) “relevant personal data breach” means a personal data breach that the individual is informed of under section 235A(5) of the Investigatory Powers Act 2016 (serious personal data breaches).”

(1B) In section 67 of the Regulation of Investigatory Powers Act 2000 (exercise of the Tribunal’s jurisdiction)—

(a) in subsection (1)(b), after “65(2)(b)” insert “, (ba)”;

(b) in subsection (5)—

(i) the words from “section” to the end become paragraph (a), and

(ii) after that paragraph insert “, or

(b) section 65(2)(ba) if it is made more than one year after the personal data breach to which it relates.”

(c) in subsection (6), for “reference” substitute “complaint or reference has been”.

(1C) In section 68 of the Regulation of Investigatory Powers Act 2000 (Tribunal procedure), for subsection (8) substitute—

“(8) In this section “relevant Commissioner” means—

(a) the Investigatory Powers Commissioner or any other Judicial Commissioner,

(b) the Investigatory Powers Commissioner for Northern Ireland, or

(c) the Information Commissioner.”’—(Tom Tugendhat.)

This amendment provides for the Investigatory Powers Tribunal to be the appropriate forum for complaints by individuals about certain personal data breaches reported to the Investigatory Powers Commissioner under section 235A of the Investigatory Powers Act 2016 (personal data breaches).

Clause 11, as amended, ordered to stand part of the Bill.

Clause 12

Offence of unlawfully obtaining communications data

Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

I beg to move amendment 39, clause 12, page 33, leave out lines 16 and 17.

This amendment would remove one of the example cases where a relevant person has lawful authority to obtain communications data from a telecommunications operator or postal operator, being where the data has been “published”.

The Chair

With this it will be convenient to discuss the following:

Clause stand part.

Clauses 13 and 14 stand part.

The schedule.

Stuart C. McDonald

The clause relates to section 11 of the Investigatory Powers Act 2016, which created an offence where a relevant public authority knowingly or recklessly obtained communications data from a telecoms or postal operator without lawful authority. That is an extra protection against unlawful invasions of privacy by public authorities. Comms data can of course be vital to prevent serious crime or to assist in missing persons investigations, but it can also be seriously invasive if not monitored, as such data can reveal all sorts of details about our lives and the people that we are linked with. The clause makes changes to that offence.

It is said that there is a lack of clarity around the concept of lawful authority, so the clause includes some examples of what lawful authority is. Most are uncontroversial—for example, where there is a statutory basis for gathering the data, where there is a relevant court order or an authorisation, or where it is obtained to respond to a call to the emergency services. However, we contest the assertion that new subsection (3A)(e) is a proper example of lawful authority, referring to:

“where the communications data had been published before the relevant person obtained it”.

We are concerned that that is not a correct expression of the law as it stands.

The simple fact of data being published is not in and of itself lawful authority for it to be obtained and subject to surveillance. The fact that I publish a Facebook post at such and such a time in such and such a place does not give public authorities the right to seek it from Facebook. In fact, on a Zoom meeting about a controversial political campaign, it cannot be the case that Zoom can then be ordered by the police to obtain the relevant communications data simply because the data was published and available to those who attended the meeting.

We need a very careful explanation from the Minister about what precisely is intended by the example in paragraph (e) because as drafted—again, it depends on how we interpret these things—it seems to be open to an interpretation that anything even semi-publicly available can be obtained by public authorities without anything more.

Tom Tugendhat

I will speak more widely to clause 12 before addressing the amendment. The clause does not create new routes to obtain communications data outside the Investigatory Powers Act. Rather, it provides examples of existing routes to acquire communications data in order to put the existing position, as set out in the communications data code of practice, on to a statutory footing. This will provide clarity that acquiring communications data in this way will amount to lawful authority for the purposes of the offence in section 11 of the IPA. It makes it clear that sharing of communications data between public bodies is lawful. It is not the intention of section 11 to discourage public sector sharing of data when administering public services for purposes such as fraud prevention. Clause 12 puts that beyond doubt.

While discussing clause 12, I will take the opportunity to set out that a communications data authorisation can amount to lawful authority to require a telecommunications operator to carry out any necessary activity on their systems to enable or facilitate the obtaining of the relevant communications data. The list of examples of what will amount to lawful authority in clause 12 will provide additional clarity to the existing drafting of section 60A(5) in the Investigatory Powers Act, which sets out what can be authorised under part 3 for the purposes of acquiring communications data.

I would also like to address an inconsistency with paragraph 176 of the explanatory notes for the 2016 Act and the conduct that the Act permits. To be clear, a communications data authorisation may authorise interference with equipment by a person where that is done to enable or facilitate the acquisition of communications data for the purposes of identifying an entity as well as information about their previous or current location.

The Government do not support amendment 39, moved by the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East. Additional authority for published material should not be required for its disclosure by a telecommunications operator to a public authority when that data has been disclosed with the consent of that operator. The consent of the operator provides the lawful authority for the obtaining of the previously published communications data, which public authorities can rely on. It places the existing position, set out in paragraph 15.11 of the communications data code of practice, on a primary legislative footing. It does not create new acquisition routes.

Clause 13 amends the definition of communications data to include subscriber and account data, ensuring that this communications data is available to investigators with an IPA part 3, even if it is transmitted as the content of the message. That is not a broadening of the definition but a clarification of scope. “Subscriber data”, or “account data”, includes the details provided when someone completes an online registration form for a telecommunications service or system. This change overcomes the current uncertainty for investigators about the data types that will be “communications data” and therefore available to them.

Clause 14 restores the general information gathering powers to regulatory or supervisory bodies, which were repealed by section 12 of the 2016 Act. It will ensure that public authorities will be able to utilise their own pre-existing statutory powers to acquire communications data for civil purposes. These are existing statutory powers that have been conferred on public authorities by Parliament—for example, in the regulation of the financial markets to ensure market stability.

Since 2016, the data sought has increasingly moved online and is now being caught by the definition of “communications data” in the 2016 Act. For example, His Majesty’s Treasury is responsible for the civil enforcement of financial sanctions regulations. Some information that is essential in carrying out its civil enforcement functions, such as the timestamp of an online banking transaction, is now communications data, and His Majesty’s Treasury cannot currently use its powers to compel that information to be provided by a telecommunications operator. Communications data is available under the IPA only if the matter under investigation is a serious crime, and so is out of reach for public authorities exercising civil enforcement functions.

Stuart C. McDonald

I thank the Minister for his response and his explanation. We will of course take that away and give it consideration again. He has referred to codes of practice being put into statute, so we will go away and look at those codes of practice. Of course, codes of practice can sometimes be inconsistent with various laws as well, so this is not necessarily the end of the matter. It would be helpful if the Minister could perhaps—in writing, or perhaps we will have to revisit it on Report—look at the specific examples that I gave and just explain whether or not those amount to prior publications of comms data.

Tom Tugendhat

I am very happy to write to the hon. Gentleman.

Stuart C. McDonald

I very much appreciate that, and that will hopefully help to clear things up before we get to the next stage of proceedings. I will withdraw the amendment.

The Chair

The question is that clause—

--- Later in debate ---
Sir John Hayes

I had it printed out on parchment.

Stuart C. McDonald

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 12 ordered to stand part of the Bill.

Clauses 13 and 14 ordered to stand part of the Bill.

Schedule agreed to.

Clause 15

Internet connection records

Question proposed, That the clause stand part of the Bill.

Tom Tugendhat

The changes made by clause 15 should transform the intelligence services and the National Crime Agency’s ability to detect serious criminals and those seeking to undermine national security. Current internet connection record conditions only enable identification of individuals involved in known events. That means an investigator must know the date, time and service being used, preventing identification of offenders where they cannot be linked to a specific time of access. For example, where analysis of a seized device identifies a site serving images of child sexual exploitation, it would not currently be possible to search ICRs for subjects accessing that site beyond a specific known event. New condition D would help to identify other subjects accessing those sites. This will not be a fishing exercise. As with all investigatory powers, the case for requesting ICR data must be necessary, proportionate and intelligence-led. As Committee members will have heard this week, the benefit to the agencies is in being more, not less, specific.

The new condition will be subject to robust safeguards, including limiting the statutory purposes available, stringent necessity and proportionality requirements and independent oversight, including regular inspections by the Investigatory Powers Commissioner’s Office. Where internal authorisation takes place for urgent and national security-related applications, authorising officers must be independent of the operation and not in the line management chain of the applicant. If an investigator knowingly or recklessly obtained ICRs—for example, if the request was clearly not proportionate—they would be at risk of having committed a section 11 offence of unlawfully obtaining communications data, which can result in a fine or imprisonment.

Stuart C. McDonald

We are now looking at internet connection records. Whether we are for or against the provisions, the requirement in 2016 for companies to generate and provide internet connection records was a radical departure and makes the UK something of an outlier: as I understand it, there is no other European or Five Eyes country that allows the same sort of requirements to be made, certainly in relation to its own citizens.

As the Minister explained, there are various conditions on who can access the records. At present, the investigating bodies need to know which personal device they are looking for ICRs in relation to or know a specific time when a website was accessed to identify who was responsible for the events of interest to them. There is some judicial oversight, but not always. We are being asked to move a little further from that already fairly radical starting point and remove the need for a particular time to be identified, so as to have a general look at who uses certain internet sites and services over broader grades of time. That risks moving us step by step away from suspicion-based surveillance towards broader mass surveillance. People become targets of surveillance because of websites they have visited that are not only of questionable ethics, but potentially in breach of article 18 of the European convention on human rights. Various examples of how that might work are given in the explanatory notes, particularly in paragraph 120.

The Minister also gave some examples in relation to access to sites that are clearly illegal. I was quite surprised to learn that there are not already other powers that can be used to investigate who is engaging with such sites. If that is not the case, why not confine the power to sites that are clearly illegal in and of themselves, rather than enabling a trawling of data in relation to other sites that are not? I am not a tech geek, as will become more and more apparent the more that we debate the Bill, but the explanatory notes themselves confirm that there is a danger of and huge susceptibility to error here. Paragraph 123 says:

“Whilst clearly having the potential to provide significant operational utility it is recognised that such queries are highly susceptible to imprecise construction. As a result, additional safeguards are proposed in this Bill with the intention of managing access to this new Condition and mitigating public concerns.”

I am not absolutely convinced by the additional safeguards that follow in paragraph 124, which seem to revolve around training and various other requirements.

At the very least, I would prefer to see us go for independent judicial oversight in all cases, including authorisations under condition D2. As I understand it, under condition D1 a judicial commissioner would need to authorise what has been sought, but under condition D2 it could be internal. If the Minister wants us to expand the powers without the need for judicial authorisation in all cases, he needs to explain how often he expects the powers to be used and why judicial commissioner involvement in all such cases would not be realistic. Are there not other ways in which we can make this work while still retaining judicial oversight in all cases under the new provisions? I understand what the goals are here, but this is an example where it could be framed more narrowly and oversight could be strengthened.

Mr Kevan Jones

I agree with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East, and the ISC feels strongly on this issue. We are clearly speaking English and the Minister is speaking Japanese, because this is about understanding what is actually being given to the agencies without any judicial oversight, which is being dismissed as if these powers are no greater or more intrusive.

As the Committee will know, under the IPA an internet connection record is a form of communications data. It contains data on who has accessed something: it does not actually provide the content of what they have seen or been in contact with. However, under the IPA information can be sought to develop knowledge of who is speaking to who. I think the ISC see the value of this for not only security services but issues around child protection and organised crime, as has already been argued. We are giving the security services and agencies a degree of authorisation here, which I would argue they have not had up until now.

We then come to the argument made by the Minister and the Government that these regulations are not any more intrusive than what we have at the moment. I would argue differently because the power is broad. Previously, targeted discovery condition A, under section 62 of the IPA, required that the agency and officer know the service and precise time of use to discover the identity of an individual, so that they actually know what they are targeting. The Minister used the words “fishing expedition”—this regulation will be a fishing expedition. By default, it will bring in a broader range of individuals who have nothing to do with the target the agencies are looking at the time and connection records for, and are of no interest to the agencies or anybody else.

The Government are arguing that this regulation is no more intrusive—but it is, if we are dragging in a large number of people in that way. Actually, by not having any judicial oversight, they are allowing the agencies to agree that internally. Although the intrusion is not deeper, it is certainly a lot broader than what we have at the moment. The Bill says that the new powers can only be used for “national security” and the catch-all phrase

“economic well-being of the United Kingdom”.

I am still yet to be convinced of that terminology, but I understand that the Minister and the civil service like consistency across Bills, and that is why it is in this Bill.

Under sections 60A and 61 of the IPA, requests to obtain an ICR are like requests to obtain other communication data: they have to be “necessary and proportionate”, which runs through all of this. Again, the Government are allowing the agencies to decide what is necessary and proportionate. I am not suggesting for one minute that they are going to go on a fishing expedition, but again there is a problem with the Government’s approach to the Bill, and certainly with the agencies’ approach. They want these powers, and I do not personally have an objection, but we have to look at how other people, who are not drowned in the detail of this Bill, will perceive them. Some opponents would say, “Why should I be dragged into this?” It is really about giving public confidence; as the right hon. Member for South Holland and The Deepings said this morning, when the IPA was passed, it was about trying to reassure people.

It would be very simple to ensure that this regulation has independent judicial oversight, as the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East has just said. I know the catch-all phrase that the Minister will come back with, because I am a quick learner: he will say, “The IPC has the ability to look back at anything.” Again, that is the haystack—where is the needle? It would be better and more reassuring if they were to have some judicial approval in advance. I will give the Committee one example. Let us suppose that we are looking at train records and patterns of behaviour on WhatsApp or a train-ticketing website. There is possibly a valid reason to do that—to see someone’s patterns of travel, and so on—but it will scoop up a lot of innocent internet users. The assurance here is that they will not be of interest and therefore they will not be part of it, but their information is being dragged into the system. Then a decision has to be made as to which ones people are interested in and which ones they are not.

That is a big change. I accept that it would not be the exact content that somebody accessed, but the connections would be there. It does not sit comfortably with me to leave such a big change to the security services. Knowing them as well as I do, I do not suspect that they will use the provision illegally or for alternative motives, but we have to reassure the public, and I do not think this does that. Would that be onerous? I am not sure that it would be. This comes back to the point that we have made about the ISC all the way through. If we are giving the security services extra powers, we need the counterbalance of a safeguard.

As the right hon. Member for South Holland and The Deepings said this morning, that was exactly how the IPA was approached. Clearly, he was a very good Minister, because he accepted amendments and suggestions, whereas only one has been accepted for this Bill so far. The Minister spoke this morning about working with the ISC. The Minister speaks to us, but he does not necessarily listen to what we say or take a great deal of interest in what we propose. This is an important point. It comes back to the fundamental point that if extra powers are going to be given, it is only right that they come with responsibilities and safeguards.

New condition D removes the existing requirement for the exact service and the precise time of use to be known. Basically, it will now be possible to do a sweep, which will mean dragging people in. Therefore, I cannot see the problem in having some oversight of these powers. I would like to know why the Minister thinks that condition D is not more intrusive. It is more intrusive, because a lot more people will be affected by it. I think the Government are hiding behind the idea that because it is not possible to identify what the individuals have actually seen, it is not really interesting. If that is the case, why have it in the first place? I know the reason for that, but it would be interesting to know what thought has gone into this and how many people will be dragged in. It obviously depends on how the provision would be used in practice. If we went down the street and said to people that we are giving these powers without any judicial oversight—the Minister will say that IPCO can always look at it, and I understand all that—I think that most people would be quite worried. We would give reassurance by providing that important oversight.

This provision certainly needs to be looked at. Is it of benefit and am I convinced that this is a new power that the agencies need? I am, and I think it is right, but coming back to the previous point, we have to ensure that we do not do anything that undermines what is done or that gives ammunition to those people who want to cast aspersions on what is actually done.

I think I know the arguments that the Minister will put forward. We will no doubt come back to this matter on Report, when there will, I think, be amendments from members of the Committee; and if we have an election wash-up, this is one proposal that I think will be pressed by the Opposition.

--- Later in debate ---
Tom Tugendhat

The right hon. Gentleman is creating his own haystack here. Although I hope as ever that this power will be used only exceptionally rarely, sadly the nature of serious and organised crime and terror in this country means that it will be used more often. There is a slight misunderstanding as to how this will be used. Targeting a train website or a single authority would not be proportionate or meet the necessity provisions within the Bill. It would be neither necessary nor proportionate. In fact, it would be unnecessary and would be vastly disproportionate, because it would be a mass collection exercise that would neither be targeted in a way that would satisfy the proportionality requirement, and nor would it give a useful answer—it would give such bulk data as to be useless—and therefore it would not be necessary.

The whole point of this is that it sets out a series of conditions in which these powers could be used—perhaps against a certain website, that is true—but on the basis of intelligence. It would have to have a particular cause and a particular time. This is not a Venn diagram with a single circle, but a Venn diagram with four or five circles; it must be in the centre of those for it to be necessary and proportionate.

Stuart C. McDonald

I would be reassured if there was independent advanced judicial oversight. The Minister has said a couple of times that the powers will be used “exceptionally”. What is the difficulty in making sure that there is an exception for urgent cases of advanced judicial authorisation for use of these powers?

Tom Tugendhat

“Exceptional” does not mean that there is necessarily huge amounts of time to act; exceptional means that the seriousness of the offence is extremely grave. These powers are for things such as child sexual exploitation. I wish it were not so, but even in this country, the police very often have to act extremely speedily to prevent harm to a child and sometimes, very sadly, multiple children. They have also to act extremely speedily to prevent terrorist plots or other forms of very serious organised violence or criminal activity.

That is why “exceptional” does not necessarily mean that it can be dealt with in a procedural way over a number of weeks; exceptional may mean absolutely pressing as well, and that is what this is designed for. The right hon. Member for North Durham may have been aware from briefings that I believe he has received that, in some circumstances, this Bill will reduce the time taken to interrupt serious abuse of children, from months and occasionally years down to days and weeks. That is surely an absolutely essential thing to do, but that will not work unless these powers are used according to the Act, with the important words being “proportionate” and “necessary”. The reason I repeat those words is that were the intelligence services to go on some sort of fishing expedition—and I know that the right hon. Gentleman is not suggesting that they would—that would not be legally permissible under this Act and nor would it achieve the required results, because it would turn up so much data that it would simply be an unusable, vast collection of fluff. Effectively, instead of targeting the needle, they would have merely collected another haystack.

--- Later in debate ---
Stuart C. McDonald

As I understand it, the Minister is describing the powers that already exist under the 2016 Act. If we are down to that level of knowledge of where, when and who, then what in the Bill goes beyond that? I do not follow.

Tom Tugendhat

In the existing Act, one would have to be entirely specific about a particular time. It could not be 5.30 pm to 6.30 pm; an internet connection record could be done only at 5.30 pm exactly. The Bill extends that a bit, but it still has to be very targeted. This is a proportionate change in the law to allow the intelligence services to collect information that would enable the targeting of serious and organised crime.

--- Later in debate ---
Tom Tugendhat

Section 87(4) of the IPA provides that a data retention notice cannot require the operator to retain so-called “third party data”. There is no intention to revisit the principle of this important provision, but technological advancements have highlighted some discrete and unintended consequences. For example, the Secretary of State is prevented from placing communications data retention obligations on a UK telecommunications operator in relation to data associated with users of a foreign SIM card within the UK.

Clause 16 addresses those unintended consequences and makes an exception for that data within Section 87(4), so that data in relation to roamers using a foreign SIM in the UK would be treated in an equivalent way to the data that could be retained in relation to users of UK SIM cards. Clause 16 also clarifies that communication data required for an internet connection record can be subject to a data retention notice. All existing safeguards will continue to apply.

Continuing to clause 17, the IPA already has extraterritorial effect. Data retention notices—or DRNs—and interception technical capability notices—or TCNs—can be given to a person overseas where there is an operational requirement, and it is necessary and proportionate to do so. However, only TCNs are currently enforceable in relation to a person overseas.

Clause 17 amends sections 95 and 97 of the IPA to allow extraterritorial enforcement of DRNs, if required, for UK security purposes when addressing emerging technology and the increasing volume of data being held overseas, bringing them in line with interception TCNs. It is vital to have this further legal lever, if needed, to maintain the capabilities that the intelligence and law enforcement agencies need to access the communications data that they need to in the interests of national security and to tackle serious crime.

Stuart C. McDonald

I have some comments to make about extraterritoriality, but I will do so in the next debate.

Question put and agreed to.

Clause 16 accordingly ordered to stand part of the Bill.

Clause 17 ordered to stand part of the Bill.

Clause 18

Review of notices by the Secretary of State

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 19 stand part.

Dan Jarvis

I will be very brief. I am grateful for the Minister’s remarks, but I want to raise the concerns of some telecommunications operators and of organisations representing the sector about clauses 18 and 19. These include a view that the role of the proposed new notices regime would hinder and even veto product development.

I know that the Minister and his Department have engaged with stakeholders about those concerns, as have Labour Members. I would be grateful if the Minister briefly set out whether recent engagement has taken place with stakeholders with regard to these matters, and whether he has any further plans to address the concerns that they have expressed about clauses 18 and 19.

Stuart C. McDonald

I want to make a similar case. We are now getting into territory where I struggle to understand exactly what is going on, because I am not a tech geek. We are speeding past this measure almost as if it were inconsequential, but the language in some of the briefings that we have received about it is pretty dramatic.

The bundle that was emailed to Committee members this morning includes evidence from Apple that I think needs to be addressed:

“At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact…ability to access private user data.”

Apple summarises the suite of clauses that the Committee is considering, including the requirement in clause 18 to maintain the status quo during the review process, as allowing the Secretary of State

“to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.”

Given the new definition of “telecommunications operator” in clause 19, Apple has also warned that there will be serious implications for conflicts with other laws, including the EU GDPR and with US legislation.

As well as Apple, we have heard from various other organisations. TechUK has highlighted problems with broadening the definition of “telecommunications provider” before control of provision of a telecoms service, including to UK users, is established overseas. It also highlights the potential conflict of laws. What if the domestic law in the country in which a company is based does not allow for compliance with the notice that the Home Secretary has delivered? That company might not even be able to raise the issue of a conflict of laws, because it would be sworn to secrecy under the Bill.

According to TechUK, the proposed changes mark a departure in the way that the UK approaches the extraterritorial reach of the UK or UK laws and the consequential conflicts of laws. That was all recognised in the 2016 Act, in which a partial solution was found in the form of a UK-US agreement. Currently, however, the Government have not set out any plans to work towards equivalent solutions.

In relation to clause 21, I will raise similar concerns from other experts, but it is clear that some very serious companies and organisations have significant concerns about what the combination of these notices may end up delivering. Those concerns need addressed.

Tom Tugendhat

I thank hon. Members for the spirit in which they have engaged. To be clear, it is absolutely right that we listen to representations from companies around the world, as I am absolutely sure all Members across the House would expect. We are still engaged in conversations: the Home Secretary was on the west coast of the United States only last week, I think, and I maintain regular communication with many different companies, including many of the same companies to which the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East referred.

Let me be quite clear about one aspect. There is a real challenge here, and it is absolutely worth getting to the heart of it. The way in which communications data has evolved means that there are now jurisdictions in which the UK cannot protect its citizens without the co-operation of certain companies overseas. That was always bound to happen to a certain degree, but it is now very much the case: I do not know whether the hon. Gentleman has children, but he will know that many children use tablets and internet-connected devices in their bedroom.

The reach of these companies into the personal life of children in our country has to be a matter of concern to the British Government—it just has to be. The question is who governs these spaces. Are they governed by the association agreements and terms and conditions of the companies, or are they governed by the laws of the United Kingdom passed by Members of this House, of whichever party? That is the fundamental question.

The jurisdiction of this House must be sovereign. If sovereignty is to mean anything, it must mean the ability to protect our children from serious harm. That is basic. Under the IPA and previous legislation going back to the 1980s, this House has always exercised a certain element of influence. Yes, the Bill is extraterritorial, but so are many other Bills that this House passes in relation to the protection of our citizens and our interests. We can have operational reach further than the UK border in order to protect our citizens. That is what we are doing here, and that is what makes it proportional.

It is true that there are conflicts of interest that we have to resolve. I must be honest with the hon. Gentleman: this has come up before. It has even come up in my time. It is something that we have to look at in order to ensure that we address those conflicts and see where the balance of proportionality lies.

It is our very good fortune that many of the conflicts arise between jurisdictions with which we are extremely close. The United States, for example, is an extremely close ally. We regularly—in fact, I regularly—have conversations with the US Justice Department and others to make sure that we manage those conflicts of interest in the best interests of all our citizens. It is unusual for us not to find a resolution, but there are means of dispute resolution when we do not. Although I take the hon. Gentleman’s point, it is not exceptional for companies rightly and understandably to defend their interests where they feel that they have a commercial advantage. That is, of course, reasonable.

The reality is that we are not stopping companies doing anything; we are asking them not to change our ability to protect our citizens, until we have found a fix. If they want to introduce a new product or service or change the way they operate, that is fine: it is nothing to do with us. All we ask is that they maintain our ability to protect our citizens during that translation and into the future.

Stuart C. McDonald

I will come on later to another line of argument that relates to the unintended consequences of these permissions, but for now I have a specific question. The Minister has spoken about how conflicts of law can be resolved. Is there not an added complication? If we put a notification notice—if we are calling it that—on a company, it cannot share the fact of that notification with anybody at all. Does that not make it well-nigh impossible to resolve the issue with conflicts of law?

Tom Tugendhat

Without going into details that it would be inappropriate to share: no, it does not. I can assure the hon. Member that this is a long-standing practice that has been tested, and it does operate.

On clause 19, I wish to put one further point on the record. The clause will amend the definition of a telecommunications operator, out of an abundance of caution, to ensure that the IPA continues to apply to those to whom it was intended to apply, building on the work that my right hon. Friend the Member for South Holland and The Deepings has laid out. There are circumstances in which a telecommunications system that is used to provide a telecommunications service to persons in the United Kingdom is not itself controlled from the United Kingdom; we have talked about some of those services. The clause will ensure that multinational companies are covered in their totality in the context of the IPA, rather than just specific entities.

Clause 19 does not seek to bring additional companies within the scope of the definition, nor does it seek to constrain how a company structures itself. It is a clarificatory amendment that will improve the effectiveness and efficiency of the regime and the process of giving notices.

Question put and agreed to.

Clause 18 accordingly ordered to stand part of the Bill.

Clause 19 ordered to stand part of the Bill.

Clause 20

Renewal of notices

Question proposed, That the clause stand part of the Bill.

--- Later in debate ---
Tom Tugendhat

Clause 21 is required to safeguard lawful access to critical data, which is needed by law enforcement and intelligence agencies to keep the public safe from serious threats such as terrorism and child sexual exploitation.

Technology has advanced rapidly since 2016, presenting a risk to lawful access capabilities. Notification notices have been introduced in response to technological advancements and will require relevant operators who provide, or are expected to provide, lawful access to data of significant operational value to inform the Secretary of State of any technical changes that they intend to make that will have an impact on existing lawful access capabilities.

The requirement will apply only to relevant services or systems specified within the notice, which will be agreed in consultation with the operator, prior to the notice being given, and will not necessarily apply to all elements of their business. It should be noted that technical capability notices already contain a notification requirement; this is not a new concept to the IPA. The clause replicates the power as a standalone obligation within notification notices.

To be clear, there is no ability within the notification process for the Secretary of State to delay, prevent or alter the roll-out of the operator’s intended change. The requirement is needed to provide the Secretary of State—and, by extension, operational partners—with time to identify and evaluate any potential impact that the change may have on lawful access capabilities. It will also be important in giving operational partners time to adjust their ways of working to ensure that lawful access is maintained. The primary objective of the obligation is to create an opportunity for collaborative working between operators and Government to protect the crucial capabilities required to keep people safe.

Amendments 6 to 13 are minor and technical amendments to ensure consistency of language throughout the clause and the IPA.

Stuart C. McDonald

I want to pursue another line of argument that has been put to members of the Committee. I spoke earlier about the principles of the notification regime; I now want to probe the Government on the extent to which they have considered the possible unintended consequences of setting it up.

The evidence circulated this morning includes a letter from academics and experts from the United Kingdom and across North America, who express considerable concern about the outcome of the proposal. During the last debate, the Minister explained that the justification is that companies from across the world have a reach into children’s homes in the United Kingdom, and it is the duty of this Parliament and legislators to keep them safe. I do not think anyone would dispute that at all.

The experts argue that an unintended consequence of being as radical as the proposal in the Bill is that citizens in the United Kingdom could be less safe. Although the Government are trying to restrict the scope of the regime to what happens in the United Kingdom, in reality it will mean that certain updates and security features will not be rolled out to the United Kingdom. In fact, certain organisations may think twice about developing products for the UK market at all.

I am way outside my comfort zone, so I will go straight to what the experts argue in their evidence:

“If enacted, these proposals would have disastrous consequences for the security of users of services operating in the UK, by introducing bureaucratic hurdles that slow the development and deployment of security updates. They would orchestrate a situation in which the UK Government effectively directs how technology is built and maintained, significantly undermining user trust in the safety and security of services and products.”

They argue that this contains a significant risk of increased cyber-crime, as well as of endangering the encryption of important services. They conclude that

“these proposals are anathema to the best interests of UK citizens and businesses and internet users everywhere, and contradict universally accepted security best practices.”

I want to probe the Government on the extent to which they have considered the possible unintended consequences of how these companies may react to their proposals.

Tom Tugendhat

I thank the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East for the way in which he has approached the issue, and I am grateful to him for raising it, but I simply disagree. I disagree on the basis of advice that I have received from intelligence services, from UK-based companies, from the National Cyber Security Centre and indeed from many others.

Let us be quite clear. A notification notice does not create any conflicts of law, prevent any updates or prevent the application of any security patches. The only thing that it does is ask a company to keep the UK Government informed if it is going to change the way the UK Government will be able to protect British people. That has led to somewhat more caution in the reading than is necessary in reality; I have had many conversations with companies about that.

Stuart C. McDonald

This is a difficult area, but as I understand it, the argument is not that the notification notices themselves have that issue, but that the combination of notices, together with the technical capability notice, the new provisions in relation to review and the status quo, could give the Government that sort of power. That is the argument.

Tom Tugendhat

I hear the hon. Gentleman’s point. I will just say that many of these powers have been in place for a significant period. The situation that he describes is not one that we have found or noticed in any way at all. I believe that this is a case of people gilding a lily to turn it into lead.

Amendment 6 agreed to.

Amendments made: 7, in clause 21, page 45, line 8, leave out “person’s” and insert “relevant operator’s”.

See amendment 6.

Amendment 8, in clause 21, page 45, line 29, at end insert—

“‘relevant operator’ has the same meaning as in that section.”

See amendment 6.

Amendment 9, in clause 21, page 45, line 35, leave out “notice, as varied,” and insert “variation”.

This amendment provides that references to the variation of a notice are used consistently in Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

Amendment 10, in clause 21, page 46, line 2, leave out first “person” and insert “relevant operator”.

See amendment 6.

Amendment 11, in clause 21, page 46, line 2, leave out second “person” and insert “relevant operator”.

See amendment 6.

Amendment 12, in clause 21, page 46, line 5, leave out “person” and insert “relevant operator”.

See amendment 6.

Amendment 13, in clause 21, page 46, line 6, leave out “person” and insert “relevant operator”—(Tom Tugendhat.)

See amendment 6.

Clause 21, as amended, ordered to stand part of the Bill.

Clause 22

Interception and examination of communications: Members of Parliament etc

--- Later in debate ---
The ISC is the only Committee of Parliament that can appropriately hold a Prime Minister to account on investigatory powers. There must be accountability at the highest levels for decisions to issue warrants using investigatory powers affecting Members and wider national security, and the Prime Minister should not be an exception in that regard. The breaking of what has been a long-established convention has been unfortunate to say the least. As the years pass, there is now a risk of a new convention being created of the Prime Minister not appearing in front of the ISC. If it now seems necessary to codify a requirement for the Prime Minister to appear in front of the ISC, I hope the Minister will carefully consider what provision should be in place to ensure that the Prime Minister does appear.

Stuart C. McDonald

I shall speak to new clause 4. We are discussing our very important role as legislators—people who have to scrutinise the Government to represent our constituents. Any interference with that role, and any surveillance of us, is a matter of great significance and some controversy, so there should be as much oversight and transparency as possible. I am not a member of the ISC, and I do not know whether this is something the Minister will be able to tell us, but I would be interested to know how often powers have been used to institute surveillance on MPs in each and every of the past few years.

New clause 4 allows us to debate the possibility of post-surveillance notification. That proposal was debated in the House of Lords, but I think it is something that MPs should be alive to as well. Post-surveillance notification would give judicial commissioners a mandatory duty to notify parliamentarians subject to surveillance once a particular operation or investigation had ended. That would typically introduce a further safeguard to protect democracy and our role as legislators, and would ensure the Government are complying with their obligations under article 8 of the European convention on human rights.

Various objections were made to that line of argument in the House of Lords. For example, it was argued that notification would risk revealing sources or methods. That does not have to be the case; post-surveillance notification can inform an individual of the fact of past surveillance without having to disclose such information. Such a post-surveillance notification regime works in Germany, for example.

In particular, there would be no risk—this was alleged by the Government in the House of Lords—of affording judicial commissioners any operational decision-making power. That is because notification would occur only when a surveillance operation was no longer active and, secondly, any such notification regime could allow the judicial commissioner to consult whomever applied for the warrant in the first place. I am absolutely open to a discussion with the Government about the safeguards that would be needed to allow such a measure to be implemented.

The other line of argument pursued by the Government in the House of Lords was that redress is already available to parliamentarians through the Investigatory Powers Tribunal. As we all know, however, if someone does not know that they have been subject to surveillance, they have no reason to go to the tribunal in the first place.

This proposal is not without some difficulty, but it is worthy of discussion. The Government’s resistance to it has not always stacked up so far, so I look forward with interest to hearing what the Minister will say.

Tom Tugendhat

On the point about notification: forgive me, but it is inconceivable that it should be required in law to inform somebody that they have been subject to an investigation by the intelligence services in such a way. I would be delighted to discuss with the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East in a more secure environment why, for a whole series of reasons, that may not be such a good idea. On the question of the Prime Minister appearing before the ISC, my friend the hon. Member for Barnsley Central knows my views—I have expressed them on many occasions—but that is way above my pay grade.

Investigatory Powers (Amendment) Bill [Lords] Debate

Department: Home Office

It seems to me that, were we to have those restrictions, that would not inhibit the Government’s perfectly reasonable ability to stop people developing products that stop us applying the security controls that we all want to see to keep us safe, and would strike the balance better between the powers that the Government must have and the ability that we need commercial manufacturers and developers to have to develop new products that benefit consumers. I hope that the Minister will consider that point when he comes to think about the development of the legislation, but in view of what the right hon. Member for North Durham said, that is all I need to say.
Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

It is a pleasure to follow the right hon. and learned Member for Kenilworth and Southam (Sir Jeremy Wright), and to take part in what has already been a very thoughtful debate. We also had a very constructive Committee stage, so the amendments in my name and that of my hon. Friend the Member for Midlothian (Owen Thompson) are designed first to pose some further questions to the Minister, particularly in relation to the offence of unlawfully obtaining communications data, which we discussed in Committee. Secondly, and perhaps more significantly, we again seek to remedy some of the serious concerns that we continue to have about the Bill extending powers beyond what we regard as necessary and proportionate, and the absence of sufficient judicial oversight where such judicial oversight is really required.

First, and briefly, our amendment 13 builds on the discussion in Committee about the offence created by the 2016 Act that will be amended by clause 12. We argued in Committee that the so-called example of “lawful authority” for obtaining communications data in proposed new subsection (3A)(e) of the 2016 Act was an extension of the power rather than a restatement of it. The Minister countered that he was actually seeking only to put existing codes of practice into statute. There is obviously a line of argument that codes of practice do not always necessarily comply with the law, but having gone away to look at the codes of practice it seems that there is a difference between what is currently in the codes of practice and what is currently in the Bill. The wording of amendment 13 reflects the code; the wording of proposed new paragraph (e) seems potentially broader than that. The question for the Minister is why the wording is so different, and whether he can assure us that it is not meant to be interpreted any more broadly than the existing exception in the codes of practice.

The remaining amendments set out our more fundamental concerns with the Bill. In particular, there are three areas where we question the strength of the oversight regime: in relation to bulk personal datasets, internet connection records, and Government notices to companies under clause 21. We regard advanced judicial oversight as important and reassuring not just for members of the public but for those who are exercising the powers. Clause 2 on bulk personal datasets is the first example of where we believe that oversight is being unnecessarily watered down. We are told that the system of advanced judicial authorisation is causing delays and stifling operational flexibility, but to us the answer is to fix those logjams in the oversight system, not to water that system of oversight down. The case for a lighter-touch system of category authorisations has not been made to our satisfaction. That is why we tabled amendment 7, which would take out clause 2.

At the very minimum, why not strengthen the ex post facto oversight beyond annual reviews and reports? Amendment 11 highlights one way to do that, so that the judicial commissioners are reviewing whether what is being done under category authorisations is lawful, cancelling authorisations where that is not found to be the case, and ensuring therefore that we have a clear picture of how the new powers are being used. I noted with interest what the Minister said about the role of IPCO, which we absolutely regard as helpful. However, it would be insufficient, and certainly less robust than our proposal in amendment 11.

Sir Jeremy Wright

As the hon. Gentleman set out, amendment 11 would strengthen the hand of the judicial commissioner, and I have some sympathy with that. My concern is that his proposed new subsection (4) says:

“The Judicial Commissioner, on reviewing any notifications received under subsection (2), must cancel the category authorisation if the Commissioner considers that section 226A no longer applies to any dataset that falls within the category of datasets”.

I wonder why he thinks that the wrongful inclusion of one individual dataset in the category would invalidate the category as a whole, because that seems to me to be the effect of what that part of his amendment would do.

Stuart C. McDonald

I am grateful to the right hon. and learned Member for that intervention. He possibly makes a fair point. If I recall correctly, the wording of that proposed new subsection was borrowed from another part of the Bill. I might be wrong about that; I need to go away and have a look. I suppose the argument would simply be that if a category authorisation is to any extent being abused, it is right that the category authorisation is cancelled, and if somebody wants to come back with something similar, they can do so. However, I am not without sympathy to his point. I take it in the spirit in which it was intended, and will reflect upon it.

Let me move on from the question of oversight in relation to bulk personal datasets to the issue of “no” or “low” expectations of privacy in relation to such datasets, and how that test will operate in practice. Throughout the passage of the Bill, we have been repeatedly given some very easy examples of so-called “low/no” bulk personal datasets. For example, we have spoken about phone books, academic papers, public and official records, and other data that many people would have access to routinely. It was helpful that, in relation to what is now our amendment 9, the Minister said in Committee that Facebook posts and CCTV pictures would be considered sensitive and would not be caught by these provisions. It is very helpful to have that on the record.

None the less, it would be useful to have greater precision in the Bill. Amendment 8 would take out reference to “low” expectations of privacy altogether, so that only “no” expectations would be covered by the new provisions. To us, “low” is such a difficult question to adjudicate—low expectations in particular. That is especially the case when we are dealing with datasets of potentially huge numbers of very different people with very different reasons for having very different expectations of privacy, particularly in how that would relate to different organisations. We cannot think of a single dataset example provided during the passage of the Bill that would not be adequately covered by “no reasonable expectation of privacy”. If that is the case, if that is really all the Bill will be used for, why not just accept the amendment? It would be useful to have an understanding of what “low” expectation of privacy is designed to cover.

Amendment 15 brings us to internet connection records. In 2016, the Government emphasised the very targeted nature of the ICR powers, but here we are being asked to incrementally expand those powers so that they are slightly less targeted. To us, that means that the independent assessment of proportionality and necessity is pivotal, so we think that it should be subject to advance judicial oversight. Even the explanatory notes accept that there are difficulties in formulating sufficiently targeted queries, noting that

“such queries are highly susceptible to imprecise construction”

and that “additional safeguards” are required.

For us, the required additional safeguard is judicial oversight. We were led to believe that the powers would be used only exceptionally, so it is hard to see how a judicial authorisation requirement would cause any significant problem. The Government argue that there may be times when warrants are needed on an emergency basis, but that could be dealt with by having emergency processes or very limited exceptions—it is not an argument against a general rule of advance judicial oversight.

I turn to the impact on technology companies of the Bill’s various provisions relating to notices—although the right hon. and learned Member for Kenilworth and Southam probably made more sensible and eloquent points than those I am about to make. The written evidence that the Bill Committee received shows that tech companies, academics and human rights and privacy campaigners are still a million miles away from the Government in their understanding of how the provisions will work and of the impact that they will have on products and services. Apple wrote to the Committee that these provisions

“would dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk.”

It is frustrating and disappointing that we did not have the opportunity to explore those differences in detail through witness testimony. The Minister did his best to reassure us, and he made some important arguments about extraterritoriality and conflicts of laws, but given the serious concerns that have been raised, it is worth again asking the Minister to explain why those witnesses are wrong and he is correct. In particular, the Government’s explanation that the new pre-notification requirement in clause 21 is

“not intended as an approval mechanism”

has not dampened concerns. Apple argued in evidence to the Committee that

“Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.”

Other provisions in the Bill around maintaining the status quo during notice review periods work in tandem with these provisions to deliver what Apple and others see as a de facto block on adoption of new technology—that is the risk that they are highlighting, and it is what the Minister must address in his speech. It is why we have tabled amendments to take out some of those provisions. It is also why we have tabled amendment 19: an alternative that would introduce advance judicial oversight and, hopefully, a degree of reassurance that the new notification notice regime under clause 21 will not deliver the unintended effects that many fear.

Finally, I put on the record our support for the amendments tabled by members of the Intelligence and Security Committee, whose work on the Bill has been as helpful as ever—I congratulate them on their one-and-a-half victories so far. As is often the case when it comes to Bills of this type, we also put on record our support for several of the amendments tabled by the right hon. Member for Haltemprice and Howden (Sir David Davis), some of which are similar to amendments that we tabled in Committee, while others are similar to amendments that we supported during the passage of other Bills, including the National Security Act 2023. In particular, new clause 3, which is designed to place an absolute prohibition on the UK sharing intelligence with foreign Governments where there is a real risk of torture or cruel, inhuman or degrading treatment, is long overdue and would close a serious gap in the law. For us, that is self-evidently the right thing to do.

Sir John Hayes

As you will know, Madam Deputy Speaker, and as other Members have made reference to, I was the Minister who took the original Bill, which this Bill amends, through the House—indeed, it became the Investigatory Powers Act 2016.

The purpose of that legislation was both to draw together a number of the capabilities of the agencies necessary for them to keep us safe, and to put in place a series of mechanisms to ensure that there was proper scrutiny and accountability for those powers. We introduced the principle of a double lock, whereby both politicians and judicial commissioners were necessary to authorise some of those very powers. They matter because of the threats we face. Those threats are, as has been said by a number of contributors, metamorphosising. They were bound to do so, and we anticipated that when the original Act was considered in this place.

I accept the argument used by the shadow Minister, the hon. Member for Barnsley Central (Dan Jarvis), that that does not end here tonight. Those threats will continue to change, and it will be necessary to update the legislation to reflect those changes, for our security services and police need two things to do the job that we expect them to do on our behalf: capacity—namely, skills and resources—and capability, which includes legislative powers.

--- Later in debate ---
Stuart C. McDonald

I, too, thank all colleagues who have taken part in the proceedings today, in Committee stage and before, especially members of the ISC whose expertise really does benefit our scrutiny processes. I also thank all the various organisations that have provided written evidence and briefings, both in support of, and in opposition to, the Bill. Finally, may I also thank the Committee staff and the Clerks of the House for helping us through what has in some ways been quite a technical Bill?

The Investigatory Powers Act 2016 set out a detailed framework for use of investigatory powers. The existence of such a legislative framework was welcome, as were some aspects of the framework itself. We worked hard to try to improve that framework, but, ultimately, believed that it fell short of what was required and so we voted against that Bill on Third Reading. We are in much the same place today. We get the motivations for this Bill; they are understood and we are sympathetic with some of what the Bill seeks to achieve. However, we are not convinced that all the powers are shown to have been necessary and proportionate and that there are not other ways to get to where those seeking the new powers need to be.

At the same time, with more extensive powers and more extensive use of those powers, there should come greater oversight. In our view, the Bill heads us in the opposite direction, watering down or failing to put into place necessary advanced judicial oversight. Such oversight, we believe, is of benefit in providing reassurance not only to members of the public concerned with implications for their private lives, but to the very people who need to navigate these powers—members of our security and intelligence services and other public bodies. Instead, they are left to make difficult, almost impossible judgments as to their lawful use, necessity and proportionality. Therefore, we do not take this step lightly, but for those reasons we will be voting against Third Reading tonight.