Report (2nd Day)
Clause 58: Power to grant authorisations
96: Clause 58, page 46, line 40, leave out “to disclose it” and insert “or capable of obtaining it—
(i) to obtain the data (if not already in possession of it), and(ii) to disclose the data (whether already in the person’s possession or subsequently obtained by that person)”
My Lords, I shall speak also to the other government amendments with which this is grouped.
This group contains the government amendments in relation to the acquisition of communications data under Part 3 of the Bill. Starting with Amendments 96 to 100, a designated senior officer may believe that a communications service provider has the communications data he or she requires and grants an authorisation or issues a notice to that provider for disclosure of the data. However, in such a case the provider may not actually have the data but is able to obtain it. The Bill already provides for an authorisation or notice in respect of such data. These amendments simply make it clear that a second authorisation or notice for the same data and for the same purposes is not required in these circumstances. I trust the House will agree that these are sensible amendments, ensuring that neither the public authority nor the communications service provider is unnecessarily burdened.
Amendments 101 to 103 update Schedule 4 in two ways. The first is through minor and technical amendments to the description of the minimum rank for authorising communications data requests within the Competition and Markets Authority and the Police Investigations and Review Commissioner in Scotland. These amendments correct an error and reflect an organisational restructure in the respective organisations. Secondly, they add the Department for Communities in Northern Ireland to the list of public authorities which may acquire communications data for the purpose of preventing or detecting crime or preventing disorder. Communications data are of course a vital tool in investigations to detect, prosecute and prevent benefit fraud, providing vital investigative leads that would not otherwise come to light. These amendments ensure that the Department for Communities in Northern Ireland has the same powers as its English counterpart, the Department for Work and Pensions. They will allow it to continue to investigate crimes, such as organised attacks on the benefits system.
On Amendments 104 to 106 and 109 to 114, the collaboration agreement provisions in this part of the Bill are intended to ensure that, where necessary and appropriate, one public authority can make use of another public authority’s authorising and single point of contact expertise. They will bolster the strength of the regime by allowing for the sharing and use of best practice and experience. These minor and technical amendments will ensure that public authorities can enter into collaboration agreements and benefit from them without any unintended consequences. For example, they would ensure that two public authorities could collaborate with each other, even though the purposes for which they can each acquire communications data are different. They would also ensure that restrictions, such as the requirement for local authorities to seek magistrate approval for their requests for communications data, operate properly under collaboration agreements.
Similarly, the amendments make clear that single points of contact in a public authority can themselves obtain the communications data from communications service providers on behalf of the authorising officer in the collaborating public authority, as well as provide their advisory function. The single point of contact already performs this role in respect of requests authorised within the same public authority, and this amendment was needed to ensure that nothing in the collaboration provisions casts doubt on their ability to perform that role. I hope the House will agree these amendments to improve the regime.
Finally, on Amendment 259, it has always been the case under RIPA that a public authority can request data that may reasonably be obtained by a communications service provider as well as data which it holds. This fact has been reflected in the telecommunication definitions in the Bill, which make clear that communications data includes data which are, are to be or are capable of being held or obtained by a telecommunications operator. This amendment does no more than ensure that the definition of communications data in the postal context is consistent in this respect. I beg to move.
Amendment 96 agreed.
Amendments 97 to 100
97: Clause 58, page 46, line 42, leave out paragraph (c)
98: Clause 58, page 47, line 5, leave out “to disclose the data” and insert “or capable of obtaining it—
(a) to obtain the data (if not already in possession of it), and(b) to disclose the data (whether already in the operator’s possession or subsequently obtained by the operator)”
99: Clause 58, page 47, line 8, leave out sub-paragraph (ii)
100: Clause 58, page 47, line 28, leave out “, (c)”
Amendments 97 to 100 agreed.
100ZA: Clause 58, page 48, line 9, at end insert—
“( ) An authorisation may be considered necessary on the grounds falling within subsection (7)(b) or (f) only where there is a reasonable suspicion that a serious criminal offence has been or is likely to be committed and it is reasonably believed that the communications data sought will be relevant to the criminal investigation.”
My Lords, with this amendment I make a further attempt to introduce into the Bill a requirement on the authorities to demonstrate reasonable suspicion of a serious crime and a nexus between the communications data that are sought and the crime suspected before a targeted surveillance warrant can be authorised.
As I pointed out previously when speaking to Amendment 20, one of the greatest problems with the Bill is the lack of a requirement for reasonable suspicion in order for surveillance powers to be authorised for the purpose of preventing and detecting a crime. At the moment, intrusive powers can be authorised to prevent and detect serious crime, but this general purpose is left wide open to very broad interpretation, and therefore to abuse, without requiring the authorising authority to verify the existence of reasonable suspicion of criminality. A requirement of reasonable suspicion when the purpose of preventing and detecting serious crime is invoked would prevent the potential abusive surveillance of law-abiding citizens, which we have seen in the past, without unduly limiting the legitimate use of surveillance powers.
The threshold of reasonable suspicion has long been an important safeguard for both citizens and law enforcers against the risk of the arbitrary use of police powers. The “necessary and proportionate” standard invokes an important assessment of the extent of the intrusion but does not necessitate a threshold of suspicion. Although would one expect that in practice targets of surveillance would meet this very modest burden of proof, in my view it is a great mistake not to include the threshold of reasonable suspicion in the Bill, and it leaves these powers ripe for abuse. Therefore, I make no apology for returning to this issue once again.
The amendment simply requires, first, a threshold of reasonable suspicion that a serious crime has been planned or committed and, secondly, a factual basis for believing that the targeted communications data will contain information relevant to the criminal investigation. This would reassure the public that intrusive targeted surveillance could be used only where there was reasonable suspicion of a serious crime. To that end, I hope the Government will accept the amendment. I beg to move.
This amendment relates to Clause 58, which some people, although not the noble Baroness, Lady Jones, have referred to in the context of a recent opinion by the ECJ Advocate-General in the case involving Tom Watson MP. We do not support the amendment but I want to make it clear that the fact that we are opposed to it does not mean that we have decided that the clause as it stands meets the opinion of the ECJ Advocate-General in the case now before the European Court of Justice involving Tom Watson MP and relating to retaining and accessing communications data, should that opinion be reflected in the judgment of the court when it is delivered. I want to make that statement as there may be those who, for some reason or another, have come to the conclusion that the fact that we have not tabled any amendments to Clause 58 means that we believe that the clause will cover the position of the Tom Watson case if the judgment of the court proves in line with that of the opinion of the ECJ Advocate-General.
My Lords, I applaud any attempt to make the definitions precise but there comes a point when there is a negative consequence. I am slightly worried that the wording of the amendment—certainly as drafted—could inhibit the activities of law enforcement in establishing a pattern in the development of criminal behaviour and activity, particularly in the area of organised crime, if it were to be interpreted as strictly as its wording invites. Although the intention of the amendment is good, I am not yet persuaded that it can safely be included without an undesirable inhibition of a particularly important area of activity at the moment—namely, establishing whether groups with well-suspected criminal intent might be planning something worse.
My Lords, the noble Lord, Lord Rosser, has set perhaps the hardest task for the Minister today in asking him to comment on what was perhaps not a coded speech but simply one inviting speculation.
Turning to the amendment itself, as on the first day of Report we are sympathetic to where the noble Baroness is coming from. Indeed, I think we had an amendment on “reasonable suspicion” at an earlier stage. However, perhaps again I should phrase what I have to say as a request for confirmation, as my noble friend Lord Paddick did last week. Reasonable suspicion is encompassed by the necessity and proportionality test. The way the noble Baroness has expressed it is that there is a moderate-sized hurdle to be got over and then a higher hurdle to be surmounted, by having “reasonable suspicion” and then the necessity and proportionality test. To keep up the athletic metaphor, you will not get over the higher hurdle even if you get over the lower one, so it seems to us that you might as well just have the higher hurdle. Perhaps we can be given some more assurances about how the different criteria will bite.
My Lords, I listened carefully to the noble Baroness, Lady Jones of Moulsecoomb, and I am grateful for the case she has put. However, I cannot agree with it, and I will explain why that is.
As the noble Baroness explained, this amendment seeks to provide that certain communications data authorisations can be approved only where there is a reasonable suspicion that a serious criminal offence has been, or is likely to be, committed. In short, the amendment would undermine the ability of law enforcement and other public authorities to catch criminals and to keep the public safe. I will now set out why I believe that is so.
I shall start with the requirement for reasonable suspicion. As we discussed and agreed in this House last week, the necessity and proportionality test is established and well understood. It is difficult, therefore, to see what benefit would be derived from inserting a different test. Indeed, in order to approve an authorisation for communications data for the purpose of preventing or detecting crime, a sufficiently compelling case will always be required—a speculative authorisation would never be approved. Therefore, I suggest that the amendment responds to a concern that is fundamentally misplaced.
Turning to the serious crime threshold that this amendment would insert, assuming that the noble Baroness intends the threshold to be equal to that currently used to authorise the interception of communications, I believe once again that the amendment is inappropriate and damaging. Taking effective action against serious criminals often requires the investigation of, if I may use the phrase, lower-level individuals for activities that are not considered serious crimes in order to build a case against higher-ranked criminals. It may also include the investigation of minor offences where stopping an offender at this point may prevent an escalation of their criminal activities, such as in stalking and grooming cases.
It might be helpful if I expand on that. Placing this additional restriction on the acquisition of communications data would disrupt police investigations of online grooming and linked crimes, such as the sending of sexual communications to a child. This is because where such activity does not meet the high threshold proposed, which will often be the case if the child is over the age of 13, it may be impossible to identify perpetrators who may go on to be involved in child sexual exploitation. As such activities increasingly take place online, law enforcement agencies will rely heavily on communications data and the new power in relation to internet connection records in order to investigate this.
The amendment would also reduce the ability to investigate online fraud, which affects everyday internet users who shop or bank online, but which could, depending on the value of the fraud, fall below the serious crime threshold proposed here. Equally, the Department for Work and Pensions, for instance, investigates false tax credit claims which can result in the collective overpayment of millions of pounds of taxpayers’ money, but these false claims may not individually reach the threshold of serious crime. Communications data are currently used to investigate such activity.
I also believe that these amendments are unnecessary given the strict safeguards that already apply to the use of communications data. Data can be accessed only on a case-by-case basis and only where judged necessary and proportionate by a senior officer of a rank specified by Parliament and who is independent of the investigation. Strong judicial oversight will also be provided by the Investigatory Powers Commissioner.
I was grateful to the noble Lord, Lord Rosser, for qualifying his party’s position on this part of the Bill. We maintain that our existing regime and the proposals in the Investigatory Powers Bill are compliant with EU law, but whatever the final judgment, given the importance of communications data to preventing and detecting crime and safeguarding national security, we will ensure that plans are in place so that the police and others can continue to acquire such data in a way that is consistent with our obligation. I hope that that is helpful.
The Minister appears to be saying that the Government’s position is the same as ours, and that you cannot express a view on whether the law as it stands, as reflected in the Bill, meets the judgment of the European Court of Justice until we have seen and read what that judgment is.
Indeed, but until we have seen and read what that judgment is, our view is that the Bill is compliant.
In view of the very significant impact that would flow from this amendment, I invite the noble Baroness to withdraw it.
I thank all noble Lords who have given me some support: it is something that I feel very strongly about. I thank the noble Earl for his full reply. Needless to say, I am not convinced because all of the issues that he talked about are in fact potentially serious crimes, so the threshold would be satisfied.
If the noble Earl had spoken to some of the people who had been blacklisted, for example, and whose lives were basically destroyed because of illegal surveillance and co-operation by the police with various organisations, it is possible that he would have been influenced in the same way that I have been. However, in view of the noble Earl’s answer, I beg leave to withdraw the amendment.
Amendment 100ZA withdrawn.
100A: Clause 58, page 48, line 13, at end insert—
“( ) Communications data obtained for any of the purposes listed in subsection (1)(b)(ii) may not be used or disclosed other than for those purposes and must be destroyed as soon as possible after the data has been used for the purposes for which the data has been obtained.”
My Lords, I move this amendment in my name and that of my noble friend Lord Paddick. The issue of destruction of material was raised by the Government last week in respect of legal professional privilege. In that case, the Minister proposed and the House agreed that when an item subject to legal privilege is intercepted and obtained, the Investigatory Powers Commissioner can impose conditions as to its disclosure or direct destruction. We proposed a further safeguard about destruction, which the Minister is considering—he said that he would like to return to it at Third Reading—but which he thought was essentially a good idea, and we recognise the Government’s approach as something that we want to build on.
Amendment 100A is in the same area. There are destruction requirements elsewhere in the Bill. Clause 58(1) deals with what is necessary and proportionate for a targeted authorisation for obtaining data. It is necessary in one of the cases set out in subsection (1)(b),
“for the purposes of testing, maintaining or developing equipment systems or other capabilities relating to the availability or obtaining of communications data”.
The amendment would provide that data obtained for any of these purposes may be used only for such purposes. The Minister may say that that must be so and critically that,
“it must be destroyed as soon as possible after the … purposes”,
have been fulfilled. We believe that it must be the case that data obtained for testing systems should be subject to such a safeguard because, by definition, they are not required for a specific investigation and are therefore not necessary in the interests of national security or any of the other purposes set out in Clause 58(7). If data are required for a specific investigation, then those other provisions will kick in.
The destruction requirement that we are seeking is confined to the very narrow situation of the testing of systems. I hope that the Minister will agree to this, but if not that he will at least explain how data obtained in that situation are to be destroyed so that they do not hang around, as it were—which is probably not a technical phrase. I beg to move.
My Lords, I hope that I can reassure the noble Baroness. Amendment 100A is unnecessary since the use, retention and destruction of all personal data held by public authorities, including communications data, are already regulated by the Data Protection Act 1998. That means that, once communications data have been obtained, there must be a lawful purpose for their use and ongoing retention, and they must be destroyed when they are no longer held for a lawful purpose. I would draw the attention of noble Lords to Chapter 11 of the Communications Data DRAFT Code of Practice, which sets out detailed requirements, consistent with the Data Protection Act, on public authorities about the use, disclosure, protection and destruction of the communications data they hold.
In addition, the amendment would unnecessarily, and in some cases very damagingly, require a public authority to destroy communications data it had obtained once they had been used for the purpose for which they were acquired, but other legitimate and important purposes for holding data may still exist. For example, a public authority is obliged by law to retain material it holds that has been used in evidence to support a conviction in case of appeal or to overturn a potential miscarriage of justice. It is also obliged to retain any material that is potentially exculpatory, even if it considers that it no longer requires the data for the original purpose for which it was acquired. This amendment would cut across those important tenets of our criminal justice system and I cannot imagine that that is what the noble Baroness wants to see.
I hope that, in combination, what I have been able to explain will reassure her sufficiently to enable her to withdraw the amendment.
I should obviously have included something like the words “except as otherwise required by law”. I am grateful for that explanation and I am sympathetic to the Government trying to get everything into the Bill, but here we find yet another example of another piece of legislation that we need to look at. However, it is helpful to have the explanation, and I beg leave to withdraw the amendment.
Amendment 100A withdrawn.
Clause 59: Restrictions in relation to internet connection records
100B: Clause 59, page 49, line 23, leave out “6” and insert “12”
My Lords, when the Bill was going through the House of Commons, the Government made a commitment to introduce a clear and appropriate threshold for accessing internet connection records. The concern was that access should not be available in connection with non-serious crime. The threshold for serious crime that the Government came up with in Committee appeared workable and appropriate.
But last April, the then Home Secretary told the then shadow Home Secretary that restricting internet connection records to serious crime would hamper the ability of the police to investigate online stalking and harassment; disrupt police investigations of online grooming or the sending of sexual communications to a child; reduce the ability to investigate online fraud; hinder the ability to identify and disrupt the sale and distribution of illegal material online, including illegal weapons, counterfeit medicines or illegal drugs; and prevent the police progressing investigations where there may be a threat to life but where it is unclear whether a crime is involved—for example, locating a missing or suicidal child—because many of these activities would not meet the serious crime threshold.
While we welcome the fact that specific offences such as stalking and harassment have been addressed and can lead to access to internet connection records, we have continuing concerns around the definition of “other relevant crime”, which is too broad and could still lead to the use of internet connection records in relation to crimes that would not be regarded as serious.
Currently the Bill defines “other relevant crime”, with some caveats, as,
“an offence for which an individual … is capable of being sentenced to imprisonment for a term of 6 months or more”.
The Government have recently stated that this threshold rules out the use of internet connection records for a large number of minor crimes, including those which are not subject to a custodial sentence and those which are subject to only a one-month or a three-month custodial sentence. The Government have also indicated a number of offences in respect of which the use of internet connection records would be excluded if the threshold in respect of “other relevant crime” was increased from six months to a sentence that is capable of attracting a custodial sentence of 12 months or more. Those offences which would then be excluded include motoring offences such as joyriding, driving while disqualified and failure to stop or report an accident; an offence of criminal damage under £5,000; some sections of the Public Order Act which do not amount to violence; and certain immigration offences and some offences relating to the supply of intoxicating substances or controlled drugs.
Our amendment would increase the qualifying term of imprisonment from six months to 12 months or more. This would exclude the kind of offences to which the Government have referred. One accepts that such offences can have significant consequences, but we do not regard them as serious in the context of the purpose for which access to internet connection records is required—and nor do we think that raising the threshold to 12 months’ imprisonment in respect of other relevant offences makes it difficult to pursue matters related to the kind of offences to which the previous Home Secretary drew attention and to which I referred earlier.
I hope that the Government will feel able to give a helpful response to this amendment, which seeks to address concerns that access to internet connection records could be used in inappropriate circumstances for which the Bill is not intended—notwithstanding the fact that any such access to internet connection records must meet the necessity and proportionality requirement, which some might argue should exclude much low-level offending. I beg to move.
The noble Lord made a very persuasive case for this amendment and I do not think that he will be surprised to be supported by these Benches, given our concerns about internet connection records—so any further constraint on them is something that we would welcome. But he went into far more detail than that and we support him.
My Lords, the Government have consistently recognised that care must be applied to the acquisition of internet connection records and, importantly, that they should not be acquired for trivial purposes. That is why we brought forward amendments in Committee to put in place a number of restrictions to provide reassurance that the powers to acquire internet connection records would only ever be used proportionately. These amendments included a threshold which would mean internet connection records could only be used to investigate certain crimes which could attract a sentence of at least six months’ imprisonment.
This amendment raises the threshold for offences which are sufficiently serious that an offender can be sentenced to at least 12 months’ imprisonment, rather than six. The amendment rightly leaves unchanged the important exceptions in the Bill to the crime threshold. The House has recognised the need to ensure that internet connection records can be obtained for the investigation of certain specified types of crime—for example, those relating to cyberbullying and harassment, and those relating to a breach of a person’s privacy—which, for whatever reason, carry a lower sentencing limit.
We recognise that this amendment will provide further reassurance and ensure public trust in the use of these vital powers, whose value and importance have been widely recognised and acknowledged. In these circumstances, we are therefore content to accept the amendment.
Amendment 100B agreed.
100C: Clause 64, leave out Clause 64
My Lords, I shall also speak to Amendments 100D and 100E in my name and that of my noble friend Lady Hamwee. The effect of these amendments would be to remove the request filter from the Bill. No doubt, the name “request filter” has been chosen for its potential to be beneficial in terms of limiting intrusion into privacy, while at the same time I believe it conceals its true nature and the considerable downsides that such a thing would have. I am struggling to find a word that describes something that does not exist and which the Home Office is unable to describe except in terms of its proposed positive outcomes. When I visited both the law enforcement and security agencies in preparation for the Bill they could throw no more light on the detail of this proposal or give any reassurance as to its security. What we know is that it is something akin to a Google search engine, a system built and possibly operated by the private sector on behalf of the Home Secretary. The request filter will act as the go-between between law enforcement and security agencies and the communications providers.
We have had lots of debates in the course of the Bill on the trustworthiness of the police and the security services. Perhaps it would not be too unkind to say that the security services have come out on top, with law enforcement agencies trailing slightly. When we consider the Government’s failure to implement such measures already in legislation, such as the Privacy and Civil Liberties Board and the Leveson recommendations, one might not be too severely criticised for putting the Government a poor third in this line-up of trustworthiness. The request filter would give the Government, in the guise of the Home Office, unfettered access to communications data, including internet connection records. Of course, having unfettered access would also mean that, if security were to be breached, it would provide criminals and hostile foreign Governments with similar unfettered access to private and confidential information of every subscriber to UK communications and internet services.
At present, as noble Lords will be aware, almost every request for communications data—of course, that does not include internet connection records, because these are not part, yet, of communications data—is made by investigators to a single point of contact in their own organisation. The SPOC, as they are known, assesses the validity of the request and, if satisfied, passes it to the communications provider, which again assesses whether it is a valid claim. There is, in effect, a double lock: an independent and specially trained SPOC and an independent and specially trained person in the communications company, both of whom can block unnecessary and disproportionate requests.
As far as anyone can understand such a vague concept as the request filter, it appears that it would be linked into the communication providers’ databases and be able to search and retrieve data with no independent check. The Government may say that the people operating the request filter will be the independent check, but they will be Home Office officials or staff of a private company working on behalf of the Secretary of State. Not many of us, and certainly very few members of the public, would rest assured that their sensitive personal information was in the hands of politicians or those acting on their behalf.
Although details are not contained in the Bill— or anywhere else, really—section 9 of the draft communications data code of practice states:
“The request filter will be operated on behalf of the Secretary of State by the Home Office. In practice the service will be provided by one or more third parties under contract”.
“One or more third parties” does not provide any more reassurance that the data will be kept safe or that the filter will be operated on an ethical basis. We know of numerous cases—some in the security services; many more in the police service—where databases have been misused and unauthorised searches undertaken, despite the rigorous scrutiny and auditing these systems are under. To create another virtual database, through which government officials and those acting on their behalf can carry out limitless searches of commercial company databases containing sensitive personal information, should make us all pause to think, “What sort of monster are we creating here?”. Unlike the current situation, if the Government get their way this communications data will include every website everyone in the UK has visited in the previous 12 months—presumably, after the system has been operating for 12 months, and then it will be 12 months of data on a rolling basis thereafter.
How many in this House—perhaps excluding the Ministers opposite—honestly believe that the Government should be given unfettered access to highly sensitive personal information? This is not the first time the Home Office has tried to introduce such a filter. It first made an appearance in the draft Communications Data Bill in 2012. The Joint Committee of both Houses that looked at that Bill concluded that the request filter,
“can be equated to a federated database”.
I had some difficulty convincing the noble and learned Lord about a virtual database, so perhaps he will accept the description of the Joint Committee on the 2012 Bill.
Of course, collateral intrusion can be reduced by use of the filter; indeed, the Minister referred to an example in Committee. That example, where a murder suspect is believed to have been responsible for three deaths at three different crime scenes and the police want to know whether the same mobile phone was present at each crime scene, is a valid one in terms of limiting collateral intrusion. Currently, the police would have to ask for every mobile phone registered in each location at the relevant time, and look themselves for any common numbers. The request filter could simply return only the numbers that were in all three locations at the relevant time, but there are two issues with this argument. First, is it really such an intrusion into people’s privacy that someone’s mobile phone number is found to have been operating in the vicinity of a murder scene, and when it is present at only one of those scenes, the record is immediately destroyed? Secondly, while it might save the police a couple of minutes because they would not have to compare three lists of numbers to find those common to each list, by downloading such information on to a spreadsheet, it would only take a few seconds to identify the phone number or numbers of interest.
Contrary to the view that the filter would reduce collateral intrusion, the London internet exchange LINX described the request filter as,
“the functional equivalent of building communications data profiles on every user, which will contain everything within the definition of communications data, including time and geolocation data”.
That may not be the intention but it would certainly be a possibility, and an alarming one at that. The temptation not to use such a valuable—but grievously damaging to privacy—resource would be irresistible.
The Government will again reassure the House that that is not the intention and that it will not be used in this way. However, it is only a few years ago that the Government revealed that the security services had been recording the details of every landline telephone call made in the UK and that they had been doing so for decades. The kind of search that could be undertaken using this request filter—I think of the case cited by the noble Baroness, Lady Jones of Moulsecoomb, although she is not in her place—might be to list all the people whose mobile phones were registered at Trafalgar Square on the date and time of a political rally and who have accessed a list of radical websites. The subscriber information could then be obtained and the identities of those individuals secured.
It is not only the security of the request filter that poses a threat to sensitive personal information. As James Blessing, the chair of the Internet Service Providers’ Association and chief technology officer of Keycom, explained to the Joint Committee on this Bill:
“In theory, the filter is being described as a way of restricting the information recovered. That means that an automated system must be doing the requesting of the data capture from the service provider and then presenting them to an individual. That means we have to allow third-party access to our systems, which is a potential risk”.
The Joint Committee on the previous Bill had serious misgivings and the Joint Committee on this Bill said:
“The proposals are very similar to those in Clauses 14 to 16 of the Draft Communications Data Bill 2012, which also proposed a Request Filter. The key change from the earlier Bill is that the Secretary of State must now consult the Investigatory Powers Commissioner about the principles on the basis of which the Secretary of State shall establish the filter”;
that is: the substance has not changed.
This is an extremely powerful concept—I cannot call it any more than that—which is open to misuse by the Government, third-party operators and those criminals and hostile foreign powers which will inevitably be keen to get their hands on it, or them, depending on how many people run it. The Government say:
“The request filter is available to all public authorities to assist in obtaining the communications data that they are permitted to use, subject to individual authorisations”.
This is not restricted, as with most other intrusive powers, to only the security services or cases of serious crime. Even the Food Standards Agency could access it. Of course, if there was a fully worked-up proposal with a proper operational case for such provision, and with clear reassurances about how it would operate and how data would be safeguarded, noble Lords could make an informed decision on whether a request filter was necessary and proportionate, but there is not, and so we cannot. It is simply a vague idea of something that might be useful, for which a one-sided and I believe misleading case has been put forward by the Government. I beg to move.
My Lords, I regret that I cannot support my noble friends’ attempts to remove these clauses from the Bill. I say with great respect to them that it is a misconceived attempt and displays a misunderstanding of what the authorities do, have done and can do. In my judgment, for what it is worth, the removal of these clauses would reduce the capacity of the authorities legitimately to interdict what could be extremely serious crime and catch those guilty of it.
We have heard terms such as “limitless”, “monster” and “unfettered”. At the risk of repeating what has been said earlier on Report, it is grossly exaggerated to suggest that unfettered, monstrous or limitless power is being given to the authorities. There can never have been a Bill on subjects such as these that has had so many fetters on the authorities and that has placed so many limits on what they can do. Indeed, if it has created a monster at all, it is a monster of regulation, not of unregulated activity.
I saw a briefing on these amendments earlier today. They are founded on the proposition that the authorities—the police and the security services—have the time to go on fishing expeditions. If that is what is being said, I can think of at least two kinds of fishing expedition. One is the sort of fishing expedition where you stick a worm on the end of a line and dangle it into water not believing that there is anything in there, and the other involves casting a sprat to catch a mackerel. If there is a fishing expedition here, it is the kind in which the authorities would know that there is very likely to be a mackerel beneath the water into which they cast their well-fattened sprat.
These amendments would inhibit current practice in the courts and in investigations. I can think of two murder cases in which I appeared as leading counsel—one as a prosecutor, the other as a defender—in which a conviction resulted from exactly the kind of activity being permitted in the Bill. In each case, it is certainly possible—I do not want to exaggerate—that there would have been no conviction if not for the availability of this kind of activity. At the time of each of those cases, the activity was nothing like as well-controlled or scrutinised as is proposed in the Bill. The sort of activity that I am describing can and has been used to catch murderers, paedophiles and money launderers as well as terrorists. It is a necessary tool of a responsible state.
The issue is whether the Bill allows this information to be obtained in a responsible way by the state. I believe the Government have gone a very long way to ensure that everybody can be confident that in future such material will be obtained by a responsible state and that these clauses are a necessary part of that activity.
My Lords, I rise to speak to Amendments 100C, 100D and 100E which have been very ably explained by my noble friend Lord Paddick.
When vague and non-specific legislation comes before us, it is perhaps because its authors are unable to be more precise because they have not thought it through or because they choose to not share the details with us. Whichever reason applies in the case of the request filter, there is no doubt that Clauses 64, 65 and 66 are notable more for what they do not say than for what they do. Despite the best efforts of both the Joint Committees on which I had the privilege of sitting—the one on this Bill and the one that examined the draft Communications Data Bill in 2012, in which the request filter first appeared—we are none the wiser about the request filter architecture, how it will work, who will develop it and who will operate it.
We have only to look at an obscure section in an elderly piece of legislation—the Telecommunications Act 1984—to see how overbroad drafting can lead to unintended consequences. Years ago, Section 94 of that Act was used by the Home Office secretly to create a brand new, highly intrusive power—namely, bulk acquisition of communications data—which the Government, to their credit, are now bringing in from the cold in this Bill. For a long time, however, the existence and use of this power carried on without the approval, or even the knowledge, of Parliament. Quite by chance, just a few hours ago, the Investigatory Powers Tribunal ruled that this very powerful secret power of bulk acquisition of communications data, which was created out of that vague section in the Telecommunications Act 1984, has been used illegally by the intelligence and security services for 10 years. We must guard against carelessly passing clauses so vague as to be open to misuse.
As for the concept behind the request filter, it is described by the Home Office as a safeguard, designed to reduce the collateral intrusion produced in searching for small, specific information in a large dataset. Although this is true, the request filter would also allow automated complex searches across retained data from all telecommunications operators. This has the potential for population profiling and composite fishing trips. It is bulk data surveillance without the bulk label, and without any judicial authorisation whatever. The Food Standards Agency, for example, as has already been mentioned, will be able to authorise itself to cross reference your internet history with your mobile phone location and landline phone calls, and search and compare millions of other people’s records too.
The Government like to reassure those who are very concerned about the bulk collection of every citizen’s personal data that the vast majority of them will never be used. But the request filter shoots down in flames the entire notion of passive retained records that will lie unexamined. Totally innocent people’s communications history will be repeatedly used and processed by the request filter. Furthermore, that private data, and the request filter itself, will be vulnerable to attack and theft by bad actors of all kinds. The request filter in the wrong hands would be a devastating security risk for individuals and for large organisations, including government.
Before the Minister seeks to reassure the House that such illicit access to the request filter technology would be impossible, I would point out that just 12 days ago a gentleman by the name of Harold Thomas Martin III was charged with theft of US government property and hoarding it at his house for 10 years. Mr Martin is a contractor with a very high security clearance working for the National Security Agency, which is the equivalent in the States of GCHQ. The government property in question includes top-secret hacking tools used by the NSA to infiltrate computers, networks and phones worldwide, which were recently published on the internet and are now available to hackers worldwide. A similar breach of security is very possible in the case of the request filter and is made much more likely by the attractiveness of the data for criminal or espionage purposes.
In summary, the request filter in the Bill is so vague and unspecified as to be a blank cheque for officials to fill in later if they wish. There are virtually no controls over how it would be used and who can use it. It will create a federated database about every citizen in the UK, and its existence will attract probably successful attempts to gain control of it by all sorts of people who would do us harm. Clauses 64, 65 and 66, which create the request filter, should be left out of the Bill. If the Government wish to make a case for this power, they should come back to Parliament in the future when it is a properly designed and specified power with proper controls on its use and a proper operational case to support it.
My Lords, I hesitate to enter the debate on the Bill at this stage because I have not been involved until now, but as I listened, I compared this in my mind with what occurred in Northern Ireland over 40 years of terrorism. I cannot support this amendment for the very reasons given by the noble Lord, Lord Carlile.
During the Troubles in Northern Ireland, when nothing was on the internet because it did not exist, every bit of information was in hard copy or personal contact. We in the security forces had the right to look at every single bit of information on a person, in their car or indeed in their home if we entered it for a specific reason. That information was held for a very long time. It is amazing how much of it, how many little bits of information, one day tied up with something else and became of extreme interest. Noble Lords who are aware of what happened in Northern Ireland, especially the noble Lord, Lord King, will support the fact that in many cases people’s lives—including in part, I have to say, my own—were protected by snippets of information that at the time were of no particular value and were simply filed away, because they led to associations between people or to intelligence that people were passing to each other. Anyone who has been near to a bomb in Northern Ireland will understand that it is worth while attempting to save people’s lives by the best method.
I have followed the Bill from the point of view of the restrictions on holding information. I do not support the tightness of that; our problems went on for 40 years but the problems that this country is facing at the moment are relatively short-lived. We must create the right security environment by allowing people to get information, which is no longer held in hard copy, on cigarette packets or bits of paper in their homes but is now on the internet. People involved in terrorism or civil crime, including paedophilia, are going to areas either that we cannot get to or where we are wilfully restricting our access to what amounts to very important intelligence.
I apologise again for entering proceedings at this stage, but I could not support such an amendment that would yet again restrict our Security Service and police from gaining and keeping intelligence that one day might be vital to any one of your Lordships. I know these matters seem a long way away when they are outside, in different cities or different parts of the country. If noble Lords lived in Northern Ireland, they would understand how important it is that some sort of connection is kept with leads about what is going on. That information is not in hard copy but up there in the cloud, and while we stay down here we are not going to get it.
My Lords, I oppose the amendment, purely from a position of practicality. I have an interest as chief executive of TalkTalk, one of the communications service providers. If we are to legislate to create a tool to be used, it needs to be effective. My business involves consuming large amounts of data and trying to analyse them, and you cannot do that without a filter. There are other elements of the Bill on which we can debate whether we have the appropriate legal checks and balances, and I defer to the many noble and learned Lords in this House who are debating them, but surely it cannot make sense to withdraw completely the tool that would make those checks and balances effective.
My Lords, I support Amendments 100C, 100D and 100E. I am not at all naive about the threats that are faced by this country and the need to provide the tools to the security forces to deal with them. However, as the Independent Reviewer of Terrorism Legislation has made clear, the fact that powers might be useful is not in itself a justification for granting such powers; they must be proportionate, properly scrutinised and properly constrained. I agree with my noble friend Lord Paddick that the phrase “request filter” has a benign ring to it that is perhaps lulling some of us into a false understanding of what it is really about.
As my noble friend recalled, when we discussed this matter previously, the noble and learned Lord, Lord Keen, disputed the idea that the request filter would create a virtual database. He seemed to suggest that it cannot be described as a database simply on the grounds that the data will not be held by the Government. The data accessed by the request filter will be held by commercial entities, not by the Government, that is true, but it will be held on the instruction of the Government in the form that the Government determine, and it will be accessible by agencies of the Government by a means that the Government will determine. I make no claim to be an etymologist, but that seems to me pretty much the definition of a virtual database.
The House may wonder why the Government are going to such an effort to make this distinction between a database and a request filter, when it seems self-evident that they are effectively one and the same. The reason is simple: because they do not want people to realise that they are in the process of legislating into existence the power to create a vast virtual database of information on every person in this country.
As my noble friend mentioned, the Joint Committee on the draft Communications Data Bill stated at paragraph 113 of its report, which dealt with the request filter:
“The difference is that instead of one database there are many and they are privately owned. Although they are privately owned the Government can stipulate what should be held on them, for how long, and in what format it should be supplied. The differences therefore are not as great as the Home Office suggests”.
As my noble friend said, it concluded that,
“the Request Filter can be equated to a federated database”—
a database which will be accessible not only to the security services in the tireless work that they do on our behalf to keep us safe from terrorism, law enforcement authorities in their vital work tackling serious crime, or the police in dealing with crime in general. As my noble friends have said and the Government have confirmed, this vast, federated database will be available to all public authorities to assist in obtaining the communications data that they are permitted to use, subject to individual authorisation.
I do not think that the public have any idea of the sweeping powers that we are contemplating granting to the Secretary of State to establish this vast virtual database. I imagine that they will be horrified when they do, just as they were by proposals of previous Governments to create national databases, before this Government cleverly came up with a new name for it that sounds so eminently and hypnotically reasonable, but is as far from describing what it actually is as it is possible to conceive.
I hope that this House will not allow itself to be misled by the Government’s creative use of the English language, but, rather, aware of the practical reality of what is being proposed, will support the amendments in the names of my noble friends.
My Lords, we do not share the major concerns expressed in support of the amendment, in view of the Bill’s provisions. As I understand it, neither did the committees which considered the Bill, including the Joint Scrutiny Committee on the draft Bill. There are also downsides which would arise from the amendment, to which reference has already been made.
In Committee, we asked the Government to clarify that the general provisions in relation to privacy in Clause 2 affected every power in the Bill, in the light of the letter written by the noble Earl, Lord Howe, to me on 14 July stating that the new overarching privacy clause set out the privacy obligations which constrain the use of the powers in the Bill—which therefore must include necessity, proportionality and the protection of privacy. In their response, the Government confirmed that that was the case. For those reasons, we will oppose the amendment.
My Lords, I feel that I have to begin by saying to the noble Lord, Lord Paddick, that he has got this one wrong—indeed, very wrong. I am grateful to the noble Lord, Lord Carlile, the noble Viscount, Lord Brookeborough, my noble friend Lady Harding and the noble Lord, Lord Rosser, for the contributions that they have made.
The amendments seek to remove Clauses 64, 65 and 66 from the Bill, which provide that the Secretary of State may establish, maintain and operate filtering arrangements for communications data—colloquially referred to as the “request filter”—and detail the appropriate safeguards and restrictions around its use. Throughout the passage of the Bill we have repeatedly highlighted the many misconceptions and misrepresentations around the filtering arrangements, and we have demonstrated how the provisions in fact provide an important safeguard in the acquisition of communications data. It is therefore perplexing that the noble Lord, Lord Paddick, has given notice that he remains opposed to the clauses providing for the filtering arrangements to stand part of the Bill. It may therefore be helpful if I set out again what the filtering arrangements will actually do and not do.
Public authorities currently need to receive all the communications data disclosed by communications service providers in response to specific requests. In certain circumstances this amounts to more data—sometimes much more data—than are relevant to their investigation, and they will then need to determine which specific pieces of communications data are relevant. Perhaps I could illustrate with an example. The police may need to make a complex query, such as asking multiple communications service providers for data to identify an unknown person who is suspected of having committed a crime, such as armed robbery, at three different places at different times. Currently, public authorities might approach communications service providers for location data to identify all the mobile phones used in those three locations at the relevant times to determine whether a particular phone and a particular individual is linked to the three offences. This means that the public authority may acquire a significant amount of data relating to people who are not of interest but who just happened to be in the location at the time of the robbery.
The significance of the request filter is that, when a police force makes such a request, they will see only the data that they need to. Any irrelevant data about people who are not suspects will be deleted and not made available to the public authority. That is why I maintain that the filter acts as a vital safeguard, protecting privacy by ensuring that the police see only the data they need to. These amendments would remove that important safeguard—so it is perplexing, as I say, that the noble Lord wishes to do this.
To further reassure the House, I remind noble Lords of what the Joint Scrutiny Committee on the draft Bill stated about the filtering arrangements. It stated:
“We welcome the Government’s proposal to build and operate a Request Filter to reduce the amount of potentially intrusive data that is made available to applicants”.
The Joint Committee believed that the requirement upon law enforcement to state the operational purpose of accessing data through the filter and the oversight of the Investigatory Powers Commissioner will ensure the appropriate use of the filter.
The noble Lord, Lord Paddick, said that the Bill provided for unfettered access to private and confidential information. But access is not unfettered—and nor does the Bill permit fishing expeditions, as the noble Lord, Lord Carlile, rightly emphasised. The filtering arrangements can operate only in response to a specific, necessary and proportionate authorisation for the acquisition of communications data. That request must already have gone through all the existing communications data safeguards, such as authorisation by a designated senior officer of a rank specified by Parliament, who must be independent of the investigation.
I noted with some dismay the aspersions cast by the noble Lord on the likely integrity of those individuals actually retrieving the data—including, to my surprise, the integrity of the police. I am pretty shocked by the language that he used. The noble Lord also described the filter as a “database”. A database has to contain data. The filter will not hold any communications data. Once a request has been processed by the filter, any data—that is to say, all data—will be discarded. I hope that that does clear some of the fog.
The request filter will act as an important safeguard. It will ensure that police officers and others will see only the information they really need to in those cases where it is used. Accordingly, I respectfully request that the noble Lord, Lord Paddick, withdraws his amendment.
I thank the Minister for his remarks, and other noble Lords who have contributed. I acknowledge the great experience of my noble friend Lord Carlile of Berriew both as a lawyer and as a former Independent Reviewer of Terrorism Legislation. However, it is clearly untrue for him to say that, in his judgment, excluding the request filter from the Bill would reduce the capacity of the authorities to investigate cases. The request filter does not exist at the moment, so it cannot possibly reduce the capacity. It may restrict the capacity of the agencies in the future, but it will certainly not reduce it, because the authorities do not have a request filter at the moment. The “monster” that I alluded to is nothing other than the mechanism—the request filter—that these clauses and this amendment are all about.
My noble friend described two murder cases where convictions could not have happened were it not for the sort of data that we are talking about here. Those two convictions were obtained in the absence of a request filter, because the filter does not exist. So it is clearly nonsense for my noble friend to say that excluding the request filter from the Bill was likely to have impacted on convictions that relied on something that does not even exist at the moment.
I acknowledge the experience of the noble Viscount, Lord Brookeborough, in Northern Ireland. As the Minister said, this is not a database. It is not intelligence information that is gathered and stored. It is a mechanism—a piece of kit, if you will—that reaches out into databases held by private companies, such as the internet service provider led by the noble Baroness, Lady Harding of Winscombe, retrieves data and brings it back. As the noble Earl said, it is not about a real database but a virtual or federated one. In other words, the tool will effectively act as a database rather than being an actual one. I am sorry that, in the number of times that I have used this expression—at Second Reading, in Committee and now on Report—I have not been able to get my message across about the difference between a virtual database and a real one. But I think that it is time I stopped flogging that horse.
The noble Lord, Lord Rosser, is reassured that Clause 2, the overarching privacy clause, applies to every power in the Bill. This is not a power: it is a piece of kit, a search engine. The Government have said nothing in their response to this amendment to reassure us that Clause 2 applies to this, because it is not actually a power. The Minister used the example which I spoke to, almost exactly, when I moved the amendment. To use his word, it is “perplexing” that the noble Earl did not hear my objections to that as a good example.
The unfettered access that I am talking about is not unfettered access to data by the police and the security services, and I never suggested that it was—but there will be unfettered access by those who operate the request filter because the request filter will have direct access to the databases operated by the communications providers. So I am not saying that there would be unfettered access to data by the police and security services; what I am saying is that government officials, or those acting on behalf of the Secretary of State, would have unfettered access to these databases were the request filter to come into existence. So I, too, am perplexed that the Government have not responded positively to this amendment and I wish to test the opinion of the House.
17 October 2016
Division on Amendment 100C
Amendment 100C disagreed.View Details
Clause 65: Use of filtering arrangements in pursuance of an authorisation
Amendment 100D not moved.
Clause 66: Duties in connection with operation of filtering arrangements
Amendment 100E not moved.
Schedule 4: Relevant public authorities and designated senior officers
Amendments 101 to 103
101: Schedule 4, page 222, line 16, leave out “and” and insert “or”
102: Schedule 4, page 222, line 19, at end insert—
“Department for Communities in Northern Ireland Deputy Principal All (b)”
“Department for Communities in Northern Ireland
103: Schedule 4, page 223, line 10, leave out “Investigations” and insert “Operations”
Amendments 101 to 103 agreed.
Clause 71: Requirement to be party to collaboration agreement
Amendments 104 and 105
104: Clause 71, page 57, line 1, leave out first “a” and insert “the”
105: Clause 71, page 57, line 2, after “agreement” insert “with the result that officers of the local authority are permitted to be granted authorisations by a designated senior officer of a subscribing authority”
Amendments 104 and 105 agreed.
Clause 73: Use of a single point of contact
106: Clause 73, page 58, line 44, at end insert—
“( ) Nothing in this section prevents a person acting as a single point of contact from also applying for, or being granted, an authorisation or, in the case of a designated senior officer, granting an authorisation.”
Amendment 106 agreed.
Amendment 107 not moved.
Clause 74: Commissioner approval for authorisations to identify or confirm journalistic sources
108: Clause 74, page 59, line 35, leave out subsection (8)
Amendment 108 agreed.
Clause 75: Collaboration agreements
109: Clause 75, page 60, line 25, at end insert—
“( ) this Part has effect as if the designated senior officer of the supplying authority had the power to grant an authorisation to officers of the subscribing authority, and had other functions in relation to the authorisation, which were the same as (and subject to no greater or lesser restrictions than) the power and other functions which the designated senior officer of the subscribing authority who would otherwise have dealt with the authorisation would have had, and( ) section 72(1) applies to the authorisation as if it were granted by a designated senior officer of the subscribing authority.”
Amendment 109 agreed.
Clause 77: Police collaboration agreements
Amendments 110 to 114
110: Clause 77, page 61, line 24, after “agreement” insert “for the purposes of a collaborating police force’s functions under this Part”
111: Clause 77, page 61, line 27, leave out “a” and insert “the”
112: Clause 77, page 61, line 29, leave out second “a” and insert “the”
113: Clause 77, page 61, line 30, leave out “a” and insert “the”
114: Clause 77, page 61, line 46, at end insert—
“(c) this Part has effect as if the designated senior officer of force 1 had the power to grant an authorisation to officers of the collaborating police force, and had other functions in relation to the authorisation, which were the same as (and subject to no greater or lesser restrictions than) the power and other functions which the designated senior officer of the collaborating police force who would otherwise have dealt with the authorisation would have had.”
Amendments 110 to 114 agreed.
Clause 84: Powers to require retention of certain data
115: Clause 84, page 66, line 5, after “notice”)” insert “and subject as follows,”
My Lords in moving this amendment I will speak to the other amendment in this group. They provide for the introduction of judicial approval for data retention notices given under Part 4 of the Bill. This is an important new safeguard. It means that such notices given, authorised or varied by the Secretary of State, including those requiring the retention of internet connection records, will in future also require the approval of a judicial commissioner.
The Secretary of State must already consider whether it is necessary and proportionate to issue a data retention notice to a telecommunications operator. This amendment would mean in future that the decision to give a notice would be reviewed by a Judicial Commissioner, in line with the authorisation procedures for other powers in the Bill. I hope that the House will welcome this additional safeguard and, accordingly, I beg to move.
My Lords, we take this opportunity to thank the Government for listening to us, to the service providers and, in this case, also to the human rights monitors—everyone is in agreement. We are happy to support the amendments.
Amendment 115 agreed.
Amendments 116 and 117
116: Clause 84, page 66, line 6, after “if” insert “—
117: Clause 84, page 66, line 9, at end insert “, and
(b) the decision to give the notice has been approved by a Judicial Commissioner.”
Amendments 116 and 117 agreed.
Amendment 117A not moved.
117B: Clause 84, page 66, line 18, at end insert—
“( ) A retention notice may not require a telecommunications operator to retain or disclose third party data unless the operator retains it for its own business purposes.( ) In this section “third party data” means communications data processed by the operator for the purposes of routing communications within an electronic communications network.”
My Lords, Amendment 117B is grouped with government Amendments 118 and 130. It aims at the same thing, but I think that the Government’s aim is better than ours in Amendment 117B. The amendments are about the retention of third-party data, so in order to move the business on we are very happy to support the government amendments in this group. I beg to move.
My Lords, I do not understand why the noble Baroness wishes to insist on Amendment 117B.
Sorry, I am getting a great deal of advice from around the Chamber, and it is all immensely helpful.
Perhaps I may explain the purpose of government Amendments 118 and 130. As I said in Committee, we have been making good progress on drafting a clause that could put into the Bill the Government’s clear commitment that we will not require a telecommunications operator to retain third-party data.
It is important to be clear exactly what we are referring to as third-party data. Where one telecommunications operator is able to see the communications data in relation to applications or services running over its network but where it does not use or retain that data for any purpose, then it is regarded as third-party data. For example, if you use an internet access provider such as a home broadband provider to use the internet to log into a separate email provider in order to send an email, the broadband service might be able to see your access communications data in relation to the email service. If that information was not used or retained for any purpose by the broadband provider, the data would be considered to be third-party data.
I am pleased to say that we have now produced a clause that prohibits the retention of third-party data. We have tested this drafting with operational partners and with those telecommunications operators likely to be affected by the legislation and we are confident that it delivers the desired effect. That being so, the Bill essentially replicates the current position in RIPA, which is that data that already exist and could save a life or convict a criminal and so on can be accessed, but we are not insisting that data should be retained.
In these circumstances and in light of the opening observations by the noble Baroness, I commend government Amendments 118 and 130 in the event that we proceed.
I am sorry to have confused the noble and learned Lord. I was simply trying to explain that we are seeking to achieve the same thing, but that the Government have done better than we have. I beg leave to withdraw the amendment.
Amendment 117B withdrawn.
118: Clause 84, page 66, line 29, at end insert—
“(3A) A retention notice must not require an operator who controls or provides a telecommunication system (“the system operator”) to retain data which—(a) relates to the use of a telecommunications service provided by another telecommunications operator in relation to that system,(b) is (or is capable of being) processed by the system operator as a result of being comprised in, included as part of, attached to or logically associated with a communication transmitted by means of the system as a result of the use mentioned in paragraph (a),(c) is not needed by the system operator for the functioning of the system in relation to that communication, and(d) is not retained or used by the system operator for any other lawful purpose,and which it is reasonably practicable to separate from other data which is subject to the notice.”
Amendment 118 agreed.
118A: Clause 84, page 67, line 26, leave out “therefore includes, in particular,” and insert “does not include”
My Lords, the effect of Amendment 118A, tabled in my name and that of my noble friend Lady Hamwee, would be to remove internet connection records from any notice requiring the retention of communications data by telecommunications operators.
It is important to look back over the history of internet connection records. The initial argument put forward by the Government and law enforcement agencies was that, with so many communications now being via the internet rather than via fixed line or cellular communication, it was essential to keep a record of every attempt to access the internet by everyone in the UK in the past 12 months, so that the same data that are currently available from an itemised phone bill—the who called who from where and when—would also be available if someone used the internet to communicate instead. If that is what ICRs were, and if ICRs provided that information, we might be more relaxed about them, but the parallel with itemised phone bills is clearly false. After the Joint Committee’s scrutiny of the Bill, the Government acknowledged that they wanted more than just the itemised phone bill data. They wanted to be able to see, for example, whether a suspected terrorist had accessed a travel agent’s website or a paedophile a particular file-sharing website.
Noble Lords will be relieved to hear that I do not intend to go over every objection to internet connection records—we would be here until the early hours if I did. Let us look just at itemised phone bill data. My internet connection records will show that about 10 different apps on my mobile phone that I can use to communicate with other people, including my Facebook app, my WhatsApp and iMessenger apps—which are end-to-end encrypted messaging apps—my Facebook Messenger app and my Twitter app, are all connected to the internet all the time. There will be no ICR data that tell law enforcement agencies where I was at a particular time, whom I was communicating with or whether I was communicating with anyone at all while these apps were connected to the internet.
If I was communicating with someone, the ICR data would contain no information about when I was communicating. Even if I was a simple soul and communicated using only WhatsApp, law enforcement would not be able to go to WhatsApp and say, “On this day and at this time, he was using WhatsApp. Who was he communicating with?” That is because the app is connected to the internet all the time and they would not be able to narrow it down to a particular date and time from the ICR data. They would have to ask for all my communications data over an extended period—an enormous volume of data that WhatsApp might consider a disproportionate request, save in the most serious cases.
Knowing someone’s internet connection records is just the start of the problems facing law enforcement agencies. I have another app on my phone. It is a virtual private network app. This app allows me to traffic all my connections to the internet through one secure server. If I engage it, my internet connection records will not show anything other than connection to the VPN server. Choose a VPN service provider whose server is in a non-co-operative foreign country and law enforcement will not be able to find out what connections have been made through the VPN server.
My point is that ICRs do not give law enforcement agencies the equivalent of itemised phone bill data. The agencies would have to go to each communications platform operator, most of whom are in the United States of America, and ask them for more information. They might not be inclined to give up those data except in very serious cases. If one simply used a VPN, law enforcement would not know to which operator to go to ask for more data. Even if it did, it would have to ask for vast quantities of data that would be difficult to process—and, in any event, the overseas operator would be likely to say that the request was disproportionate and refuse to hand over the data.
Noble Lords will notice that I keep emphasising law enforcement and serious cases. In cases of serious crime, including child sexual exploitation, GCHQ can assist law enforcement agencies. In a case affecting national security, agents representing MI5 have told me, face to face, that they do not need or want internet connection records; agents representing MI6 have told me face to face that they do not need or want internet connection record; and agents representing GCHQ have told me face to face that they do not need or want internet connection records.
If we strip away criminals who will soon get wise and use VPNs, if we strip away crimes that are not considered by US operators to be serious enough to hand over the data and if we strip away crimes that are so serious that GCHQ’s help can be sought—GCHQ can secure the necessary data without the need to store ICRs—we are left with very little. For that very little gain, everyone in the UK’s web histories will be stored for 12 months at enormous cost, and with enormous potential for intrusion into privacy and enormous risk of vast quantities of sensitive personal information being hacked into by criminals and hostile foreign Governments. The only valid conclusion anyone can come to in such circumstances is that the storage for 12 months of everyone’s ICRs is both unnecessary and disproportionate.
Some people will say, “That’s all well and good, but GCHQ cannot produce intelligence that can be given in evidence in court. Law enforcement needs evidence”. Some intelligence produced by GCHQ can be given in court, has been given in court and will continue to be given in court—intercept evidence being the exception, along with intelligence that might risk national security—but by no means all. We have no objection to internet connection records being retained and examined from the moment intelligence shows that there is a reasonable cause to suspect the subject of being involved in serious crime or terrorism, to make sure that the evidence that is needed for court is available. That would be proportionate.
I understand that many noble Lords do not understand, and feel that they do not need to understand, the technical detail; they would rather rely on the pre-legislative scrutiny, as the Minister did in response to our amendment on this issue in Committee. I remind the House that the Joint Committee said this about ICRs:
“While we recognise that ICRs could prove a desirable tool for law enforcement agencies, the Government must address the significant concerns outlined by our witnesses if their inclusion within the Bill is to command the necessary support”.
To those noble Lords relying on pre-legislative scrutiny, I would highlight that,
“could prove a desirable tool for law enforcement agencies”,
is not the level of proof we should be requiring here. “ICRs have proved to be essential to defeat serious crime and secure national security” is what we should be looking for.
The Joint Committee said that,
“the Government must address the significant concerns outlined by our witnesses”.
The Government have not addressed those concerns. I do not believe that detailed arguments that clearly demonstrate the futility of such a provision should simply be swept aside by saying, “Well, you may not understand this stuff, and I certainly don’t, but I think that you should abide by the pre-legislative scrutiny. Others have looked at it, they say it is okay, so it should be okay with you”. I am asking fundamental questions that raise serious doubts about the practicality of what is being proposed here—and unless the Minister can answer them we will not support this provision.
Fear not, though; noble Lords are not alone. When I asked a former GCHQ chief whether ICRs would work in practice, he said, “I don’t know but that shouldn’t stop us trying”. That simply is not good enough. There are numerous other technical issues that I could raise about ICRs giving false positives that show ICRs to websites that the individual is completely unaware his computer is accessing, for example. Or I could cite the experience of Denmark, where attempts to introduce such measures have failed. I could ask why no other European Union or Five Eyes country has such a facility. I could raise the fact that David Anderson’s conclusion was that such provisions would be ruled unconstitutional in both Canada and the United States of America. This is a classic case of, “This looks like a good idea”, where the consequences have not been properly thought through. I beg to move.
My Lords, I am sure that the entire House is grateful to the noble Lord, Lord Paddick, for giving us a comprehensive list of ways in which we can try to keep our communications secret and away from prying eyes. I am sure that every Member of the House is grateful for that tutorial, but the noble Lord does rather elide the question of those people who perhaps have not had the benefit of his tutorial. I realise that the whole world of terrorism and organised crime is listening with intent to every word that he says on these matters, but there will be such. He gave a specific example, saying that communications data in the past would have demonstrated that X had contact at a travel agent. When I book train tickets, I usually do not use WhatsApp or a VPN—I simply go online and connect to the relevant train company. So if somebody wanted to find out whether I had been booking a train ticket, my internet connection record would provide that information. I therefore do not quite understand the argument that, because there are ways that you can avoid the state knowing what you have done if you are really determined, you should therefore prevent it knowing what you have done if you are not really determined.
My understanding is that not all terrorists and not all organised criminals are terribly good with this stuff—that they make mistakes—so the horrifying consequences that the noble Lord describes therefore might not actually occur, and instead, a lot of very nasty people will be caught, because they do not have the noble Lord’s encyclopaedic grasp of ways of keeping communications secret.
Amendment 118A seeks to prevent the creation and collection of internet connection records. My noble friend Lord Paddick has explained why ICRs are of little security value, and that they would be very difficult and expensive to collect and make use of. The only democracy to try was Denmark, which gave up after years of fruitless effort. It tried again at the beginning of this year with a project almost identical to the one planned by the Home Office, but quickly abandoned it when independent auditors confirmed that it would be prohibitively expensive.
I wish to draw the House’s attention to two other serious drawbacks that would arise from creating and storing internet connection records. The first is the serious impact on the privacy of every user of the internet in this country. We must remember that internet connection records do not currently exist, and until quite recently—say, 25 years ago—all the electronic data that would have to be collected together to create ICRs did not exist, either. In those days, our private interactions with those close to us left no trace. A conversation over lunch, a cash purchase at a shop, a visit to a library to do some research, attendance at a political meeting, a romantic assignation—all left no record of having happened. They were ephemeral. What happened between your four walls was between you and your God.
Fast forward to today, and we find that all the interactions I have just mentioned now leave an electronic trail behind them. A combination of credit card records, location services on our phones, our emails and text messages and records of every website we visit will give the whole game away—including the identity of whom we met at our assignation. If internet connection records are created and kept by our service provider, all these electronic trails will be available to hundreds of public authorities, not just the police and security services, on demand and simply by self-authorisation.
The Government have given this data the name “internet connection records”, which is technically accurate, but what they really are is private activity records: a log of everything we do and when and where we do it. The problem is not that the surveillance can occur at all, but that it happens indiscriminately to all of us, all the time. My second topic is the ironic fact that ICRs will actually reduce our security, rather than improve it, because of the virtual certainty of thefts of some of that private and personal data about every internet user in the country. If you do not believe me, consider just a few of the thousands—and I mean thousands—of recent data thefts from high-security establishments. I mentioned in Committee that SWIFT, the fulcrum of the global financial payments system, has had $81 million stolen from it by hackers. Last week, it emerged that it has been penetrated a second time. A gang of five eastern Europeans is believed to be behind the theft of 3 billion sets of customer data worldwide from many of the world’s leading tech companies, including the data of 500 million Yahoo! customers. As I mentioned earlier, powerful hacking tools belonging to the NSA, the American equivalent of GCHQ, suddenly appeared on the internet in August having been stolen from it, and two Israelis and an American stole 100 million people’s records from 12 US financial institutions. Those are just a few examples—as I say, there are many more—of thefts from sites which, dare I say it, were seemingly far more secure than those of UK service providers.
Internet connection records, or private activity records, will be stolen and the consequences will range from embarrassment to blackmail and fraud for the unfortunate victims. In the case of people in positions of responsibility, including government officials, the consequences could be catastrophic. Far from making us safer, ICRs would compromise our security and, as I have explained, seriously intrude on our citizens’ privacy. We should have nothing to do with them.
My Lords, I rise to speak against this amendment. As the chief executive of a telecoms company, I clearly cannot profess a lack of understanding of the technology. I am a little confused by noble Lords’ concern that internet connection records can be got round and are not perfect because telephony is exactly the same. If I make a telephone call and am really smart, I know how to make sure that you do not know what number or where in the world I am calling from. Without needing to be that smart, I can buy a temporary SIM card and throw the phone away as soon as I have made the call. Organised crime and nation states have been able to use plenty of ways to obfuscate the existing ability for us to track telephony. That does not mean we think it a bad idea to be able to track people’s telephone calls.
I argue that exactly the same is true of internet connection records and their use by law enforcement agencies. It would not be perfect; no piece of technology ever is. It needs very careful scrutiny, which the Bill has had in both Houses. But I want to live in not just a civilised physical world but a civilised digital world, and when all our law enforcement agencies say that their ability to hunt down criminals is seriously hampered by the world moving to the digital space, we should take that very seriously and make sure that we arm them with the best possible tools. I believe that access to internet connection records is practically possible and desirable to create a civilised digital world.
Briefly, this brings up the principle of what society is prepared to sacrifice—in this case, a little privacy—to get what it needs to fight criminals and terrorism. I am sorry to go back to Northern Ireland but everybody was stopped daily and their lives were infringed on the whole time there. But they were happy enough because the fight, which was against terrorism in our case, was succeeding. By the end, 95% of all incidents planned by the IRA never took place because of intelligence activity. We know that it is intrusive to do this but if we had stopped stopping cars, when 99.9% of those cars held the innocent and the unassociated, it would have enabled those we were up against to operate freely across everything. The very fact that people were prepared to sacrifice some of their freedom meant that it was more difficult for those who wanted to kill, maim and commit crimes. If we do not push them out of normal day-to-day activity into the more complicated part, we will never succeed in fighting them.
My Lords, I will not detain the House too long and certainly do not want to repeat all the eloquent arguments that my noble friend Lord Paddick has outlined on this matter. I want to say two things about the previous two interventions. The utility issue—the fact that people may be prepared to give up their liberties—does not necessarily come into play here. I do not think that the vast majority of people have any idea whatever of what the Government are planning. I do not think they have any idea that regardless of whether they are regarded as innocent, suspect or anything else, every single person’s website visits will be held on databases on the instruction of the Government. Nobody is aware of that. They are not making a decision about whether they are prepared to accept that infringement, and I think they will be horrified when they understand it.
A number of noble Lords have said that the fact that the law can be evaded is not a reason not to have a law. If a law can easily be evaded and that law requires a massive invasion of the privacy of people throughout this country, that has to be weighed in the balance. It has to be taken very seriously.
We have to be clear about what is proposed. The Government intend to take the power to compel the creation of databases of every single website that every single person in this country visits over a 12-month period. That is a huge amount of data, and it puts a vast amount of power in the hands of the Government. More to the point, it is a vast amount of power in the hands of whoever might manage to hack those databases. This is not some vague threat made up or exaggerated by opponents of these ICR powers to make a point. It is a real and present danger and a massive threat to the privacy and security of every single person in this country. We are all aware of the spate of state-sponsored and other hacking that has been taking place in the United States and elsewhere around the world. Every day, systems come under serious attack and none is entirely immune. If the US Pentagon can be hacked, then who on the Government Front Bench can say hand on heart that this vast new store of information that the Government are demanding be created cannot be hacked?
When I talk to people around the country about the powers that the Government are proposing to take in relation to ICRs they are almost universally shocked. They do not have any faith that such data will be held securely, and they cannot understand why the Government would put at risk their privacy and security unless holding such information was critical to the prosecution of the most serious crimes. As my noble friend Lord Paddick has pointed out, the security and intelligence agencies have consistently been clear that they do not need ICRs. There are very simple ways to evade the collection of ICRs, so those committing serious crimes are unlikely to be troubled. The strongest case cited for these powers is in relation to identifying and prosecuting paedophiles, and there is no doubt we should listen and consider this case very carefully because the protection of children from such people must be regarded as an absolute priority for every one of us. However, as my noble friend Lord Paddick has pointed out, in those serious crimes, including child exploitation, GCHQ can assist law enforcement and there is a joint unit for those purposes. Perhaps more to the point, the sort of people involved in the criminal activities we are discussing would easily be able to avoid their ICRs being captured.
The power the Government are claiming is extraordinary. It is a power that none of the other “Five Eyes” countries has. Indeed, to my knowledge, no even nominally democratic Government in the world have it. It is such an extraordinary power that my noble friend Lord Carlile, who is unfortunately no longer in his place and who is no slouch on counter- terrorism measures, wrote an article in the Mail on Sunday on 26 May 2013:
“I, Lord Reid, Lord West and others of like mind have never favoured the recording of every website visited by every internet user, though we have been accused of that ambition”.
Granting the Government a power to order the retention of the details of every website visited by every person in the country over a 12-month period will give us, at best, only false comfort. It may make some of us feel more secure, but it will not make us more secure. In fact, it will put at risk the security and privacy of every person in this country. I support the amendment in the names of my noble friends.
My Lords, I was a member of the Joint Committee conducting pre-legislative scrutiny of the Bill, along with the noble Lord, Lord Strasburger—I am not sure whether anyone else in the Chamber was. I remember a discussion which was genuinely open and uncertain about the practicality of this above all. The issue of privacy has been raised very powerfully by the noble Lord, Lord Oates, and others from the Liberal Democrat Benches. We thought at the end of the day that the whole Bill was about reaching a balance, with a degree of compromise over issues of privacy alongside the really quite robust safeguards which are in the Bill, such as the role of the judicial commissioners, as all set out in Clause 86. Our real issue was over practicality and cost. When the Minister comes to respond, it would be helpful if we could have a bit more guidance as to what this is going to cost. The cost will not fall on the companies; it will fall upon the Government, who will have to fund it.
However, we were persuaded that under Clause 84, the retention notice may be more specific than has been suggested in the speech from the Liberal Democrat Benches. It is not necessarily every connection to every website: the provision could be targeted to particular websites, for example, which is all set out in Clause 84. We should also emphasise that these records would not be of the content of what was happening: it would be where you had made contact, not the content of the connection as such. That is an important factor which has not been mentioned in the contributions.
That said, a representative from Denmark came and explained to us why the Danes had given up on this, simply on the grounds of cost and practicality. It is the practicalities that I would like to hear about most from the Minister when he speaks, alongside of course acknowledgement of the points that have been made by others in the debate.
My Lords, I did not intend to speak on this amendment, which I strongly support, so I will be brief. Even I understand the need to balance civil liberties and national security, but comparing this with stopping a few cars simply does not hold water and is not a comparison that we can make—and, personally, I am totally in favour of stopping cars, so that is not an issue.
It is almost as if the Government went to the intelligence and security services and said, “What do you want? What can you imagine wanting to keep us safe?”, and they came up with a huge list. It is like asking children what they want for Christmas: they want a huge list of things and it is not always good to give them everything they want. In this instance, it is certainly not good to give the intelligence services what they want. Indeed, they do not even want some of what the Government are offering them, so the Government have actually gone one step further and offered them more, which to me is totally counterintuitive.
There is also the issue of practicality. When you have this much information coming through, it is incredibly difficult to pick out the vital points and the important things. This could be counterproductive and make us less safe as a nation than we are already. I feel very strongly about this amendment and deeply regret that there is not more support in the House.
The effect of this amendment, as has been said, would be to leave out internet connection records from the definition of “relevant communications data” in Clause 84, which covers powers to require the retention of certain data. The Bill has had extensive pre-legislative scrutiny, including by a Joint Committee of both Houses, and we supported it at Third Reading in the Commons subject to, among other things, amendments being made which addressed the issue of access to internet connection records not being used in relation to minor crimes. Our amendment on the definition of “other relevant crime”, which raised the threshold from six months to 12 months, has been accepted by the Government. We will be opposing an amendment that now appears to weaken the effectiveness of the provisions relating to internet connection records, at least under Part 4 of the Bill, specifically Clause 84.
My Lords, the amendment would prevent the Government being able to require telecommunications operators to retain internet connection records. The noble Lord, Lord Paddick, tabled exactly the same amendment in Committee, and he will not be surprised to know that the Government still cannot support such an amendment. As the noble Lord, Lord Harris of Haringey, and the noble Baroness, Lady Harding, observed, these provisions may not give rise to a perfect system of record recovery but it is preferable to a dark hall where criminals move unseen and with impunity.
The noble Lord, Lord Paddick, talks of observations from the Security Service and the Secret Intelligence Service, but be it noted that it is not for them that these records are so essential; it is for the police forces and the enforcement agencies in respect of crime. I have spoken at length to the National Crime Agency, which has underlined to me the critical nature of these records now that telecommunications data are so often routed through the internet, not by means of normal telephony.
Earlier today this House recognised the importance of the use of internet connection records, subject to strict safeguards, as noted by the noble Lord, Lord Rosser. I do not think this House will want to prevent internet connection records being retained with the result that they are not available for any form of criminal investigation. Indeed, we have just discussed the government amendment to require judicial approval before a data retention notice can be given, which, as I said at the time, puts in place a significant new safeguard before a telecommunications operator can be required to retain the data.
There has been considerable debate on this topic, not just today but as the Bill has progressed through Parliament. However, in relation to this amendment, I should perhaps reiterate why internet connection records are so essential for law enforcement. As communications increasingly take place via the internet, information that used to be routinely available to law enforcement from telephone-based communications data is increasingly unavailable—for example, the identity of an individual suspected of sharing indecent images, or people with whom a missing person was last in contact. Internet connection records are essential because they will ensure that the type of communications data that were previously available to law enforcement will remain available in future, not perfectly but generally. It will help to ensure that terrorists and criminals cannot evade detection simply because they choose to communicate online.
The noble Lord, Lord Paddick, observed that there may be applications or social media apps on a device that maintain a persistent connection to a service. That is true, but even in such cases the relevant ICR will signpost the service access by the device, enabling a public authority to make further inquiries with the service provider, which is identified through the ICR. ICRs will allow law enforcement to approach online service providers to acquire communications data where it is known that a specific device has accessed their service. So it is not the case that simply because you have open or permanent connections, the use of ICRs is rendered useless; that is simply not accepted.
The alternatives available to the security and intelligence services are not available to the police, and certainly cannot be adduced in a court of law. The police can acquire communications data only on a case-by-case basis where necessary and proportionate, and where they have made strong operational cases as to why they need to retain these records. Equally, the intelligence agencies may acquire data only for their own statutory purposes, which are far narrower than the criminal types investigated by the police. It is also the case, as I mentioned before, that intercept material from the agencies may not be used as evidence in court, a position that has been upheld by numerous independent inquiries over the years, most recently by a panel of the Privy Council in 2014.
Giving evidence to the Public Bill Committee, the noble Lord, Lord Reid, and Charles Clarke, previous Home Secretaries, were asked whether ICRs were a key part of updating legislation to the current world, and they both definitely agreed. Indeed, one could go further. The noble Lord, Lord Paddick, alluded to the observations of the Joint Committee on the draft Bill. Let us look at its conclusion:
“on balance, there is a case for Internet Connection Records as an important tool for law enforcement”.
The Government recognise the sensitive nature of internet connection records, which is exactly why we had our earlier debate concerning the safeguards that must surround their recovery. The point has already been made that those records will not give access to the content, it is the record of connection that will be recovered.
I appreciate that the noble Lord, Lord Paddick, still has concerns about internet connection records, and I fear that nothing I say will convince him otherwise, but I again reassure him that we have all the right safeguards in place. Data can be retained only when necessary and proportionate and following authorisation and approval by the Secretary of State and a judicial commissioner. We have mechanisms in place to ensure that data are held securely, including audit by the Information Commissioner. Once the data are retained, they can be accessed only on a case-by-case basis, and only when judged necessary and proportionate by a senior officer at a rank specified by Parliament who is independent of any investigation being carried out. Strong judicial oversight will be provided by the Investigatory Powers Commissioner and, thanks to the changes made by this House, internet connection records cannot be acquired for minor offences, an amendment we discussed earlier.
In summary, internet connection records are a vital power. As to their cost, I believe that the figure given at a previous stage was £174 million over a period of 10 years. That is a not inconsiderable sum, but a manageable figure in the context of what we face with police powers. Accordingly, I invite the noble Lord to withdraw the amendment.
My Lords, I am grateful to noble Lords who have contributed to this debate. Leaving his heavy sarcasm to one side, I must tell the noble Lord, Lord Harris of Haringey, that it is very easy to find out how to evade these measures. A simple Google search will tell a seven year-old all about VPNs; I am not giving away any trade secrets. He talked about terrorists and nasty people. If those nasty people are involved in serious crime or terrorism, the police and the National Crime Agency can enlist the help of GCHQ. Therefore, internet connection records will not be required.
I say to the noble Baroness, Lady Harding of Winscombe, that, yes, it is not a perfect system, but she is wrong to say that the security agencies say that it is people moving to communication via the internet that is making us less secure. Encryption is the real problem making us less secure. Why, otherwise, would GCHQ and the other security agencies say that they do not need internet connection records?
The noble Viscount, Lord Brookeborough, mentioned the vital question: is it reasonable, is it proportionate and where should the balance lie? However, as the right reverend Prelate the Bishop of Chester pointed out, there are other real questions which the noble and learned Lord failed to address about whether ICRs would in practice deliver what the law enforcement agencies want. My noble friend Lord Oates re-emphasised that this is a massive intrusion into privacy; that is why we oppose it. As he pointed out, in a child exploitation case, there is a joint operations unit between GCHQ and the National Crime Agency to deal with the issue.
Where I part company with the right reverend Prelate is on the suggestion that ICRs could be more targeted. There is nothing in the Bill to suggest that they will. On the content of websites, if someone accesses a domestic violence, gender reassignment or marriage guidance website, it is immediately apparent what they are looking into and it is a massive intrusion into privacy even if the record is only of the website they are looking at.
The noble and learned Lord has spoken to the National Crime Agency at length. I have been twice to the National Crime Agency, so I have spoken to it at length twice, and I still, as a former senior police officer, failed to be convinced.
I spent 30 years in the Metropolitan Police Service and ended up as a senior officer at Scotland Yard. If I thought that the balance here was right between invasion of privacy and the benefits that accrue to law enforcement, I would not be expressing these views.
I am a lousy politician. I cannot stand here and say things that I do not believe just because they are my party’s policy. I am opposing this because I genuinely oppose the disproportionate invasion of privacy that ICRs represent. That is why I wish to test the opinion of the House.
17 October 2016
Division on Amendment 118A
Amendment 118A disagreed.View Details
119: After Clause 85, insert the following new Clause—
“Approval of retention notices by Judicial Commissioners
(1) In deciding whether to approve a decision to give a retention notice, a Judicial Commissioner must review the Secretary of State’s conclusions as to whether the requirement to be imposed by the notice to retain relevant communications data is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (j) of section 58(7).(2) In doing so, the Judicial Commissioner must—(a) apply the same principles as would be applied by a court on an application for judicial review, and(b) consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).(3) Where a Judicial Commissioner refuses to approve a decision to give a retention notice, the Judicial Commissioner must give the Secretary of State written reasons for the refusal.(4) Where a Judicial Commissioner, other than the Investigatory Powers Commissioner, refuses to approve a decision to give a retention notice, the Secretary of State may ask the Investigatory Powers Commissioner to decide whether to approve the decision to give the notice.”
Amendment 119 agreed.
Clause 86: Review by the Secretary of State
Amendments 120 and 121
120: Clause 86, page 68, line 14, leave out “the Investigatory Powers” and insert “a Judicial”
121: Clause 86, page 68, line 31, at end insert—
“(10A) But the Secretary of State may vary the notice, or give a notice under subsection (10)(b) confirming its effect, only if the Secretary of State’s decision to do so has been approved by the Investigatory Powers Commissioner.”
Amendments 120 and 121 agreed.
122: After Clause 86, insert the following new Clause—
“Approval of retention notices following review under section 86
(1) In deciding whether to approve a decision to vary a retention notice as mentioned in section 86(10)(a), or to give a notice under section 86(10)(b) confirming the effect of a retention notice, the Investigatory Powers Commissioner must review the Secretary of State’s conclusions as to whether the requirement to be imposed by the notice as varied or confirmed to retain relevant communications data is necessary and proportionate for one or more of the purposes falling within paragraphs (a) to (j) of section 58(7).(2) In doing so, the Investigatory Powers Commissioner must—(a) apply the same principles as would be applied by a court on an application for judicial review, and(b) consider the matters referred to in subsection (1) with a sufficient degree of care as to ensure that the Investigatory Powers Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).(3) Where the Investigatory Powers Commissioner refuses to approve a decision to vary a retention notice as mentioned in section 86(10)(a), or to give a notice under section 86(10)(b) confirming the effect of a retention notice, the Investigatory Powers Commissioner must give the Secretary of State written reasons for the refusal.”
Amendment 122 agreed.
Clause 89: Variation or revocation of notices
Amendments 123 to 129
123: Clause 89, page 69, line 26, after “unless” insert “—
124: Clause 89, page 69, line 28, leave out from “58(7)” to end of line 29 and insert “, and
(b) subject to subsection (5A), the decision to vary the notice has been approved by a Judicial Commissioner.”
125: Clause 89, page 69, line 34, at end insert—
“(5A) Subsection (4)(b) does not apply to a variation to which section 86(10A) applies.”
126: Clause 89, page 69, line 38, after “84(3)” insert “, (3A)”
127: Clause 89, page 69, line 42, at end insert “(and, accordingly, the references to the notice in section 85(1)(a) to (e) are to be read as references to the variation).”
128: Clause 89, page 69, line 42, at end insert—
“(8A) Section (Approval of retention notices by Judicial Commissioners) applies in relation to a decision to vary to which subsection (4)(b) above applies as it applies in relation to a decision to give a retention notice (and, accordingly, the reference in subsection (1) of that section to the requirement to be imposed by the notice is to be read as a reference to the requirement to be imposed by the variation).”
129: Clause 89, page 70, line 3, at end insert—
“(9A) Section (Approval of retention notices following review under section 86) applies in relation to a decision under section 86(10) to vary or confirm a variation as it applies in relation to a decision to vary or confirm a retention notice (and, accordingly, the reference in subsection (1) of that section to the requirement to be imposed by the notice as varied or confirmed is to be read as a reference to the requirement to be imposed by the variation as varied or confirmed).”
Amendments 123 to 129 agreed.
Clause 91: Application of Part 4 to postal operators and postal services
130: Clause 91, page 71, line 14, at end insert—
“(de) for section 83(3A) there were substituted—“(3A) A retention notice must not require an operator who provides a postal service (“the network operator”) to retain data which—(a) relates to the use of a postal service provided by another postal operator in relation to the postal service of the network operator,(b) is (or is capable of being) processed by the network operator as a result of being comprised in, included as part of, attached to or logically associated with a communication transmitted by means of the postal service of the network operator as a result of the use mentioned in paragraph (a),(c) is not needed by the network operator for the functioning of the network operator’s postal service in relation to that communication, and(d) is not retained or used by the network operator for any other lawful purpose,and which it is reasonably practicable to separate from other data which is subject to the notice.””
Amendment 130 agreed.
Amendment 131 had been withdrawn from the Marshalled List.