Skip to main content

Electronic Communications

Volume 584: debated on Tuesday 22 July 2014

I beg to move,

That the draft Data Retention Regulations 2014, which were laid before this House on 21 July, be approved.

The Data Retention and Investigatory Powers Act 2014, which passed into law last week, was a necessary response to a European Court of Justice judgment that called into question the legal basis on which we require communications service providers in the UK to retain communications data. The judgment was handed down in April this year, not August as the explanatory memorandum accompanying the regulations incorrectly states—an administrative error for which I apologise to the House.

Communications data—the who, where, when and how of a communication, but not its content—are crucial for fighting crime, protecting children and combating terrorism. Indeed, Members will have seen the recent reporting on the National Crime Agency’s child abuse investigation, which led to more than 600 arrests and the protection of more than 400 children. The NCA has confirmed that much of the operation would have been impossible without access to communications data. Where an investigation starts with an internet communication, as in online child sexual exploitation cases, for example, communications data will often be the only investigative lead. The loss of such data would have been potentially devastating and would have impacted seriously on the ability of the police, law enforcement agencies and security and intelligence agencies to investigate crime, uncover terrorist links, protect children, solve kidnappings and find vulnerable people in danger. I am therefore extremely grateful for the support shown in both Houses for the passage of the Act. I put on the record my thanks to right hon. and hon. Members—and in particular to the Opposition—for the constructive way in which they engaged in the debates.

However, as was made clear last week, secondary legislation is required to cover the detail of the operation of the data retention regime and to ensure that the appropriate processes and safeguards can be applied to the retention of such data. That approach mirrors the existing position, in which the detailed data retention regime is set out in secondary legislation. That has worked well for a number of years. It is to those regulations that our attention must now turn.

Members will be aware that a provisional draft of the regulations was published before the legislation was introduced. The regulations before the House today are substantially the same as those which have been available for scrutiny and examination. I am grateful to the Joint Committee on Statutory Instruments for considering and reporting on them. I put on record my thanks to the hon. Member for Leeds East (Mr Mudie), the Chairman of that Committee, for arranging an exceptional meeting to consider the regulations.

Before turning to the content of the regulations, let me deal with the discussion that took place during the passage of the Act about the speed at which the legislation was being passed. Without revisiting those debates today, I will briefly explain why we consider it necessary for the regulations to be passed before the summer recess.

To ensure a strong legal basis for continued retention by service providers, we need to get the regulations in place before the House rises. The regulations ensure that the data to be retained are subject to appropriate safeguards, and the communications service providers concerned will welcome the certainty that the regulations bring.

The Act gives the Secretary of State the power to issue a data retention notice to a communications service provider, if he or she considers the retention to be necessary and proportionate. The regulations made under the Data Retention and Investigatory Powers Act 2014 revoke and replace the 2009 data retention regulations. In large part the regulations replicate the obligations placed on providers under the 2009 regulations. In particular, they set out the types of data that can be retained. As was made clear during the debates on the Act, the list goes no further than the existing regulations. Crucially, the regulations set out the nature of the controls that must be placed on the data, both to ensure that they are adequately protected while they are being retained and to ensure that they are appropriately deleted at the end of that period.

The regulations also ensure that service providers are not penalised financially as a result of complying with a notice or the regulations. That is in line with previous practice and is a fair way of ensuring that the data are retained effectively and that there is no distortion of the communications market, given that obligations may be placed selectively. The regulations contain transitional provisions for the continued effectiveness of a notice under the 2009 regulations, until a new notice is given under the new regulations. We will work closely with providers in the coming months as they make the transition to the new regime.

As I highlighted to the House, the regulations contain additional safeguards. They differ from the 2009 regulations only in the context of those additional safeguards. They provide for data to be retained for a maximum of 12 months and allow the notice to specify that different types of data may be retained for shorter periods, where appropriate. If it is not proportionate to retain certain data for a full 12 months, a lower period can be chosen. The 2009 regulations provided for a blanket 12 months, although the directive on which they were based allowed for periods between six and 24 months.

The regulations also provide for a number of issues which must be considered before a retention notice is issued. I wish to assure the House that my right hon. Friend the Home Secretary and I take our responsibilities seriously, scrutinising in detail any case for imposing a data retention notice to ensure that it is necessary and proportionate. It is with equal care and attention that we will approach our obligation to keep such notices under review.

The Home Office has always worked closely with communications service providers prior to serving a data retention notice, and the regulations enshrine this existing best practice in law by requiring the Secretary of State to take reasonable steps to consult the provider affected. As I have previously explained, the regulations will ensure that the data are subject to appropriate safeguards and controls. Those who followed the scrutiny of the draft Communications Data Bill, including some Members in the House this afternoon, will be aware that there was some uncertainty as to the extent to which the Information Commissioner would oversee the integrity and deletion of retained data, as well as their security. The regulations therefore clarify that the Information Commissioner will oversee all elements of the protection and security of the data. We have discussed this with the commissioner and will provide him with the necessary additional resources to carry out this vital role.

Finally, the regulations amend the Regulation of Investigatory Powers Act 2000 to enable the creation of a data retention code of practice. That will allow us to provide further guidance to communications service providers on how to implement their obligations under a mandatory data retention notice and the regulations.

The House may wonder why certain other changes that we agreed to make are not given effect in the regulations. Separately, we will also update the data acquisition code of practice under RIPA to make it clearer that the officer authorising access to the data should be independent of the operation, and to ensure that consideration is given to the level of intrusion where there may be concerns relating to professions that handle privileged information. I know that that has been of concern to hon. Members on both sides of the House.

The House will have the opportunity in due course to review and comment on both draft codes of practice. In addition, we have announced that a number of public authorities will lose their access to communications data under RIPA and we will bring forward secondary legislation in the autumn in this regard. Hon. Members who followed the discussions about the draft Communications Data Bill will be aware that communications service providers are also able to retain communications data on a voluntary basis under a code of practice made under the Anti-terrorism, Crime and Security Act 2001. The regulations apply the same security safeguards and access restrictions to data retained under that code.

As right hon. and hon. Members know, the Data Retention and Investigatory Powers Act will be repealed on 31 December 2016. Any notices made under the Act and the regulations will similarly fall away. The Government have begun the process of a wider review of investigatory powers and it is right that there should be a full and proper debate on the threats, capabilities and, of course, safeguards that govern the use of such powers. I am sure the House will agree that that should include a wider public debate on the issues.

I am sure the Minister will agree that for that public debate and a review to take place, we need good statistics and information. One of the few things that seems to be missing from the previous regulations and the new ones is a section about statistics. Will he confirm that there will be the same or stronger requirements on public communications providers to keep good statistics on such data and how they are used? How will those will be provided to the Government, who will then publish them?

I am grateful to my hon. Friend for highlighting this aspect. As he knows, in the debates last week we underlined the need for greater transparency and reporting of information about the use of the powers under the Act. I can assure him that we will take that forward. He will be aware, too, of the requirement on the interception of communications commissioner to report on a six-monthly basis—I know that was of concern—to assure the House and the public about the use of the powers under the new Act. Therefore, I expect that providers of information and communications service providers retaining that information would provide data to facilitate transparency and to ensure that the public are informed about the use of the powers under the Act.

As has been made absolutely clear over the past week, this legislation merely preserves the status quo. The Act passed last week and the regulations before the House today do not extend or create any new powers or obligations on communications companies that go beyond those that already exist; they simply ensure that the communications data that have been retained by the communications service providers will continue to be available to ensure that the police, the law enforcement agencies and the security and intelligence agencies have the capabilities they need to protect the public and keep us safe. I commend the regulations to the House.

I very much support the process that the Government have brought forward today. The Opposition will support the regulations before the House this afternoon. As the Minister has said, they are made under the Data Retention and Investigatory Powers Act 2014, which we debated last Tuesday, although it seems a long time ago. It was certainly an interesting debate.

The Minister has outlined clearly why the regulations are needed. Last week we supported him in taking the Act through the House, because we recognise, as he does, that retaining records and data is vital in fighting crime, whether tackling serious organised crime, dealing with child abuse or helping to prevent terrorism. We also welcome the safeguards we discussed last week in relation to access to those data. As he explained, the regulations put in place broadly what is already in place, and they therefore have our support.

In offering our support, I wish to raise two issues that the Minister might like to respond to in any winding-up speech he cares to make. First, there was limited consultation on the regulations. As outlined in the explanatory memorandum, the 2009 regulations had a 12-week public consultation. Due to the pressing nature of the legislation we passed last week, the regulations before us had nothing that could be called a full consultation. Therefore, can the Minister confirm that the six-monthly review by the Information Commissioner of how the legislation is working will include the regulations so that providers and other individuals have an opportunity to put on the record any concerns they have about their operation and so that those concerns can be examined?

The interception of communications commissioner is required to make a six-monthly review, and my expectation is that that would certainly cover the use of those powers. We need to consider the interrelationship with the Information Commissioner, because it is a separate regulator that looks at the retention of those data. Obviously, we will consider any interrelationship and any discussions that might need to take place between the two regulators to give an assurance to the public about the use of those data.

I am grateful to the Minister for that response. My main point is that the legislation’s sunset clause means that it will cease to have effect in December 2016. The regulations are being made by the House today, but I want to ensure that they are examined on a regular basis, given that there was no proper consultation because the Act had to be rushed through last week.

Secondly—I raised this matter privately with the Minister’s office earlier today—the initial regulations specified 8 August 2014 as the date on which the European Court of Justice declared the data retention direction 2006/24/EC invalid. The date was in fact 8 April. I just want to be clear that the Minister has relayed that matter to the Joint Committee on Statutory Instruments so that there is no doubt about what we are discussing today and the way it has been framed.

I am grateful to the right hon. Gentleman for contacting my office earlier today to highlight that point, to which he will have heard me make specific reference in my opening remarks. A further draft of the explanatory memorandum is certainly in the process of being relayed, if that has not already been done, as he rightly indicated. We are clear that that has no bearing on this afternoon’s debate.

I just thought that it was worth placing that on the record, as I would not wish there to be any confusion, given the nature of the debate we are having today.

I am happy to support the regulations, given the potential for review and the safeguards we have put in place with regard to the Act. I look forward to formal reviews, as secured by the legislation. Given the assurances the Minister has given today, he will have our support for the regulations.

I will speak to the regulations only briefly. I think that there are a couple of points worth making. It is interesting to compare the debate we are having now with the one in 2009. Back then, no time at all was given to discuss the regulations, which were moved without debate by the hon. Member for Kingston upon Hull North (Diana Johnson). Some Members who have expressed concern about these regulations voted in favour of the previous ones, even though they covered rather more. There was a debate in a Committee that lasted for 62 minutes, and it is very interesting to see how roles have changed. The hon. Member for Gedling (Vernon Coaker), who was then the Minister, said that they did not go far enough and that we needed to collect much more information from communications providers—he mentioned Facebook, but we can date the debate by his references to Bebo and Myspace as the other key providers. He was essentially calling for the Communications Data Bill—the snooper’s charter—that part of the Government, or at least the Home Secretary, wanted to see.

In 2009 there was also a very nice speech from the hon. Gentleman who is currently the Minister. He took a very strong stance that RIPA should be used only to combat serious crime and for the protection of national security. I do not know whether he has told the Home Secretary that that is the Conservative position, because it seems to have changed somewhat—we have moved on very slightly. We also heard my right hon. Friend the Member for Carshalton and Wallington (Tom Brake) saying, “Yes, communications data are important, but we need some more safeguards.” In fact, the safeguards he itemised have largely been delivered in these new regulations, so I am glad that we have made progress.

There is concern, as expressed in the debate we had last week and by the public, about the idea that more information could be collected. For example, there is a concern that this could open the door to the collection of web logs and many other elements. It is worth having a look at the schedule to these regulations, which lists all the things that can be collected, and comparing it with the previous regulations. They are exactly the same—not a single word in the current regulations was not in the regulations introduced five years ago. On that basis, it is fairly clear that there are no new powers and that no new information—web logs, for example—can be collected.

However, there have been a number of other changes. The Minister highlighted the fact that we have taken the opportunity to move from saying that all data must be collected for 12 months to saying that it must be collected for up to 12 months. I very much welcome that, because I think that there are a lot of data that can be of great use the next day, the next week or perhaps the next month, but which are not needed for the full 12 months. We also have—I do not think that the Minister referred to this—a higher standard of data integrity and security required. The wording has been changed from requiring data to be stored in a way that is as good as it had been stored to requiring the best that is available, so the requirement for data integrity and security is actually tighter. Of course, the Secretary of State is required to keep that under review.

The one thing that there is not enough of—this is why I am pressing the Minister—is the idea of transparency. I want him to ensure throughout that as much information as possible is available. He and I have discussed how long the data can be kept for and how much of it is used in the 11th month available and so forth. That information must be available for all usages throughout the year so that we can make the right decisions. Wherever we draw the line, there will be some information on the other side of it. We want to make an informed and rational decision. I hope that he will ensure that all the notices make sure that those data are collected, as the interception of communications commissioner has also called for.

These regulations represent a step forward from the previous regulations. They collect no new information, but they tighten it very slightly. I hope that the House will pass them so that we can continue to collect the data that protect our security, with that slight extra tweak on civil liberties.

I would like to vote against these regulations but will not, because I do not wish to eat into the time for the summer recess debate, which I also want to participate in—there is self-interest in that as well. I just want to raise again the issue of professional secrecy. The Minister said in his introduction that that would be dealt with. In last week’s debate, it was to be dealt with in codes of practice and guidance, but now it will be built into the decision-making process. The concerns raised relate to the legal profession and to journalism. I would welcome the opportunity, as secretary of the all-party group on the National Union of Journalists, to meet the relevant officials to talk through how the protections will be implemented and what advice they might be able to give to ensure that there is no incursion on the rights of journalists to report accurately and truthfully.

I see that, in paragraph 6.1 of the explanatory memorandum, the Minister has signed off the usual caveat:

“In my view the provisions of the Data Retention Regulations 2014 are compatible with the Convention rights.”

Bearing in mind that a similar statement was struck down last time in relation to the directive, will he take the exceptional step of publishing the legal opinion on which he based his judgment? I have a sneaking suspicion that this one might be challenged as well.

I am grateful for the support for the regulations offered by my hon. Friend the Member for Cambridge (Dr Huppert) and the right hon. Member for Delyn (Mr Hanson). I understand the concerns that the hon. Member for Hayes and Harlington (John McDonnell) flagged up last week during our debates on the Act. He has highlighted issues relating to different categories of what I might describe as either protected or special groups of individuals in relation to the powers under RIPA. It would be the intent to obtain data from a communications data provider that would principally be at issue in such a context, and that would appear to fit within the code of practice relating to acquisition and disclosure. We therefore intend to bring forward amendments to that code as part of the arrangements. However, I recognise that the hon. Gentleman has flagged up those issues, and I will perhaps write to him—

Equally, I will see whether it is possible to facilitate a meeting with my officials so that they can hear more directly any concerns that might be raised.

I can tell the right hon. Member for Delyn that the interception of communications commissioner will look at the operation of the new legislation, which includes the regulations made under it, as part of his six-monthly review. I hope that that clarifies that point and gives him further assurance.

I also want to make it clear that I stand by the statement in the explanatory memorandum about compliance with the European convention on human rights. That is the purpose behind the Act and the regulations, reflecting the judgment. That is why we have made these changes to secure the legal base—

The hon. Gentleman asks about the legal advice. He will know that it is not the practice of the Government to share or publish our legal advice, but I stand by the statement that has been made. I welcome the support of the House this afternoon, and the regulations will come into effect.

Question put and agreed to.


That the draft Data Retention Regulations 2014, which were laid before this House on 21 July, be approved.