Skip to main content

Data Retention (EC Directive) Regulations 2009

Volume 709: debated on Tuesday 24 March 2009

Motion to Approve

Moved By

That the draft regulations laid before the House on 11 February be approved.

Relevant Document: 7th report from the Joint Committee on Statutory Instruments.

My Lords, these regulations are made under Section 2(2) of the European Communities Act 1972. They will complete the transposition of the European data retention directive or, to give it its full name, the directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending directive 2002/58/EC. I hope noble Lords will allow me to refer to it simply as “the directive”.

The European directive was formally adopted on 15 March 2006, three years ago, and related to fixed-line, mobile and internet communications. It requires the retention of data about the communication, covering details such as who contacted whom and where and when the communication took place. It does not relate to the content of a communication, nor to what was said or written.

The directive was adopted after discussions at a European level involving the communications industry, law enforcement and member states. The need for this measure was demonstrated by the shared experiences across many jurisdictions detailing how important communications data have been to law enforcement.

Let me outline some examples of where these data have played an important part. In the Soham murders, they placed Ian Huntley at the scene of his most grievous crime; in the desecration of Gladys Hammond's grave by animal rights extremists in 2004, communications data helped lead detectives to make those important arrests; and Levi Bellfield, who was found guilty of the murder of two women in south-west London, was caught thanks in part to historic communications data.

I could continue with example after example. In the United Kingdom, communications data form an important part of prosecution evidence in 95 per cent of serious crime cases. The directive rightly refers to the experiences already gained in this country and elsewhere in Europe in exploiting communications. The police, security and intelligence agencies in the UK have been utilising communications data for some time. It is unfortunate that they have had to do so, but the role of communications data in the reducing crime is undeniable. On this point I have the agreement of the important human rights campaigners of Liberty, who agree that communications data records can prove a valuable crime detection and prevention tool.

The benefits that law enforcement derives from retained communications data are clear. The directive as implemented in the UK has already saved many innocent lives—that is not an exaggeration. The regulations relating to telephony have regularly been used to place murderers at the scenes of their crimes, to prevent murders and kidnaps taking place and to identify serious sexual offenders who may not have been caught, and who would certainly not otherwise have been caught as quickly. Internet-related communications data are just as vital. Other member states offered similar examples of how they used communications data to deal with national security and crime problems. Communications data provide one part of the solution, one important tool that law enforcement has relied upon to help protect us. This is why the directive on retaining data was passed across Europe.

Many of our European partners are ahead of us in transposing this directive. France, Germany, Italy and Denmark are just four of the 17 member states that have transposed this directive so far. This directive represents a positive step forward—European member states taking the lead on these important matters. Other countries outside Europe are looking at this directive and are seeking to implement similar legislation.

The directive reflects the international nature of crime, particularly organised crime. It is all too common for crime perpetrated in one country to have been commissioned in another. This directive aims to assist law enforcement by ensuring that wherever in Europe national or cross-border crimes are commissioned, communications data are retained to enable law enforcement to help prevent and detect crime and increase public safety.

Already, as a result of this directive, the communications industry is making changes. The European Telecommunications Standards Institute has produced a technical specification to help the communications industry in its dealings with law enforcement. This European standard has already reduced the cost and complexity of implementing the directive. I commend to the House this excellent example of co-operation.

I now draw attention to the confusion that occurred in the debate in the other place. The published impact assessment that accompanies these regulations states that it is not the Government’s intention to change how communications data are accessed. This is indeed the case, because we believe that the framework in which communications data are accessed is appropriate. The framework is set out in RIPA. However, separate from these regulations, as the Home Secretary announced in December, we are shortly going to hold a consultation exercise on the public authorities able to access communications data under RIPA. The consultation will list the public authorities and set out the rank at which they can authorise the acquisition of communications data and the statutory purposes for which they can use communications data. In due course, this consultation will result in a statutory instrument subject to the affirmative resolution procedure. There will therefore be an opportunity to revise the list of public authorities able to access communications data which is currently contained in the Regulation of Investigatory Powers (Communications Data) Order 2003 and other places.

However, let us be clear, as I am afraid that the other place got very confused about this. The subject of today’s debate is retention of communications data and not access to it. There will be other good opportunities to debate access to communications data under RIPA, both in the affirmative resolution referred to previously and in the ongoing IMP work. So, before turning to the regulations themselves, I pause briefly to mention the interception modernisation programme. There has been a good deal of interest in this programme from those within this House. I know; I have given many briefings to noble Lords and I stand ready to give more if asked for. In addition, I have bent over backwards to ensure that the Opposition get briefings from Ministers and officials. There has been a great deal of media speculation about the Government’s plans. There will shortly be a full consultation exercise on options relating to maintaining our communications data capability in the longer term as methods of transferring data change. But that is not today’s issue. For now, we are considering a very specific set of proposals relating to retention, contained in the draft regulations before the House.

The directive and the regulations apply only to communications data. As I have said, this is best described as the who, where and when of communications. It may include, for example, the time at which a communication is made or the location of a piece of mobile communications equipment. To explain this in old-fashioned terms, it is effectively the information on the outside of an envelope, which includes the name, address and postmark. It is not the content. The specific data covered by the directive is information that is generated or processed by communications providers for their own business purposes, such as billing, network management and prevention of fraud. Neither the directive nor the regulations apply to any of the contents of a communication. The key effect of the directive and these regulations is to make the retention of communications data by communications service providers mandatory. Note, however, that it does not apply to social networking sites.

Before turning to the details of the regulations, it may assist noble Lords if I explain a little about the history of data retention in the UK in the past few years. The voluntary basis for retaining communications data started in 2003 with the introduction of the voluntary code. This was replaced when the first part of the data retention directive made traditional fixed-line and mobile telephony retention mandatory in October 2007. We have worked with those fixed-line and mobile companies and they have a good understanding of their responsibilities and perform them well. The Government remain grateful for the industry’s continued co-operation.

That was when the first part of the transposition of the directive, relating to traditional telephony, was completed. Since then, law enforcement agencies have been working closely with industry to develop expertise in using internet-related data and to understand which types of internet-related data should be retained by which service providers to provide most help to the law enforcement and intelligence agencies. A great deal of work has also been done on how internet-related data should be stored in order to ensure that they can be accessed efficiently when necessary. We are now in a position to complete the transposition of the directive and make the retention of data relating to internet communications mandatory. Those business data contain information about the subscriber to the services, details of the bills the subscriber receives and information about how those services are used—in other words, traffic data.

In line with the requirements of the directive and with comments made by communications service providers during our consultation exercise, we are determined to minimise any possible duplication of data retention. To do this, we have decided to introduce a notice system so that service providers can be absolutely confident about what they are required to do under the regulations. The Government will issue notices to those providers required to retain data. They will also explain precisely which data sets they would like the service providers to retain. The Government will use the notice system to minimise the burdens imposed upon industry while ensuring that relevant communications data are retained.

The consultation exercise highlighted the complexity of this area. We have therefore undertaken to establish an implementation group which will oversee the implementation of the directive and regulations. It will include experts drawn from industry and from the law enforcement and intelligence agencies. It will provide guidance to communications service providers so that they understand precisely what is required of them. We will also continue to ensure that service providers are not penalised financially as a result of complying with the regulations. This is compatible with previous practice and is a fair way of ensuring both that data are retained effectively and that there is no distortion of the communications market. In light of the approach that I have outlined, I hope that noble Lords will agree that the regulations will provide a suitable basis for the transposition of the directive.

Before I conclude, I remind your Lordships of the importance of communications data. I suggested at the beginning of this speech that the co-operation of industry in respect of communications data has saved lives. This is correct. This final transposition of the directive, as agreed across Europe, will ensure that communications data from all major types of communications, most of which are already held by the communication service providers from billing, are retained consistently and made available efficiently if required. The laws and safeguards covering access to that material are the subject of another, maybe more than one, debate. For these reasons, I commend the draft regulations to the House.

Amendment to the Motion

Moved by

At end insert “but notes with regret the intrusions into privacy that would result from their implementation, in that the regulations substantially extend the range of communications data that must be collected to include information on personal e-mails and internet activity, and that the regulations allow hundreds of different public bodies access to information on personal e-mails and internet activity; and therefore calls upon the Government to withdraw the regulations, and to introduce primary legislation on the retention of communications data that will enable detailed parliamentary scrutiny of such proposals”

My Lords, I thank the Minister for introducing this statutory instrument. He outlined how it implements a requirement under EU law for service providers to collect and retain communications data relating to our internet access, e-mail and telephony. He also made the argument for the importance of these data in tackling the threats we face from terrorism and organised crime. I say straightaway that these Benches understand the need for communications data to be made available to the police, the security services and certain other agencies in the fight against serious crime and to protect our national security. There is nothing between us on this issue. Indeed, it is not that matter but other issues that lie between us. Despite what he has just said about the intention to amend RIPA, that remains a problem. We are not able to support an instrument where there is such uncertainty over what it will do, how it will work in practice and how it relates to the evolving set of policies and technical solutions under the interception modernisation programme. I shall explain why I have these reservations. It is for these reasons that we are calling on the Government to withdraw the instrument and bring forward primary legislation on communications data.

I want to look at three matters, each of which has significance. First, on the specifics of the statutory instrument before us, the instrument could very well be extended to cover a much wider range of communications than those outlined by the Minister. While it is claimed that the content of the internet communications will not be retained—the Minister underlined this—the truth is that it is very difficult with internet communications to separate the content from the who, what, where, when and how; that is to say, the transmission of data. Secondly, on the instrument’s relationship with RIPA, as it stands that Act has abusively wide scope which will certainly extend the use of communications data of this kind to many other different bodies for many reasons, some of them very trivial. Thirdly, setting all this in the context of the interception modernisation programme that the Minister mentioned, it is not at all clear to this side of the House how this regulation fits into this programme. We fear that we are moving on auto pilot to a stage where there is no longer a meaningful distinction between content and communications data, and one which may well involve a huge centralisation of data by the Government. Let me look at these specifics.

Reading the statutory instrument makes me very uneasy. The definitions that it uses are very broad, perhaps deliberately so. We are told that the service providers will retain only the data they “own”; in other words, data which they generate in the process of supplying their services to a customer, and not data generated by third parties or instant messaging. But “communications data” are defined as data generated and processed by service providers. And “internet e-mail” is defined as,

“any text, voice, sound or image message”.

Therefore, the problem does not end with the Minister telling us that social networking is to be excluded. Other categories of instant messaging would not necessarily be excluded in that way. These categories and definitions are very broad and they make me very uneasy.

It is not inconceivable that this definition of “internet e-mail” could cover third parties. Is it also not the case that service providers could be required to retain data relating to this third-party layer because they would process their communications? There is a real difficulty about what we are to understand by “process” and how far it really extends. We are very uneasy that that word could be interpreted as meaning a range of internet communications much wider than those discussed by the Minister. Will he clarify that?

We are also told that the guidance will specify what these definitions mean in practice. But this guidance will be written only after the regulations come into force. This is pretty strange. Does the Minister think this is good practice because it puts the horse before the cart and your Lordships' House is not in a position to be sure what it is being asked to agree to. Quite apart from the broad scope of the instrument, there are other practical and technical questions that need to be answered. Will service providers have to record every attempt to access an e-mail server, even if no e-mail is sent or received, and will they have to retain data in respect of spam e-mail? Some estimates say that 90 to 95 per cent of all e-mail traffic transmitted is spam. If so, what are the cost implications? If it is not to be included, how are ISPs to distinguish between proper e-mails and spam? Most importantly, it is claimed that the content of internet communications will not be collected. I come back to the point that the Minister made.

Regulation 4(5) states:

“No data revealing the content of a communication is to be retained in pursuance of these Regulations”.

But—and here is the problem—collecting “communications data” for phone calls is relatively straightforward. Technically, the details on who called whom, when and for how long are completely distinct from the content of that call. But for internet communications there is only one data stream, and this data stream includes both the fact of the communication and its content. How do you separate the two? Where do you draw the line? Can the Minister please clarify the Government's understanding of this? Take an e-mail as an example. The body of an e-mail is obviously content, but what about the subject? The subject is included in the e-mail header, which says when the e-mail was sent, to whom it was sent and who received it. Is this subject classed as communications data because it clearly gives content?

The Explanatory Memorandum says that an implementation group will be set up to examine practical issues of this kind. That is a very good thing, but what is the composition of the implementation group, when will it report, and when will its work be published? Again we feel that this is putting the cart before the horse. We need to have this report before we are asked to agree to this legislation.

We must know how these regulations are going to work in practice. The regulations themselves are, of course, only one half of the issue. Their significance is heightened when you examine who will potentially have access to the information proposed to be retained. The Minister mentioned the promise by the Home Secretary made relatively recently to review RIPA. Under the Act the number of people and bodies who have access to sensitive information is very extensive. It is not just the security and intelligence services and the police but all 474 local councils in England, every NHS trust and fire service, 139 prisons, the Environment Agency and even Royal Mail, and those are only some. In the view of these Benches, it will require an extraordinary narrowing of the number of bodies entitled to have access under RIPA for it to be a fit instrument for an authorisation process for access to information and data communications of this degree of sensitivity. We would wish to see the narrowing of the authorisation process before we were happy to agree that that could be the Act that enabled that authorisation to take place. We would like to see the amendment of RIPA taking place before we get to the processing of any Bill relating to data communications.

There is no guidance on how these regulations relate to the interception modernisation programme. I have already outlined how broad the definitions in this instrument are, that they could potentially cover third parties—that is a very important point—and how the distinction between communications data and content is difficult, if not impossible, to make in the internet protocols such as e-mail, web browsing and instant messaging. Is it the intention, in fact, to move to a stage where we will not be able to separate the two? Does this mean in practice that everything will be collected and held in a centralised database? Does this indeed open the door for data mining and deep packet inspection?

It is hard to avoid the suspicion that this instrument could very well establish a legal construct around which the IMP could be allowed to proceed without further primary legislation. It is telling that in another recent speech the Home Secretary said:

“The changes we need to make may require legislation. The safeguards we will want to put in place certainly will. And we may need legislation to test what a solution will look like”.

We on these Benches are not clear whether further primary legislation is intended by the Government and regarded as needed by the Government to achieve the aims of the interception modernisation programme. Therefore, we are not clear whether this provision would enable the extension of the collection of data for the purposes outlined to take place without any further legislation. Which are we facing? Are we faced by this provision, or are we going to be able to have primary legislation in due course? If so, it seems a good idea to put the whole of this into the primary legislation.

At the time of the Queen’s Speech, the Government said that they were going to bring forward primary legislation and at the same time the incorporation of the statutory instrument. Indeed, the Joint Committee on Human Rights has recommended that the Government’s powers should be set out in primary legislation. Now, we are asked instead to adopt the SI by itself, without knowing or understanding the relationship that this may have to primary legislation, whether there will be any primary legislation, and how much RIPA—the authorising access legislation—will be narrowed.

This is a very unsatisfactory state of affairs. I beg the Government to withdraw the regulations, which are not necessary, and to introduce at the earliest opportunity primary legislation on communications data, from which we will have clarity about what constitutes data and what constitutes content. The Government cannot expect us to support an instrument where there is such uncertainty over what it will do and how it will work in practice. The Government promised—I am sure it was a promise that was seriously meant—a well informed debate, characterised by openness, reason and reasonableness. The Home Secretary wants us to achieve consensus, and we would like to be able to join that. I hope that the Government will withdraw the regulations today and enable us to have a proper debate on primary legislation.

My Lords, I rise to support my noble friend’s amendment. In so doing, I declare my various interests in this field, as an unpaid adviser to the Enterprise Privacy Group, Privacy International and 80/20 Thinking.

I do not have all that much to add to my noble friend’s excellent and devastating critique, but I should like to reinforce one or two of the issues to which she referred and probe the Minister on a few more.

First, it is a source of regret to me that the Government’s justifications for their data retention policy—and, it has to be said, various other IT fields—seem to be riddled with intellectual and technological vacuity. I am sure that none of us disputes that traffic and communications data and their retention can be of immense help in the fight against terrorism and crime, as the Minister intimated in his introduction. Indeed, I and my party have been utterly consistent in stating that case; albeit I would add the mild caveat that it is all too easy to overstate their potential utility. As the Explanatory Memorandum says:

“Lawful access to communications data allows investigators to identify suspects and their ‘hidden’ means of communication, trace their criminal contacts, establish hierarchical relationships between conspirators, place them in specific locations at specific times, identify their banks and those engaged in laundering their criminal finances and assets both in the UK and abroad, and can confirm or disprove suspects’ alibis”.

In sum, a regime of data retention allows our law enforcement agencies and intelligence services to generate detailed whole-of-life profiles on individuals who may be engaged in terrorist or criminal activity. Indeed, as the Government have frequently and correctly argued, it is this aspect of data retention that gives it its critical significance as part of their investigative and preventive armoury. I have no difficulty with this whatever. However, if we apply this to a mandatory whole-of-population scheme, the corollary to this must be equally true; namely, that detailed whole-of-life profiles of every single citizen in a member state are made available to their respective Governments. In effect, the oft-repeated mantra that lies at the heart of the Government’s insistence that these proposals are proportionate and compliant with the ECHR—namely, that definitions of communications data,

“do not include the contents of communications”,—

is little more than a fig leaf. The stark reality is that, on the Government’s own admission, the communications data on their own are more than adequate to define the individual and the minutiae of his or her life. To all intents and purposes, the content of communications can, in a vast majority of cases, be inferred by resort to analysis.

In this context, it is worth noting a significant ruling earlier this month by the Administrative Court of Wiesbaden. Its opinion states that,

“data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance ... The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid”.

I accept that this probably does not have immediate relevance per se to our proceedings today. Nevertheless, and given that the German Working Group on Data Retention is awaiting a ruling from the European Court of Justice in respect of its suit against the German version of this directive, I wonder how sanguine the Government, and indeed the European Commission, are that these proposals are properly ECHR-compliant. After all, there is a very real possibility that the judgment, as and when it is made, will be consistent with that made in respect of the UK’s DNA database in December of last year.

My noble friend has referred to the wooliness and imprecision of the drafting, particularly in the context of properly articulating what classes of communications data are to be retained. For example, in Part 3 of the schedule dealing with,

“Internet Access, Internet E-Mail or Internet Telephony”,

there is no indication of which internet protocols and/or data fields may or may not have to be specifically logged by service providers. This is a crucially important point because, without clarity in this area, communications service providers will not have certainty as to the parameters of their retention obligation. This in turn will give rise to a number of serious issues with respect to their contractual obligations to their customers, particularly with respect to data protection policies, as well as leaving the individual citizen utterly in the dark as to how to mitigate any compromise of his private and personal communications that could be engendered by implementation of the mandatory scheme.

At a potentially much more sinister level, to which my noble friend referred, the regulations are silent on whether it is the Government’s intention that the directive should authorise the use of deep packet inspection technology to facilitate their data retention policies. I apologise for the techno-speak, but this, too, is critical, particularly in respect of the security and privacy of data, because DPI allows for interrogation and analysis of layers 2 to 7 of the OSI seven-layer model. Put simply, DPI devices can classify traffic and communications data on the basis of information extracted from the data part of the packet, thereby blurring the boundaries as to whether message content is being retained or not, rather than being confined to the header information alone.

It may be that I have too suspicious and cynical a mindset, but I am tempted to suppose that a principal reason for the Home Office being so lackadaisical in responding adequately to recent concerns about behavioural advertising and DPI may be based in its unstated ambition to make use of the technology itself for its IMP ambitions. Be that as it may, the point at issue today is whether there is also an aspiration that the technology should be available in the context of these regulations. I hope that the Minister will clarify that for me. In this context, he may be tempted to suggest that we should not worry about these issues of technical detail on the basis that they will be attended to and resolved by the implementation group. That may or may not be the case, but, to put it bluntly, neither Parliament nor this House should accept this sort of pig in a poke. I support my noble friend and I look forward to the Minister’s response.

My Lords, I support the amendment. The noble Baroness, Lady Neville-Jones, has asked all the right questions that needed to be asked. Before the Minister is tempted to say, “If we do not implement or transpose the directive now, we will face infraction proceedings”, I should remind the House where it came from. The directive was pushed through by the UK under the then Home Secretary, Charles Clarke. Its scope was regarded at the time as far too wide, with insufficient safeguards. My colleagues in the European Parliament voted against it in 2005 but, sadly, they were not supported.

The Home Office imagined the directive and has now, I must tell the Minister, brought it back in an unbelievably unsatisfactory form. Many questions about it were raised even before his jaw-dropping statement. I think I heard him say that access will not be as described in last Monday’s debate in the Commons on this very statutory instrument. I should be most surprised if that is what he said, and he will correct me if it is not. If the substance of last Monday’s debate or the Government’s interpretation of it have changed, the other place would be justified in having another look at the matter.

There are fundamental questions here and the noble Earl, Lord Northesk, has raised one of the most critical: whether the Government’s interpretation of RIPA is sufficient. As the House will recall, when I asked the Minister whether British Telecom’s illegal trials of Phorm to intercept web traffic to trial targeted advertising were within the law, he said it was not possible to say—neither the Home Office nor BERR could come to a decision on it and it would have to be tested in the courts. That is just one case. We cannot move ahead on this sort of statutory instrument when it is still so unclear whether RIPA is fit for purpose in the interception of web traffic to this extent.

The other difficulty is that, although the Minister said that content is not looked at, the Explanatory Notes give several examples of interception being used when the content is prayed in aid. A film clip is mentioned in one case. That clearly is content. The Minister has reassured us that data on Facebook, Bebo, MySpace and similar sites will not be retained, but that seems to fly in the face of what was said by the Minister’s honourable friend, Mr Coaker, when he addressed the point in Committee in the other place.

A large number of issues need to be answered in a far more satisfactory way. We agree with the noble Baroness, Lady Neville-Jones, that the force of primary legislation is needed to clear this up. That is not surprising given that RIPA was conceived before data-mining technology had become anything like as sophisticated as it is now. What needs to be delved into far more deeply in both Houses is whether the measure is fit for purpose. If it is, are those responsible for regulating it—the Home Office, Ofcom and so on—doing so sufficiently, and is the misuse of it adequately understood?

The Minister said that we are talking only about retention. We on these Benches understand the importance of retaining these data, for all the reasons that he gave, including tackling serious crime and terrorism. However, unless the public at large can be entirely confident that retention is one thing and that access is another, and unless they can be entirely confident about the exact definition of “data”, which is becoming less clear with each contribution this evening, then I think that Members of both Houses would be completely correct in having very serious doubts.

My Lords, I congratulate the noble Baroness, Lady Neville-Jones, on introducing her amendment, which has been supported by all speakers so far. I do not intend to mention the detail; that has already been dealt with extremely effectively by the three previous speakers. I want to go rather broader. The final sentence of the amendment calls upon the Government to,

“withdraw the Regulations, and to introduce primary legislation on the retention of communications”,

and so on. Does that mean amending the regulations or withdrawing them, and would that be acceptable to the real Government in this case—the unelected and unsackable Government in Brussels? As I understand it and as the Explanatory Memorandum makes pitifully clear, we would suffer infraction proceedings if we did not implement the requirements of the directive. Therefore, I am not absolutely certain how this amendment is going to play. However, we have been here many times before with the waste electrical and electronic equipment directive, the curd cheese regulations, the horse passports directive, the working time directive and so on. Noble Lords will remember that we debated and opposed many of those but in the end there was nothing that we could do because it was a requirement of membership of the European Union that we pass those directives into British law.

It is slightly depressing that the real truth is that this House and the other place are turning more and more into rather sad rubber stamps for the increasing torrent of EU legislation that is coming our way. This is just another example of it, is it not? None the less, I think that this evening’s debate has been very worth while, if only to tease out of the Minister whether this House is able to amend these regulations or whether it has the right to reject them. If it does not have the right to do that, is this whole thing not just an exercise in futility?

My Lords, like the noble Lord, Lord Willoughby de Broke, I welcome the amendment and the way in which it was moved, together with the detail given by the noble Baroness, the noble Earl, Lord Northesk, and the noble Baroness, Lady Miller. However, like the noble Lord, Lord Willoughby de Broke, I am concerned not so much with the technical aspects, which have been adequately explained, but with exactly what these regulations mean in straight, plain English. Are they the thin end of the wedge? What will come next? What is intended to be brought forward in the future? I have no doubt that we will be reassured that content will not apply in relation to these regulations, but of course a further order may very well bring in content.

People in this country are getting very concerned about the surveillance that they are under day in and day out, minute by minute and hour by hour. Indeed, in many respects they are getting very frightened about the amount of data that the Government hold about them. This is supposed to be a free society. Unfortunately, it no longer is a free society, and the powers that be—the Government in this country and the Governments in other countries—appear to believe that human beings are not individuals but the property of the state. That thinking has no place in a democratic society.

Therefore, I am worried, as are many other people, that piece by piece, order by order and Bill by Bill the people of this country are being robbed of their freedom, their independence and their privacy. That is why I am particularly concerned about these regulations. They give us the opportunity to examine exactly how the people of this country are being treated.

As I understand it, and no doubt the noble Lord will correct me if I am wrong, these regulations apply to individual countries. Presumably, the data collected will be used within this country, but I am not sure. Will they be accessible by the other 26 nations of the European Union without going through our Government? How many pieces of information will have to be stored during the course of a year? Is he satisfied that there is sufficient technical ability to be able to correctly access the information stored? We know that many mistakes are made. Indeed, details are lost and people's privacy is invaded even though that may not have been intended. How many other countries so far have enacted the legislation? Are we the last, the first or what?

Finally—I do not want to detain the House too long—I must say that the Minister would be well advised to take note of what has been said tonight and take back these regulations to have another look at them because of the serious reservations that have been voiced from all sides of the House this evening. That is the only hope, quite frankly, that we will get some proper legislation because, as the noble Lord, Lord Willoughby de Broke, said, once this goes through that is the end of the matter. It is only the Government, not this House or another place, who can push this aside. At least the Government have the opportunity to go back to the Commission and the Council and say, “We're having a lot of trouble with this in Parliament. Can we have another look at it and renegotiate it to make it more satisfactory and acceptable to both Houses of Parliament?”.

My Lords, it is significant that there is no dispute among us that there is a proper place for the retention of relevant data for the serious investigation of crime and the prevention of terrorism. The difficulty is that that is not dealt with as a separate area but potentially spreads into many other areas as well. We have to recognise that the well publicised loss of data by the Ministry of Defence, the Driver and Vehicle Licensing Authority and Her Majesty's Revenue and Customs has created a difficult background for general permissions for access to data. Therefore, there is a strong case for the whole issue of access to data to be enshrined in primary legislation and quite possibly that the use by the police and security forces should be dealt with as a separate issue from wider questions. The difficulty is that we are trying to deal with them all in the same set of propositions, potentially.

It would be good to have a commitment from the Minister to revisit the promise of primary legislation that was given in May 2008, although no Bill was announced in the Queen’s Speech. The regulations may have to be approved today for legal reasons, as has been explained, but there should be a commitment to primary legislation in the whole sphere and to the potential separation of the serious crime and terrorism aspects from other aspects.

My Lords, I also support the amendment. I underline a question asked by the noble Baroness, Lady Neville-Jones, although I am not sure that she made it as strongly as it should be made in her otherwise lengthy and brilliant exposition of the problem in front of us.

The Minister must admit that, in his introduction of this statutory instrument, he was trying to persuade us that it is needed for security reasons. When he comes to reply, I would be grateful if he said that that was not so, but I certainly understood him to say that. Therefore, how can it be reasonable that the regulations allow,

“hundreds of different public bodies access to information on personal emails and internet activity”?

He has to answer that because the two positions are clearly incompatible.

My Lords, I want to speak for a moment, and not simply to demonstrate that the Minister is not the only person to speak tonight who does not respectfully agree with the noble Baroness's amendment. I had something to do with this directive being passed but, much more importantly, to do with the way in which data are used in the prevention of crime and the conviction and punishment of crime and terrorism offences.

There are only three short points that I want to make. First, the Minister is right that retention of data of this sort can be critical to our security, the prevention of crime and the pursuit of crime, not only to catch people but sometimes to prove innocence. In the first Damilola Taylor trial, it was evidence of where a cell phone had been, a result of the retention of data, that established the innocence of those defendants. It does not work only the other way. Secondly, these regulations are about the retention of data, not access to them. Reading the regulations, that is plain. I heard the Minister say that there will be occasion to debate, perhaps not in primary legislation, access to information. That is important, but much of what noble Lords have said this evening is about access, not retention. Thirdly, it is clear that the data that these regulations mandate providers to retain are not the content of communications. The schedule clearly sets out what data are to be retained. They are not the content, and they are data only to the extent that they are generated or processed in the United Kingdom by the providers in the process of supplying the communication services concerned.

I understand the concerns about privacy but, with respect, I do not see that the regulations affect that. The noble Lord, Lord Pearson, referred a moment ago to the words in the amendment about these regulations allowing access to the data to,

“hundreds of different public bodies”,

The regulations are about the retention of data, which is critical. Once they have been retained, the question of access to the information is different.

My Lords, that is an important point. If through the use of RIPA and other channels the information gathered under the regulations can be made available to,

“hundreds of different public bodies”,

then the noble and learned Lord must justify what he said, as must the Minister, otherwise we are talking at cross purposes.

My Lords, I have no doubt that the Minister will. These regulations deal not with access but with retention.

My Lords, I thank all noble Lords who have spoken and made important contributions. I remain convinced that this is a necessary measure and that the way we are transposing it is proportionate to the challenges of law enforcement and the security threats we face. I do not regard it as unclear or woolly. I shall go into some of the points raised by various speakers. I completely agree with the noble Baroness, Lady Neville-Jones, that the guidance puts the horse before the cart, and that is just where horses should be. It is standard practice to release guidance after parliamentary approval because we would not want to presume it. In any event, the directive sets out the types of communications data that are to be retained.

We are obliged to ratify this now. We are working to a timescale set by the EU. Notwithstanding what the noble Baroness, Lady Miller, said, it has been set by the EU, and the EU has agreed it. The noble Lord, Lord Stoddart, asked how many countries have signed up to this. I mentioned in my opening speech that 17 nations have signed up to it already. In answer to other small things, spam is not retained. ISPs already deal with spam and are able to tell the difference between that and other data. The subject line in an e-mail is content, not comms data. The noble Baroness, Lady Neville-Jones, asked about the implementation group. It will start in two months’ time.

The regulations only bring additions to communications data that relate to internet e-mail, internet telephony and log-on history. The EU directive excludes data that relate to third-party services. Internet-related data must relate to the services provided by the communications provider and no data revealing the content of the communication can be retained under these regulations. An existing code of practice determines the difference between communications data and content and was approved by Parliament. It is worth remembering—a number of speakers have touched on this—that data will be held by CSPs and will be accessed only under RIPA. Most of these companies hold data for their own business processes. The regulations codify these data and put them in such a way that, if we ever need to use them, they are more accessible. We will hold them for 12 months, as set out in the regulations, rather than for the maximum of 24 months, which can be done. Most of these data will never be accessed. The noble Earl, Lord Northesk, referred to that.

My Lords, will the Minister clarify one point? He just said that one of the purposes of the directive is to enable the Government to codify retained data. I am sorry, but if you want to codify retained data, you must access it. Will he explain precisely what he means by “codifying” the retained data?

Yes, my Lords. Codifying the retained data means putting them into a format which, if they ever need to be used, makes sense and can be easily accessed. However, the debate today is not about access; it is about collecting data. I will come back to this point a little later.

The noble Baroness, Lady Miller, referred to what had gone on in the other place. Obviously my opening remarks were not clear. There was some debate in the other place about the published regulatory impact assessment that accompanied the regulations, because Members there understood, and they were quite right, that we are going to consult on RIPA. We are not, however, changing the framework at the moment. That was one of the things about which they were confused. They were also very confused about the difference between retention and access, which I fear is what has happened here, too. It is important to remember that we are talking today about retention.

My Lords, I am sorry to press the Minister on this, but that is the very point; we are not technical experts, so it is very hard to get this across. When we debated deep packet inspection, which in effect is picking out data from the system by technological means, the Minister said that the question whether that constituted access under RIPA would have to be tested in court. The noble and learned Lord, Lord Goldsmith, says that this is not about access, but I do not think that it is clear to the Government what access means any longer now that the technology has changed. If the Minister can explain why that is not the case and why he has said before in this House—it is on the record—that it would have to be tested in court, I will be satisfied.

My Lords, the noble Baroness is conflating two things. She referred to what had been discussed in the other place, to which I gave my first answer. She has now moved on to targeted online advertising. That is a different issue from the one that was mentioned in the other place. I did not say that targeted online advertising was mentioned in the other place, but I am very happy to speak about it.

My Lords, they are very different issues. The debate on targeted online advertising is ongoing, as I said before. It has been the subject of investigations by the police and the Crown Prosecution Service, and we are looking into it. As I said, I am very unhappy about it. This is the sort of snooping—the sort of area—that worries me more. People seem to think, “Goodness me, the Government are a dreadful bunch”, but I can tell noble Lords that what all sorts of other people can gain by looking at people’s e-mails is horrifying. I am quite able myself to get amazing amounts of data on people in a normal, open way, which is pretty frightening. People do not understand that, when they go into their e-mails and on to their little screens, they are telling more people in the world what they are writing than if they wrote a postcard and stuck it in the mail. That is the reality, but that is a side issue.

We are satisfied that the regulations, which implement an EU instrument on data retention, are expressly stated to comply with Article 8 of the ECHR and are therefore compatible with it. These regulations rightly include protections for privacy and security, and for industry. The Information Commissioner is the supervisory authority for data retained under these regulations, and companies taking forward data retention projects under these regulations will be required to undergo security audits to increase confidence that due regard is paid to the security of data.

We have spent much of this debate discussing points of access to communications data, which is important. But it is separate from the purpose of these regulations, which are to do with retention of data. While we might not all agree on who needs to access this communications data—indeed, we will have opportunities to debate that aspect of it—surely noble Lords agree as to the need for the retention of this data, so that those who we think should have access can have access to it in the future. If that is the case, and we are in agreement as to the need to keep this data—our European friends seem to think that that is the case—I see no need to pursue the amendment. The amendment calls for new primary legislation on the retention of communications data, on which there is a broad consensus.

The noble Lord, Lord Stoddart, mentioned that we are being observed more day by day and hour by hour, and that we are no longer a free society. I do not intend getting into that long debate, although I have to say that I disagree completely. In more than 40-odd years of travelling the world with the Navy, I have been in societies which are not free, and we are very far from that. I do not think that what the noble Lord said is correct.

Information is fundamental to the delivery of modern public services and to public protection. It helps to ensure that citizens receive the services to which they are entitled. Front-line staff have the information they need to do their jobs effectively. Joining up services is very important. A number of independent reports—for example, Bichard’s report on the Soham murders and that of the noble Lord, Lord Laming, into child protection—often say that there is a failure in shared information. We are abused then of that failure. We cannot turn the clocks back 30 years. We are in a society where data has to be used.

Turning to the amendment in more detail, the first part relates to expressions of regret. Clearly, all of us would rather be in a world where there was no necessity to think of collecting communications data—a world with no Soham murders, no murders of prostitutes in Ipswich or terrorist threats. I do not think that we need an amendment to reflect the regret we all feel. The second part of the amendment refers to access to communications data. I say again that that is not what this is about. Let us focus on what it deals with; that is, making it mandatory that the appropriate communications data are kept in the most efficient and usable manner by the communications service providers.

All Europe thinks that that makes sense—

My Lords, the Minister says that access will be discussed at a later date. Who will discuss it and who will decide it? Will it be discussed by this Parliament or will it be decided by the Council of Ministers in Europe?

My Lords, as a result of the consultation, it will be discussed in the other place and in this place in terms of amendments to RIPA. It will also be discussed in the context of IMP. Exactly what discussion will go on in Europe, I am not sure. But there might well be discussion.

My Lords, where will the decision be taken? We can discuss European matters here for as long as we like, but will the decision be taken here in this Parliament or in Brussels?

My Lords, the decision on access will be taken in this Parliament, but that decision is totally irrelevant if we do not keep the data. If we do not agree to keep this data, any discussion about access is irrelevant because they are not being kept. We have had a lot of debate about access and there have been some very interesting points. But this is about making sure that the data are kept. I think we all agree that we should have that data. We all know how valuable they are: 95 per cent of all serious cases rely on that data. Are we really suggesting that these data should not be kept? If we do not keep them, as I say, access to them becomes irrelevant, and that is the key reason why we need them. Therefore, I believe that the amendment is redundant. The directive is an important building block that will help the police and the security and intelligence agencies when they need access. Furthermore, we will have an opportunity to debate access. For those reasons, I ask the noble Baroness to withdraw her amendment.

My Lords, I was loath to intervene on the Minister during his winding-up remarks because he has had quite enough interventions. However, can he answer one straightforward question that I actually put to him in my speech: do these regulations either implicitly or explicitly authorise the use of DPI technology to retain communications data? It is a very straightforward question.

My Lords, I am always wary of straightforward questions and I am afraid that I will have to take advice on DPI technology. I think that I am fairly good on these things, but I am not aware of what it is. Perhaps I may respond to the noble Earl in writing.

My Lords, we have had an interesting discussion. The noble and learned Lord, Lord Goldsmith, said in the course of our debate that it is important to have access to this kind of data information for the purposes of national security and the pursuit of crime. I repeat what I said at the beginning of my earlier remarks: there is no difference between us; that is not the issue. The issue is the terms of this statutory instrument and its relationship with other legislation.

Thereafter we had the beguiling argument that this piece of legislation is not about access, it is only about retention. But it is linked to access legislation, and the access legislation as it stands is highly unsatisfactory. We are being asked to agree to this SI in the absence of having access legislation that is satisfactory. We do not know when we are going to have the opportunity to see that legislation amended. No timetable has been offered and we do not know the relationship between RIPA, and possibly a modified RIPA, and the SI. As things stand, we are being asked to agree to an SI linked to the present RIPA, and that is highly unsatisfactory.

Furthermore, I fear that the Minister has failed adequately to explain to your Lordships’ House how this statutory instrument will work in practice. He briskly dismissed a large number of important points raised in the debate, including deep packet inspection, which is relevant. I fear that it is necessary to know the answer to that question in order to be convincing to this House; it is not just a matter of mere technicality. The great difficulty with all this legislation is that there are matters of great political importance to the liberties of this nation which are disguised as ostensibly technical matters. It will not do that we are not the master of what the technology is giving us, and therefore unable to understand its political import. We must be able to have the debate on terms that enable us to tackle both. Although he was asked specifically, the Minister did not give an answer to the question about the relationship between this statutory instrument to the Interception Modernisation Programme, and when or whether we can expect any primary legislation. For an issue of this importance, this House and this Parliament need primary legislation.

For five and a half years I worked in the European Commission and I know something about its habits. As my noble friend Lord Northesk commented, this particular bit of legislation in its German version is now up for scrutiny for its compatibility with the ECHR. Against that background, I think it is unlikely that the Government will receive a letter of mise en demeure from the European Commission, which is the first stage of legal proceedings in infringement. I am not impressed by the notion that we have to pass this piece of legislation now in order to avoid infringement proceedings. Given the importance of the matters we are scrutinising, I repeat that I beg the Government to withdraw these regulations and produce at the earliest opportunity proper, primary legislation on communications data. For these reasons, I want to test the opinion of the House.

Motion agreed.