Investigatory Powers (Amendment) Bill [ Lords ] (First sitting) Debate
Full Debate: Read Full DebateDepartment: Home Office
Stuart C McDonald
Main Page: Stuart C McDonald (Scottish National Party - Cumbernauld, Kilsyth and Kirkintilloch East)Department Debates - View all Stuart C McDonald's debates with the Home Office
Investigatory Powers (Amendment) Bill [ Lords ] (First sitting)
Stuart C McDonald ExcerptsThursday 7th March 2024
(1 month, 3 weeks ago)
Public Bill CommitteesRead Full debate Investigatory Powers (Amendment) Act 2024 View all Investigatory Powers (Amendment) Act 2024 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 7 March 2024 - (7 Mar 2024)
Dan Jarvis (Barnsley Central) (Lab)
It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.
At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.
Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)
It is good to see you in the Chair, Mrs Cummins.
I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.
I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.
The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.
When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.
Mr Kevan Jones (North Durham) (Lab)
It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.
My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.
Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.
Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.
Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.
Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.
Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.
We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.
Dan Jarvis
May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.
We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.
I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?
The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.
Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.
Stuart C. McDonald
Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.
Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend the Member for Edinburgh South West (Joanna Cherry), which has been shared with us all:
“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”
That is the question that we are getting at here.
The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it difficult to grasp the concept or even understand how the test to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.
Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.
Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.
Dan Jarvis
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Stuart C. McDonald
I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.
This amendment is consequential on Amendment 23.
The Chair
With this it will be convenient to discuss the following:
Amendment 23, in clause 2, page 5, leave out lines 1 to 14.
This amendment would remove proposed new section 226BA, thereby removing the ability to grant “category authorisations”.
Amendment 24, in clause 2, page 5, line 17, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 25, in clause 2, page 5, leave out lines 23 to 25.
This amendment is consequential on Amendment 23.
Amendment 26, in clause 2, page 5, line 34, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 27, in clause 2, page 5, line 39, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 28, in clause 2, page 7, line 3, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 29, in clause 2, page 7, line 27, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 30, in clause 2, page 8, leave out lines 6 to 15.
This amendment is consequential on Amendment 23.
Amendment 31, in clause 2, page 8, leave out lines 19 to 23.
This amendment is consequential on Amendment 23.
Amendment 32, in clause 2, page 8, line 37, leave out “or a category authorisation”.
This amendment is consequential on Amendment 23.
Amendment 33, in clause 2, page 8, line 41, leave out from “authorisation” to “they” on page 9, line 1.
This amendment is consequential on Amendment 23.
Amendment 34, in clause 2, page 9, leave out lines 14 to 16.
This amendment is consequential on Amendment 23.
Amendment 35, in clause 2, page 9, leave out from the beginning of line 38 to the end of line 13 on page 10.
This amendment is consequential on Amendment 23.
Amendment 36, in clause 2, page 11, leave out lines 17 to 29.
This amendment is consequential on Amendment 23.
Amendment 37, in clause 2, page 11, leave out lines 32 and 33.
This amendment is consequential on Amendment 23.
Stuart C. McDonald
First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.
Tom Tugendhat
Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.
Stuart C. McDonald
I am grateful for that. Could the Minister perhaps follow up on that in writing? That is useful to have on the record.
This discussion is mainly about amendment 23; the other amendments are all consequential. Basically, the amendments would remove the concept of category authorisations from the Bill. Again, I take the same approach as the shadow Minister; I will not be pushing any of these amendments to a vote, but they are designed to probe and allow for debate on some of the important concepts in the Bill.
It is this clause, and the notion of category authorisations, that leads to the restricted judicial oversight of the “low or no” categories that are being retained. It would be useful for the Minister to give us an example here of what a category authorisation might look like. I am not on the ISC, so it is hard for me to understand exactly how broadly they might be drafted. I absolutely appreciate that there are operational reasons why the Government might have to be careful about the examples they give. However, to provide some reassurance, I am sure it would be possible to put on record what one of these authorisations might look like, just so we know how broadly they will be drafted, or indeed how focused they will be.
The Minister spoke a little about oversight at the end of his previous contribution, but it is the oversight of category authorisations that causes me some concern. The tests for a category authorisation set out in proposed new section 226BA of the Investigatory Powers Act 2016 are simply that it must be classed as “low or no” and that the decision has been approved by a judicial commissioner. There are none of the other tests that are set out for the individual authorisation, such as it being necessary for the
“exercise of any function of the intelligence service,”
that it
“is proportionate to what is sought to be achieved,”
or that there are various arrangements in place.
It seems to me that the degree of oversight at the stage of granting a category authorisation is far more restricted. That has a knock-on consequence: when the judicial commissioner comes to review the granting of a category authorisation, they are only then considering whether it applies to a “low or no” group of datasets. The judicial commissioner, even on the low-level judicial review criteria, does not look at whether the category authorisation will be necessary or proportionate, or any of the other tests for the other authorisation.
Sir John Hayes
I do not want to do the Minister’s job for him, because I am sure he will say this anyway, but when an application is made by an agency for the acquisition and retention of bulk personal datasets, a specific case needs to be made in the warrant application, and a particular case has to be made where that application applies to exceptional material. That case is considered through the double-lock mechanism by both the judicial commissioner and the Minister. That case needs to specify the reason that it is necessary for operational purposes.
Stuart C. McDonald
It is useful to have that explanation. I understand that is the existing process, as the 2016 Act applies just now. However, my simple question concerns the fact that that does not seem to be what is set out here.
Tom Tugendhat
I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.
Stuart C. McDonald
That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.
That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.
My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?
Tom Tugendhat
I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.
The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.
A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.
That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.
Stuart C. McDonald
I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.
Tom Tugendhat
May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.
Stuart C. McDonald
Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.
I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Dan Jarvis
I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—
“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”
This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.
The Chair
I remind members of the public to please turn their electronic devices to silent as well.
Stuart C. McDonald
I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.
Tom Tugendhat
If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.
On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend the Member for New Forest East (Sir Julian Lewis), and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.
Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.
Stuart C. McDonald
I fully understand the questions that have been proposed by the shadow Minister, and it will be interesting to hear the answers that he gets.
On clause 5, it makes sense to ensure that access to third-party bulk personal datasets is subject to the general Investigative Powers Act scheme and oversight regime, including the double lock. Of course, we had extensive debates back in 2016 on whether that double lock was strong enough. My party argued that the judicial review standard was not tough enough and that we should be asking judicial commissioners to look at the positions again on their merits. But we lost that battle, and we are where we are.
Some of these datasets will include hugely personal information on internet searches and shopping history. These profiles can build up a pretty intrusive picture of how we go about our lives, and sometimes not very accurately. We are also talking expressly about personal datasets, which could include health data. That is on the face of the Bill. Does the Minister envisage that such access will be used only to make inquiries on subjects of particular interest, or will it be used for broader trawls of information?
As set out in the letter from the Chair of the Joint Committee on Human Rights, there is also concern about how this provision will apply to datasets that have been obtained unlawfully. Should there be additional safeguards on the use of illegally obtained data? What is the Government’s thinking on that?