Skip to main content

Public Bill Committees

Debated on Tuesday 3 May 2016

Investigatory Powers Bill (Fifteenth sitting)

The Committee consisted of the following Members:

Chairs: Albert Owen, †Nadine Dorries

† Atkins, Victoria (Louth and Horncastle) (Con)

† Buckland, Robert (Solicitor General)

† Burns, Sir Simon (Chelmsford) (Con)

† Cherry, Joanna (Edinburgh South West) (SNP)

† Davies, Byron (Gower) (Con)

† Fernandes, Suella (Fareham) (Con)

† Frazer, Lucy (South East Cambridgeshire) (Con)

† Hayes, Mr John (Minister for Security)

† Hayman, Sue (Workington) (Lab)

† Kinnock, Stephen (Aberavon) (Lab)

† Kirby, Simon (Brighton, Kemptown) (Con)

Kyle, Peter (Hove) (Lab)

† Matheson, Christian (City of Chester) (Lab)

† Newlands, Gavin (Paisley and Renfrewshire North) (SNP)

† Starmer, Keir (Holborn and St Pancras) (Lab)

† Stephenson, Andrew (Pendle) (Con)

† Stevens, Jo (Cardiff Central) (Lab)

† Warman, Matt (Boston and Skegness) (Con)

Glenn McKee, Fergus Reid, Committee Clerks

† attended the Committee

Public Bill Committee

Tuesday 3 May 2016

(Afternoon)

[Nadine Dorries in the Chair]

Investigatory Powers Bill

Before we begin, this sitting is officially due to finish at 5.30 pm, but we will continue until 6.30 pm, at which point there will be a break. The Committee will reconvene at 7 o’clock with Mr Owen in the Chair.

Clause 212

Combination of warrants and authorisations

Question proposed, That the clause stand part of the Bill.

The clause introduces schedule 8. I seek an assurance for the record from the Minister, but if it is not convenient to deal with this point now, it can be dealt with in some other way. Schedule 8 deals with the supplementary provisions for combined warrants. Having been through it, I think its effect is that any of the conditions necessary for any single warrant will apply notwithstanding that there is a combined warrant—in other words, none of the safeguards is lost by virtue of the combination—and the duration of the shortest warrant will apply. I am pretty sure that that is the intention, but it would be helpful to have that to confirmed for the record, so that we are clear that none of the safeguards is lost when warrants are combined.

With brevity that I know you will welcome, Ms Dorries, I can say that that is certainly so.

Question put and agreed to.

Clause 212 accordingly ordered to stand part of the Bill.

Schedule 8 agreed to.

Clause 213

Payments towards certain compliance costs

I beg to move amendment 844, in clause 213, page 165, line 26, leave out subsection (6) and insert—

“(6) The appropriate contribution shall represent the full amount of the relevant costs, subject to any audit process under subsection (4)”.

This amendment would ensure that the Government meets 100% of the compliance costs and that there is full cost recovery for Communication Service Providers (CSPs) implementing the legislation.

It is a pleasure to serve under your chairmanship, Ms Dorries. The amendment speaks for itself, I think. The clause deals with payments towards certain compliance costs and subsection (1) deals with appropriate contributions. As the Committee will know, there has been real concern about what the cost of compliance will be for those called upon to comply and what contribution they will receive toward their relevant costs. The clause allows for “an appropriate contribution”. The amendment would ensure that the Government met 100% of the compliance costs and there was full cost recovery for communication service providers implementing the legislation..

There is concern among providers about what they will be expected to do by way of compliance and what the cost will be. It may be convenient for the Minister to deal with the estimated costs, because £170 million was mentioned at one stage but I am not sure that that is a final figure as far as the Government are concerned.

The amendment is designed to ensure that the Government’s commitment to cost recovery for providers is explicitly provided for in the Bill. The hon. and learned Gentleman is right to raise this issue again, reflecting what we heard during the witness session when we debated the issue in part. In his evidence, Mark Hughes said he was aware that

“Under the proposals in the Bill—the Home Secretary has made reference to it—we would recover our costs from the Home Office, as we have done under existing legislation.”

He went on to say that

“the proposed regime is more sensible as long as it is clear that we will recover 100% of our costs.”––[Official Report, Investigatory Powers Public Bill Committee, 24 March 2016; c. 45-46, Q126.]

And I am clear, quoting the Home Secretary, that

“100% of the compliance costs will be met by the Government.”—[Official Report, 15 March 2016; Vol. 607, c. 821.]

The hon. and learned Gentleman asks what that means in practice. The £174 million he mentioned is not a cap, but an estimate. It is dealt with in the impact assessment, and there is no cap in the impact assessment. We will meet costs such as they arise. We are determined to make sure that the Bill works and is not inhibited by any doubts about the cost of its implementation. Clearly, future Governments will inherit this legislation. It is worth emphasising that the current policy has not changed since the passage of the Regulation of Investigatory Powers Act 2000, so it has survived three Governments of different colours or combinations of colours—we used to be more rainbow-like than we are now, which is actually quite welcome, by the way. We are clear that 100% means what it says.

Above and beyond that—the hon. and leaned Gentleman did not ask for this, but I will add it—we need to be clear that the providers are consulted on any changes to the cost model and that they will be able to seek review of any variation to the notice that affects the level of their contribution. To sum up: we have an estimate, not a cap; a determination that 100% means 100%; a willingness to have a proper input into this; and an assurance—which I think is what the hon. and leaned Gentleman really seeks—that the Government will cover the costs so that the Bill does what it should.

What a great reassurance it is to see you in the Chair, Ms Dorries. I will be very brief. I welcome the contributions of my hon. and learned Friend the Member for Holborn and St Pancras and the Minister for Security. As Committee members know, I have been banging on about this issue—

—rather tediously. The Minister says, “Yes,” but I have to point out that he said it before I said “rather tediously”. I welcome the Minister’s assurance as I have been concerned about communications service provider security since Second Reading. Will the Government consider providing security advice and testing for the smaller communications service providers, in addition to the financial contribution that they are making?

I will make only two points in reply to the hon. Gentleman. First, when he describes it as “banging on”, he understates his contribution. I see it more as informed, eloquent and sensible inquiry. Secondly, he is absolutely right that the small providers need to be fully involved at all stages. It may be fair to say that the bigger providers have the mechanisms to implement the requirements for data retention more straightforwardly, so we need to ensure that that does not mean that small providers are in any way disadvantaged. I acknowledge that point, and he is right to make it elegantly. He should never apologise—at least to me—for banging on about anything.

I am grateful to the Minister for setting out that assurance for the record. That will reassure those who are concerned about this issue. In those circumstances, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 213 ordered to stand part of the Bill.

Clauses 214 and 215 ordered to stand part of the Bill.

Clause 216

National security notices

I beg to move amendment 853, in clause 216, page 166, line 36, after “State”, insert

“following approval by a Judicial Commissioner”.

With this it will be convenient to discuss the following:

Amendment 854, in clause 216, page 166, line 41, after “State”, insert “and a Judicial Commissioner”.

Amendments 853 and 854 would require judicial authorisation for national security notices. This would also extend the “double lock” standard that is set in other parts of the Bill.

Amendment 845, in clause 217, page 167, leave out lines 20 and 21 and insert—

“(1) The Secretary of State may, following approval by a Judicial Commissioner that the notice is justified, practicable, necessary and proportionate, give a relevant operator a notice (a ‘technical capability notice’)”.

This amendment would require judicial authorisation for Clause 217 and bring the clause in line with other provisions within the bill that require judicial authorisation.

Amendment 855, in clause 217, page 167, line 20, after “State”, insert

“following approval by a Judicial Commissioner”.

This amendment would require judicial authorisation for technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.

Amendment 852, in clause 220, page 171, leave out lines 1 and 2 and insert—

“(9) The Secretary of State may, after considering the conclusions of the Board and the Commissioner, and with approval of a Judicial Commissioner—”

This amendment would require judicial authorisation for these clauses and bring them in line with other parts of the bill.

Amendment 859, in clause 220, page 171, line 4, at end insert—

“(9A) Any variation made under subsection (9) must be approved by a Judicial Commissioner.”

This amendment would require judicial authorisation for the variation and revocation of national security and technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.

The amendments go in pairs: amendments 853 and 854 are to clause 216, amendments 845 and 855 to clause 217 and amendments 852 and 859 to clause 220. They all have the same purpose and intent: to subject the powers in the clauses to the double-lock mechanism—in other words, to involve the judicial commissioners in those powers.

Clause 216 is concerned with national security notices. Subsections (1) and (2) make the power to issue such notices subject only to the test that they be

“necessary in the interests of national security”

and “proportionate”. There is no specific reference to any operational purposes; it is a very broad power. Once a notice is issued, subsection (3) takes effect:

“A national security notice may…require the operator to whom it is given—

(a) to carry out any conduct, including the provision of services or facilities, for the purpose of—

(i) facilitating anything done by an intelligence service under any enactment other than this Act, or

(ii) dealing with an emergency (within the meaning of…the Civil Contingencies Act 2004);

(b) to provide services or facilities for the purpose of assisting an intelligence service to carry out its functions more securely or more effectively.”

The Secretary of State issues a notice; once that notice is issued, the requirement on the operator is very broad. To be fair, subsection (4) makes it clear that a national security notice cannot be used to sideline or cut across a warrant or authorisation that is required under the Act, but the clause does make a very wide-ranging power available to the Secretary of State and it seems subject to pretty well no check, balance or safeguard.

The amendments would subject the procedure to the double-lock mechanism, to ensure that such a notice would go before a judicial commissioner, who would consider whether it was in the interests of national security and proportionate under subsections (1) and (2). The Joint Committee raised concerns about this issue when it looked at the draft Bill, and in particular how the lack of a definition of national security means that the power granted by the clause is very wide indeed.

Does the hon. and learned Gentleman agree that, in the absence of a definition of national security, it is difficult to foresee the kinds of activity or intrusion that obligations under the clause could entail? Is it not therefore providing a blank cheque power to the Government?

I agree. This is one of the rare occasions on which the Bill does not set out the procedure for what happens before the Secretary of State considers the exercise of her function. In other areas, we have seen particular requirements for what must be set out in the application and in the warrant—there is a bit more detail. Here, the notice procedure does not include any details of the formalities of the Secretary of State’s consideration or what must be set out in a notice; nor does the Bill provide any safeguard through the judicial commissioners, so not having a definition of national security means that the power is extremely wide and unchecked.

My amendments go only to the process and not to the substance of clause 216, but if they were made, at least a separate pair of eyes would look at the notice and consider whether the test of necessity and proportionality was met. That in itself would be an important safeguard in keeping with the model that runs through the Bill.

It is a pleasure to serve again under your chairmanship, Ms Dorries. I have listened carefully to what the hon. and learned Gentleman and others have said about their concerns regarding the provisions, but may I reassure him and put to bed the notion that somehow this is a back door or a blank cheque to allow the authorities to do what they like when it comes to interference with the privacy of individuals? Far from it. I will explain as far as I can the purpose of the type of warrantry, particularly the national security notice, that we are talking about, and indeed the technical proficiency provisions as well.

An example of the type of support that might be required would be the provision of services or facilities to help the intelligence agencies in safeguarding the security of their personnel and operations. A notice might typically require a communications service provider to provide services to support secure communications by the security and intelligence agencies—for example, by arranging for a communication to travel via a particular route in order to improve security. A notice may additionally require the confidential provision of services to the security and intelligence agencies within the communications service providers, such as by maintaining a pool of trusted staff for the management and maintenance of sensitive communications services. I hope that gives the hon. and learned Gentleman some insight into what we are talking about here.

I am grateful for that indication, but I am not sure why that is an argument for not subjecting what could be a wide-ranging power to the double-lock mechanism, which has been the preferred safeguard for such powers in the Bill.

There are clear reasons for not going down that route. We are talking about the preparatory stage as opposed to the stage of interference with privacy. If the Government’s position was that there was a loophole—a gateway—to allow such interference, the hon. and learned Gentleman’s argument would have real strength, but that is far from the case. This is all about the preparatory stages—the necessary stages that need to be taken by communications service providers before we get to the application for what we all accept is an intrusion.

I am afraid I cannot share with hon. Members their analysis that we need a “now and forever” definition of national security in law. There is a good reason why national security is not defined in statute. Any attempt to define it in the Bill runs a real risk of restricting the ability of this country to respond to constantly evolving and unpredictable threats. It is vital that legislation does not, however unintentionally, constrain the ability of our security and intelligence agencies to protect this country. The examples are all around us: who would have imagined a few years ago cyber-attacks of the nature and on the scale that now threaten us? My concern is that if we try to rigidly define what we mean by national security, we run the risk of defeating the means by which we can keep this country safe.

I hear what the Solicitor General says about the measure only facilitating preparatory steps, but under the terms of clause 218(8) we will never know whether the notices exist or their contents, so we will not be able to know whether we are dealing with preparatory steps or whether they could go beyond that.

I have gone as far as I can to explain the types of scenarios that the national security notices would be used for. In essence, they deal with the nuts and bolts rather than the intrusion. If somehow there was a gateway into intrusion, the hon. and learned Lady would be absolutely right, but I assure her that there is not, so the worries that she and other people and organisations have about a blank cheque, while understandable, are unfounded. I can assure her in Committee and I am happy to continue to make the assurance that the function of this type of notice is not intrusion.

Indeed, we have oversight because national security notices will be overseen by the Investigatory Powers Commissioner. The commissioner will have a duty to report at least once a year on what he or she has found and to make recommendations on where improvements can be made. The commissioner will also have the power to report on an ad hoc basis on any issue that he or she considers appropriate.

I am listening carefully to the Solicitor General. He says that the notices are not a gateway for preparatory steps to become steps that invade privacy, but where in the Bill is the provision that prevents that happening? The only restriction is subsection (4), which does not achieve that end.

With respect, I do not think that is necessary because any agency that sought to use this type of notice in order to get around the double-lock provisions in the Bill would soon come a cropper with the commissioner. That important oversight means that organisations are not operating in a vacuum; they will be held to account if they try to misuse these notices in the way that the hon. and learned Gentleman and others fear.

As I have said, we have the powers of review by the IPC. We also have the provision, pursuant to clause 220(5)(b) and (7), that the Secretary of State must consult the commissioner if a notice is reviewed, and the commissioner will then consider the proportionality of the matter before reporting conclusions to the Secretary of State. We have the checks and balances that the hon. and learned Gentleman rightly wants within the mechanism.

On amendments 853 and 854, I would say this: the role of the Secretary of State in issuing national security notices rightly reflects the responsibility of the Executive in protecting our national security; conversely, the role of the judicial commissioner in approving the issuing of warrants under the Bill reflects the particular and proper sensitivity regarding interference with private communications. We have got the double lock in place to ensure that, before the fact, a senior judge has to be satisfied that any interference with privacy is justified. The Bill explicitly prohibits—this is an important point—the issuing of national security notices for the primary purpose of obtaining private information, and the double lock then applies to the use of the most sensitive powers. We need to focus on the need for the double lock in relation to applications that result in the acquisition of private information. These types of notices do not permit the authorities to do that, so the amendments are unnecessary.

Amendments 845 and 855 deal with technical capability notices. Clause 217 builds on the current power provided for under the Regulation of Investigatory Powers Act 2000, where a company can be obliged to maintain a permanent interception capability in order to ensure that when a warrant is served, a company has the infrastructure in place to give effect to it securely and quickly. Again, any warrant served will have been reviewed by a judicial commissioner; he or she will play an important part in overseeing the operation of technical capability notices and any appeal that may be lodged against them. The commissioner will also be consulted about the making of regulations that will provide more detail about the operation of these types of notices, and those regulations will be put before Parliament for approval. Plenty of the checks and balances that the hon. and learned Member for Holborn and St Pancras, others interested in Bill and I would expect and want to see are here.

I am not persuaded of the need for amendments 852 and 859, because clause 220 already sets out the role of the IPC in the process of review and the actions that the Secretary of State must take in that process. The IPC will be integral to any review, because the Secretary of State must consult the commissioner, who will then consider whether the notice is proportionate. Inevitably, considerable weight will be afforded to the advice of the commissioner. The role of the commissioner provides an opportunity for the person on whom the notice has been served and for the Secretary of State to present evidence. The conclusions of the commissioner will be reported to the Secretary of State and to the person who has made the reference. After consideration of the conclusions, the Secretary of State may decide to confirm the effect of the notice, to change or vary it, or to withdraw it. Until that decision is made, there is no requirement for the person who has referred the notice to comply with the specific obligations under review.

In a nutshell, there are plenty of adequate safeguards to alleviate the concerns expressed by the hon. and learned Gentleman. I urge him to withdraw his amendments.

I listened carefully to the Solicitor General, and I am grateful to him for setting out how he envisages the notices operating. The difficulty is that there is a mismatch between what he says is their intended operation, and the safeguards in the clause. For me, subsection (4) does not do what he contends it does.

I am also concerned about clause 217. We will get on to that in more detail in a moment, but it is a wide-ranging clause on the maintenance of technical capability, which again ought to be subject to the double lock.

I apologise to the Committee, but on this occasion I will press the amendments in the group to a vote. In the past, in relation to a number of clauses, I have tested the Committee on the first one, but on this occasion I am not sure that I can do that. I think this will be the only occasion on which I will test the patience of the Committee, but clauses 216 and 217 are conceptually different and do not seem to be run as a group. I am afraid that I will press for a vote—as I say, I will not make a habit of it, and I have not done so before.

Question put, That the amendment be made.

Amendment proposed: 854, in clause 216, page 166, line 41, after “State”, insert “and a Judicial Commissioner”. —(Keir Starmer.)

Amendments 853 and 854 would require judicial authorisation for national security notices. This would also extend the “double lock” standard that is set in other parts of the Bill.

Question put, That the amendment be made.

Question put, That the clause stand part of the Bill.

Clause 216 ordered to stand part of the Bill.

Clause 217

Maintenance of technical capability

Amendment proposed: 845, in clause 217, page 167, leave out lines 20 and 21 and insert—

“(1) The Secretary of State may, following approval by a Judicial Commissioner that the notice is justified, practicable, necessary and proportionate, give a relevant operator a notice (a “technical capability notice”)”

This amendment would require judicial authorisation for Clause 217 and bring the clause in line with other provisions within the bill that require judicial authorisation.(Keir Starmer.)

Question put, That the amendment be made.

Amendment proposed: 855, in clause 217, page 167, line 20, after “State”, insert “following approval by a Judicial Commissioner”.

This amendment would require judicial authorisation for technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.(Keir Starmer.)

I beg to move amendment 846, in clause 217, page 168, line 8, at end insert—

‘(4A) A notice may not impose upon the relevant operator any obligations relating to the removal of electronic protection applied by or on behalf of that operator to any communications or data unless the relevant operator or a person acting on its behalf retains the technical ability to remove the electronic protection from such communications or data.”

This amendment would provide clarity and legal certainty for industry that the Government will not require back doors to be installed into products and services, is not seeking to weaken or restrict the use of encryption and that companies cannot be required to remove encryption if they do not have the means to do so at their disposal.

With this it will be convenient to discuss the following:

Amendment 847, in clause 217, page 168, line 16, at end insert—

“(e) persons generally held to be representing users and privacy interests in order to assess the impact of any such Regulations on users.”

This amendment would ensure that privacy protections form an overarching part of the Bill and apply across the full range of investigatory powers afforded to the security services.

Amendment 848, in clause 217, page 168, line 24, leave out subsection (8) and insert—

“(8) A technical capability notice may only be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom) where it would not cause the person to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services.”

This amendment would remove all provisions within the Bill that have extraterritorial reach and undermine the long term objective of creating a long term, international framework for law enforcement to gain access to data held overseas and resolves conflict of laws situations that may otherwise arise by providing the Secretary of State with the power to serve such notices without having to take account of domestic legal obligations to which the recipient is subject.

Amendment 857, in clause 217, page 168, line 30, at end insert—

“(11) A person shall not be liable to have a technical capability notice served on him in accordance with regulations under this section by reason only that he provides, or is proposing to provide, to members of the public a telecommunications service the provision of which is or, as the case may be, will be no more than—

(a) the means by which he provides a service which is not a telecommunications service; or

(b) necessarily incidental to the provision by him of a service which is not a telecommunications service.”

This amendment would exclude (under powers in RIPA section 11(4)) those services that have a communications element, but are primarily not a communication service. This limits the very broad range of “telecommunication services” that could be required to build a technical capability under this Part.

Amendment 849, in clause 218, page 168, leave out lines 37 and 38, and insert—

“(3) Before giving a relevant notice, the Secretary of State must provide evidence that the notice is justified, necessary practicable and proportionate, having, among other matters, taken into account—”

Amendment 850, in clause 218, page 168, line 45, at end insert—

“(f) the effect on the privacy and human rights of people in the United Kingdom and outside the United Kingdom”

Amendments 848 to 850 would make explicit the requirement on the Home Secretary to justify the use of a power as intrusive as a technical capability notice. It will also require the Home Secretary to take account of the full effects of such a notice, particularly on people and companies based overseas.

Amendment 858, in clause 218, page 169, line 7, leave out—

“A technical capability notice may be given to a person outside the United Kingdom”

and insert—

“Where a technical capability notice is to be given to a person outside the United Kingdom, the notice shall be served at that person’s principal office outside the United Kingdom where it is established, for the provision of services. Where it is considered unfeasible or inappropriate in the circumstances”

This amendment would require that a UK agency would only serve a notice on an overseas entity that is capable of providing assistance under the warrant.

This important clause is causing a great deal of concern to operators that may be called upon to comply with a notice. The clause provides for a power to be vested in the Secretary of State to give a relevant operator a technical capability notice

“imposing on the relevant operator any applicable obligations specified in the notice,”

and

“requiring the person to take all the steps specified in the notice for the purpose of complying with those obligations”.

That is a very wide power, and the concern is about the extent of it. In a moment, I will refer to the code of practice, which sets out some of the capabilities that might be required.

It is clear that the power includes taking steps relating to encryption. I say that for two reasons. Subsection (4) lists in paragraphs (a) to (e) the obligations that may be specified in regulations. They include obligations

“to provide facilities or services of a specified description”

and obligations relating to

“apparatus owned or operated by a relevant operator”

or to

“the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”.

That is clearly veering into encryption. Obligations may also relate to

“the security of any postal or telecommunications services provided by a relevant operator”

or

“the handling or disclosure of any information.”

If one reads ahead, clause 218(4) deals with further provisions on notices under clauses 216 and 217, stating:

“Where the relevant notice would impose any obligations relating to the removal by a person of electronic protection applied by or on behalf of that person to any communications or data, in complying with subsection (3) the Secretary of State must in particular take into account the technical feasibility, and likely cost, of complying with those obligations.”

The concern of many who might be called upon to comply with the obligations is about the wide-ranging nature of the power.

This also goes deep into the debate about encryption. It is absolutely clear that a notice could require protection to be removed, and the clause envisages that being the case. That becomes clearer when one reads the “Interception of Communications” draft code of practice from chapter 8 onwards. If one reads paragraphs 8.1 to 8.94, one sees what is in fact a power that allows the Secretary of State, through this mechanism, effectively to take control of a capability of a service provider. Paragraph 8.1 states:

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly. Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability”.

Paragraph 8.3 then lists the wide range of obligations that can be imposed in a notice under this clause.

Paragraph 8.4 of the draft code states:

“An obligation placed on a CSP to remove encryption only relates to electronic protections that the company has itself applied to the intercepted communications (and secondary data), or where those protections have been placed on behalf of that CSP, and not to encryption applied by any other party.”

That is very important provision, which I think I am right to say was clarified as a result of a recommendation from prelegislative scrutiny. The difficulty—I am anticipating the discussion we are about to have—is that this crucial issue is dealt with in the code of practice and not in the Bill. The concern expressed in the evidence given to the various prelegislative bodies and to the Committee was that companies will be obliged to remove the protections in their own systems. Paragraph 8.4 is of some comfort to them because it makes it clear that the obligation would only relate

“to electronic protections that the company has itself applied”

and not to other encryption—but the real problem is that paragraph 8.4 is in the code of practice and not in the Bill. That needs to be rectified. We cannot leave something as important as that in the code of practice. It goes to the heart of the power in the clause. It is far and away the biggest cause for concern among CSPs, yet it is not dealt with in the Bill. The Bill provides for a permissive, rather than a restrictive, regime—if I am wrong about that, I will happily take an intervention.

Paragraph 8.6 of the code of practice clarifies that:

“While an obligation to remove encryption may only relate to protections applied by or on behalf of the company…there will also be circumstances where a CSP removes encryption from communications for their own business reasons. Where this is the case, an intercepting agency will also require the CSP, where applicable and when served with a warrant, to provide those communications in an intelligible form.”

The code then makes provision for giving a notice, for the disclosure of technical capability notices, and for their review and variation. Paragraph 8.27 and 8.28 are very wide-ranging. Paragraph 8.28 states:

“CSPs subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.”

That goes deep into territory hitherto unregulated in this way; CSPs will be required to give the Government notice of their new products and services, so that the Government can consider whether to vary a notice that already applies to them. We can see why the service providers are so concerned about that capability.

Pressing on through the code of practice, we see that the contribution of costs for the maintenance of a technical capability is dealt with from paragraph 8.43. Again, these provisions give an indication of the breadth of the capability covered by the clauses of the Bill. Paragraph 8.43 states:

“Section 213 of the Act recognises that CSPs incur expenses in complying with requirements in the Act, including notices to maintain permanent interception capabilities under Part 9. The Act, therefore, allows for appropriate payments to be made to them to cover these costs.”

In a sense, the requirement for CSPs to give notice when they have new or different services and to maintain permanent interception capabilities when they would not otherwise do so means the taking control of their services for the purposes of the Act.

The code of practice continues, at paragraph 8.46:

“Costs that may be recovered could include those related to the procurement or design of systems required to intercept communications, their testing, implementation, continued operation and, where appropriate, sanitisation and decommissioning.”

That, again, is an indication of just how wide these powers will be. Paragraphs 8.51 to 8.53 deal with the power to develop compliance systems, suggesting that,

“In certain circumstances it may be more economical for products to be developed centrally, rather than CSPs or public authorities creating multiple different systems”

and stating that clause 214 provides the Secretary of State with that power. Paragraph 8.53 is the inevitable conclusion of that, stating:

“Where such systems are developed for use by CSPs, the Government will work closely with CSPs to ensure the systems can be properly integrated into their networks”,

which is the option of ensuring that the CSP itself develops and maintains the capability. If not, the Secretary of State can do so and then there will inevitably be a requirement to integrate that capability into existing networks, and so on and so forth. That is why, although the detail of paragraphs 8.1 to 8.94 is welcome, it is the clearest evidence one could get of the breadth of the powers.

Amendment 846 would

“provide clarity and legal certainty for industry that the Government will not require back doors to be installed into products and services, is not seeking to weaken or restrict the use of encryption and that companies cannot be required to remove encryption if they do not have the means to do so at their disposal.”

The amendment is intended to deal with the concern of service providers about how the clause would apply to encryption. Amendment 847 would add a requirement to take into account privacy interests. I will not press that amendment to a vote and I will not spend time on it now, because to some extent it is probably overtaken by the overarching privacy provisions, which we will deal with later in a new clause.

Amendment 848 is self-explanatory. There is a continuing concern among service providers about obligations being imposed on them that would put them in breach of the law, or a restriction under the law, in the country or territory in which they are operating. The intention behind the amendment is to remove that conflict by ensuring that no obligation under clause 217 would

“cause the person to act contrary to any laws or restrictions under the law of the country or territory where it is established, for the provision of services.”

Amendment 857 would deal with a sub-clause of service providers by excluding

“those services that have a communications element, but are primarily not a communication service. This limits the very broad range of ‘telecommunication services’ that could be required to build a technical capability under this Part.”

Amendment 849 is probably the most significant of this group of amendments, as it would insert a new requirement into clause 218:

“Before giving a relevant notice, the Secretary of State must provide evidence that the notice is justified, necessary practicable and proportionate”.

It then lists what must be taken into account. I pause there because it is significant that clause 217 is not subject to a necessity and proportionality test. It is subject to a reasonableness test. Clause 217(3) shows that there is no need for the Secretary of State to show necessity or proportionality.

Interestingly, when it comes to variation in clause 219(4), as far as the national security notice is concerned, there is a requirement to demonstrate proportionality. The amendment would build in a new test to be applied under clause 217. Finally, amendment 858 is our old friend “service outside the jurisdiction”, which I have rehearsed already.

In arguing in opposition to the amendments, I first want to address the last point that the hon. and learned Member for Holborn and St Pancras made. I can come back to his point about the tests, but in a nutshell, they are inherent to the Bill. The tests of necessity and proportionality are part and parcel of the decision-making process that the authority will be enjoined to carry out.

It is noticeable that, for obvious reasons, necessity and proportionality have been written into relevant clauses throughout the Bill, but here, I think for the first time, we have a wide-ranging power with no such test—unless I have missed it, in which case I will happily concede the point.

In strict terms, the hon. and learned Gentleman is right—I am looking at clause 218 in particular. I think that subsection (3) might help him, because although we do not have the words “necessity” and “proportionality” there, the matters to be taken into account lead one to conclusions based on necessity and proportionality, and perhaps do so in a more prescribed way that is more helpful to the decision maker. Subsection (3)(a) to (e) addresses the hon. and learned Gentleman’s point, and I put it clearly on the record that the principles of necessity and proportionality are part and parcel of the tests to be applied.

I also note that necessity is required under clause 217(6), which relates to the steps specified in a technical capability notice. I do not know whether that helps the hon. and learned Gentleman. I will certainly consider the issue carefully, but on the face of it, I do not think there is a worry of the sort that he envisages.

The Intelligence and Security Committee described the clause as a

“seemingly open-ended and unconstrained power”.

Does the Solicitor General not agree that it is therefore essential that the tests of necessity and proportionality are spelled out in the clause, as they are in other parts of the Bill?

I hear the hon. and learned Lady, but I am not convinced that the basis of her argument is right given the breadth of the power. As I said in the context of national security notices, the technical capability notice is only a preliminary step. It will allow the subsequent implementation of a warrant, which will then be subject to the tests of necessity and proportionality. I would not want the Committee to operate under a misapprehension. It is my strong, and I hope clear, assertion that we are dealing with an earlier stage of the process, so we should not be driven to the conclusions that I know critics of the Bill want us to reach.

May I deal with encryption, which, as the hon. and learned Gentleman rightly characterised, is at the heart of the matter? I put it on the record that the Government recognise the vital importance of encryption. It has become part of our daily lives. It keeps our personal data and intellectual property secure and ensures safe online commerce, and the Government work closely with industry and business to improve their cyber-security. I can reassure the Committee that in the preparation of the code of practice, there has been close consultation with the interested parties in the industry to ensure that it comprehensively reflects the realities and needs of those who operate in this sphere. Not only does the code of practice replicate the provisions of RIPA, but it goes further, with a degree of specificity that is not possible in primary legislation. It will be a flexible, living instrument that will form a clear prospectus within which everyone can work. I make no apology for the measure being in a code practice, which is where it should be, rather than in primary legislation. With the best will in the world, we all know that it is difficult to amend primary legislation and ensure that it keeps pace with the somewhat breathtaking changes that occur in this particular field of operation.

I also want to talk about the role of GCHQ, which plays a vital information assurance role and provides advice and guidance to allow the Government, industry and the general public to protect their IT systems and use the internet safely. As the director of GCHQ, Robert Hannigan, made clear in his speech on 8 March:

“I am accountable to our Prime Minister just as much, if not more, for the state of cyber security in the UK as I am for intelligence collection.”

In the past two years the security and intelligence agencies have disclosed vulnerabilities in every major mobile and desktop platform, including some of the big names that underpin business here in the UK. In September 2015, Apple publicly credited CESG, the information assurance arm of GCHQ, with detecting a vulnerability in its operating system for iPhones and iPads, and we all know where that vulnerability could have led. The vulnerability was fixed as a result of that intervention, so the suggestion, which I know has not been advanced in this Committee—and I hope will not be—that the Government are opposed to encryption, or would legislate to undermine it, is wholly wrong.

We have to ensure that we have the necessary capabilities to keep our systems safe. Encryption is now, in effect, the default setting for most of our IT products and online services, and although it can be a power for good in keeping the law-abiding safe and secure, sadly it is used easily and all too cheaply by terrorists, paedophiles and other criminals. Therefore it can only be right that we retain the ability to require telecommunications operators to remove encryption in strictly limited circumstances, with strong controls and safeguards, so that we can address the increasing technical sophistication of those who would seek to do us harm. If we do not do that, we must simply accept that there are areas online that are beyond the reach of the law, where criminals can go about their business unimpeded and without the risk of detection. I do not accept that, and I know the general public do not accept it either. That is our starting principle.

Clause 218(8) and (9) provides that the recipient of a notice must comply with it but must not disclose either its existence or its contents. Does that mean that if an Apple against the FBI scenario were to occur in the UK, Apple would not be able to disclose even the fact that it had been served with a notice, let alone challenge it in court? That is how I read it.

Not without the permission of the Secretary of State. I will return to the mechanism in question, but I am grateful to the hon. and learned Lady for raising that point. I am sure I will be able to provide her with clarity as I develop my remarks.

The starting principle is shared by David Anderson, who in his important review said:

“My first principle is that no-go areas for law enforcement should be minimised as far as possible, whether in the physical or the digital world.”

That view was shared by the Joint Committee on the draft Bill and is shared by the Select Committee on Science and Technology, both of which recognise that, in tightly prescribed circumstances, it should remain possible for our law enforcement and security and intelligence agencies to be able to access decrypted communications or data. That is what clauses 217 and 218 are all about: strong safeguards to ensure that obligations to remove encryption can be imposed only in limited circumstances, subject to rigorous controls.

Clause 217 relates to technical capability notices. Before such a notice is given, the Secretary of State must specifically consider the technical feasibility and likely cost of complying with it. Clause 218(4), which has been the subject of some debate, provides that that consideration must explicitly take into account any obligations to remove encryption applied by, or on behalf of, a communications service provider. In my submission, that deals with the point about third parties that the hon. and learned Member for Holborn and St Pancras raised.

I looked carefully at that subsection, but perhaps the Minister could explain why it is a limiting provision. It is a requirement provision as far as the notice is concerned, but on the face of it, encryption is not limited to protection applied by, or on behalf of, the person themselves. It tells us how that situation would be dealt with, but it is not limited to that.

I have been interested in the clause for a while, because there are issues about what “relevant notice” means, for example. I assure the hon. and learned Gentleman that that applies only to technical capability notices, not national security notices. I will carefully consider how we can make that absolutely clear, and in that context I will have another look at the how the clause is worded. I want to put beyond any doubt the fact that the clause relates only to a technical capability notice and does not relate to third parties. That has been an important undertaking that we have given.

Deliberating on the interesting discourse that has taken place between the Solicitor General and the hon. and learned Member for Holborn and St Pancras, I take the point that the hon. and learned Gentleman makes about necessity and proportionality running as a theme throughout the Bill. My hon. and learned Friend the Solicitor General is of course right that these are preliminary measures, and therefore once an outcome that has been tested for proportionality has been reached, that will not be a problem. I say to him that there is an argument for taking that into account and making it even clearer, either in the supporting documentation or in the Bill.

I am grateful to my right hon. Friend, and I will do that.

Before I go further, I will deal with the point that the hon. and learned Member for Edinburgh South West made about Apple. My understanding is that the process will give her some reassurance. In that scenario, Apple, as the recipient of the notice, could refer it back to the Secretary of State, who in turn must then consult the technical advisory board and the IPC before deciding whether to proceed further with the notice. If the Secretary of State proceeded, it would then be judicable in the courts, which would determine whether the notice could be enforced. It is quite similar to the scenario that we discussed in the context of national security notices. I hope that gives her some assistance.

I have looked at this issue in the past day or two, and I was concerned about the implication that on the face of it, one could not challenge the provision in court, because there is an absolute bar on disclosure. Am I right in assuming—if I am, it should be on the record—that the Secretary of State will give permission, where appropriate, for a legal challenge to be brought? In other words, there could be disclosure for the purposes of legal proceedings.

On the face of it, that has to follow. If any clarification is needed on that, I am sure I can assist as I further develop my remarks.

I was dealing with the process of consultation before the giving of a notice, and we have had the Apple example. I would like to develop the importance of the draft codes of practice, which the hon. and learned Gentleman has referred to.

The Solicitor General is talking about the power of review in clause 220, which should be read with the power to issue notices. That is important because it obliges the Secretary of State to consult the technical advisory board and the Investigatory Powers Commissioner. That process was endorsed by EE, a communications service provider, in its evidence to the Joint Committee on this very point.

I am grateful to my hon. Friend, who provides an example of the sort of dialogue that will be very much part of the process. There will not be mere diktat without further discussion. I was about to develop that point in the context of the draft codes of practice, because they make it clear that should a telecoms operator have concerns about the reasonableness, cost or technical feasibility of any requirements set out in a notice, which of course would include any obligations to remove encryption, they should be raised during the consultation process. That is the dialogue that we have talked about. Also, a telecommunications operator that is given a technical capability notice may refer any aspect of it—again, I gave an example earlier—including obligations relating to removal of encryption, back to the Secretary of State for review. We have dealt with the consultation process set out in the Bill.

The Bill makes it absolutely clear that in line with current practice, obligations placed on telecommunications operators to remove encryption may relate only to encryption by or on behalf of the Government. That is the point I was making about subsection (4).

I wonder whether clause 217(3) is relevant in the context of what we are discussing. It shows that the Secretary of State can impose the requirements only in so far as they are practicable. The Secretary of State will be prevented from requiring a service provider to do something that it cannot do, for example because a third party has encrypted the material and it is not physically capable of assisting.

I am grateful to my hon. and learned Friend, who is right to pray in aid that subsection, which sets out the bones on which we flesh out the procedure in the code of practice.

I am getting a bit confused. My understanding was that these provisions applied only to communications service providers. I think it was the hon. and learned Member for Edinburgh South West who raised the question of Apple, which to my mind is not a communications service provider, but the Minister responded in the same terms. Will he clarify who exactly we are talking about and who the provision is intended to cover?

The hon. Gentleman is right to make that important point and to steer us back on to the straight and narrow. I am not criticising the Committee for trying to bring the Bill to life with some examples. We are indeed talking about communications service providers, not third parties, which is important in the context of the Bill.

Are we not concerned here with the “relevant operator”, which is defined in clause 217(2) as

“a postal operator…a telecommunications operator, or…a person who is proposing to become a postal operator or a telecommunications operator.”?

That definition is the basis of the concern for companies such as Apple.

The hon. and learned Lady is absolutely right to bring us back to clause 217(2). The problem that hon. Members are anticipating is that the provisions will somehow catch parties that no one would regard as appropriate. I think I have given clear assurances on that third party problem.

I am very grateful to my hon. and learned Friend, and I do not want to be unhelpful, but I would like some clarification regarding Apple. As he is aware, Apple refused to do what the FBI asked. Although the case was never ultimately determined by the courts, because the FBI managed somehow to break open the machine and retrieve the information, how would the clause affect a similar situation if a provider such as Apple refused point-blank to co-operate, just as it did with the FBI?

In endeavouring to answer my right hon. Friend’s point, may I deal first with the question about telecommunications operators? Some assistance may be gained from clause 223(10), where a telecommunications operator is defined in a way that includes Apple. The famous Apple case—the California case—was about the use of a password, which is slightly different from the question of encryption, but it does demonstrate the important tussle between the need to balance public safety and privacy. In that case, the FBI, with an appropriate search warrant, was asking for the chance to try to guess the terrorist’s passcode without the phone essentially self-destructing—after so many tries, everything gets wiped.

We are talking about an attempt to obtain communications data within the robust legal framework that we have set out, with the double lock and all the other mechanisms that my right hon. Friend and the Committee are familiar with. I am grateful to him for raising that case, but there are important differences that it would be wrong to ignore. In a nutshell, without the powers contained in the Bill, a whole swathe of criminal communication would be removed from the reach of the authorities. That is not in the interests of the constituents he has served with distinction for well over a quarter of a century—he will forgive me for saying that—or any other of the constituents we represent.

I was going to come back to the obligations imposed under a technical capability notice, with particular regard to the removal of encryption. The obligations imposed under such a notice will require the relevant operator to maintain the capability to remove encryption when it is later served with a warrant notice or authorisation. That is different from merely requiring it to remove encryption. In other words, it must maintain the capability, but there then needs to be the next stage, which is the warrant application and the notice of authorisation, where there is of course the double lock. The company on which the warrant is served will not be required to take any steps, such as to remove encryption, that are not reasonably practicable.

In a nutshell, this measure is about not an interference with privacy but sets out the preparatory stage before a warrant can be applied for. The safeguards provide the strict controls that I assure the Committee are needed in this sphere of activity. We are maintaining and clarifying the existing legal position.

I am anxious to clarify what the Solicitor General said about the justiciability of the issuing of such a technical notice. As far as I can see, the Secretary of State is the gatekeeper to justiciability, because the contents of a notice can be revealed only with his or her permission. Where does it say that that can be justiciable, because I cannot find it?

I think it is clause 220, but I will get some further assistance on that point for the hon. and learned Lady before I resume my seat. I am grateful for that intervention.

The Bill does not drive a coach and horses through encryption. It does not ban it or do anything to limit its use. A national security notice—we debated this matter on clause 216—cannot require the removal of encryption, which further supports my argument that there is no blank cheque in the context of these notices. On the issue of civility, rather than keep this Committee waiting, I will write to the hon. and learned Lady to clarify the point that she rightly raised.

This is a general point. Although we are examining this Bill in detail, there will of course be an ongoing debate, particularly as the technical companies tussle with the public, about what the public find acceptable. Those companies should not think that the debate ends here; they will have to justify their actions to the public in future.

My hon. Friend is absolutely right. The code of practice has been drafted in that real-life context. It will no doubt be amended and looked at—it will be a living document—as this technology develops and as we move forward. With this clause, we are trying—I do not like this phrase, but I have to use it—to future-proof the legislation to make it resilient so that it lasts and to ensure that this House does not have to return to it time and again to respond to the challenges that increased and enhanced IT present.

My hon. and learned Friend referred to clause 220, which indeed does give the person who receives the notice the power to give it back to the Secretary of State, who then has to consult the Technical Advisory Board and the Investigatory Powers Commissioner, who will then take evidence from those people.

I am glad that my hon. and learned Friend has reminded us of that. I referred earlier to that consultation process. The next stage is when the Secretary of State decides to proceed. I will consider that issue even more carefully to ensure that the Committee is furnished with as much information as possible before Report.

Let me deal with the amendments tabled in the name of the hon. and learned Member for Holborn and St Pancras and others. On amendment 846, the Bill already makes it absolutely clear that a communications service provider will not be obligated to remove encryption where it is not reasonably practicable for them to do so. I do not think the amendment adds anything, and in many cases it would have the effect of inhibiting law enforcement agencies and the security and intelligence services from working constructively with tele- communications operators as the technology develops. I am sure that that is not the intention of the amendment. Depending on the individual company and the individual circumstances, it may be entirely sensible for the Government to work with a company to determine whether it would be reasonably practicable for it to take steps to develop and maintain the technical capability to remove the encryption it has applied to communications or data.

My worry about the amendment is that we would end up with communications services that can be used by criminals and others to communicate with each other unimpeded. We know that internet gambling sites, which have chat room provisions, are used by criminals for entirely unrelated criminal activities. I am sure that that is not the intention behind the amendment. Therefore, with respect, I urge hon. Members to reconsider it.

I will not deal in detail with amendment 847, because I do not think the hon. and learned Gentleman seeks to press it. Although I oppose it, I will move on without argument to amendments 848 and 858. We have discussed similar amendments on extraterritoriality in relation to other powers in the Bill. I pray in aid the arguments I used earlier. The provisions in the Bill allow a notice to be given in the most appropriate manner, taking into account the preferences of each company, which is an example of the adaptability of the legislation to the real world.

Amendment 848 is unnecessary because the clause is about not the acquisition but the development and maintenance of a technical capability. Conflict of law issues are much more likely to arise in respect of giving effect to a warrant, and we already have protection in the Bill for such cases. Admirable though the amendment may seem, it is therefore unnecessary.

Amendment 849 is unnecessary because it duplicates provisions in clauses 218, 216 and 217. I have discussed clause 218(3), which stipulates that the Secretary of State must consider a wide range of matters before giving a notice. That detailed assessment already speaks to the issues raised by the amendment. The Secretary of State has to be satisfied that the conduct is proportionate, justified, necessary and practicable.

I am sorry to interrupt the Solicitor General’s flow, but I sense he is coming to the end of his argument. Will he clarify something? Am I right in understanding that there is nothing in the clause to prevent someone who is intent on evading surveillance from using open-source encryption software that is personally generated by the user? That would mean they could encrypt files and email communications themselves, independent of any provider, and therefore remain untouched by this legislation.

That question is about the definition of the provider. I am sure we will be able to provide some clarity on that before I draw my remarks to a conclusion. I am grateful to the hon. and learned Lady for raising that point.

Amendment 850 relates to consideration by the Secretary of State of the effect of a notice on the privacy and human rights of people both here and outside the kingdom. The amendment is unnecessary because of the point I made before, which I will reiterate: the clause is not about notices authorising an interference with privacy. A warrant provided for elsewhere in the Bill is required to do that, and we have already considered the potency of the double lock and the test to be applied. A point that is relevant to all the amendments in this group is the statutory function of the Investigatory Powers Commissioner to oversee the use of notices. I raised that in the context of national security notices, and I pray it in aid here again.

Amendment 857 seeks to narrow the category of operators to whom a technical capability notice can be given. I am worried that that would limit the effects of law enforcement. We know about the diversification of criminality and terrorism in order to find new ways to avoid protection. I am concerned that narrowing the legislation would allow loopholes to get larger. It is therefore important that the obligations relating to the technical capabilities for a range of operators can be imposed by the Government in order to ensure we keep ahead of the curve.

The hon. and learned Lady made the powerful point that the clause does not relate to personally applied encryption. However, measures in part 3 of RIPA 2000 provide for where law enforcement agencies can require an individual to remove encryption that he or she has applied themselves. We know that the Bill generally does not cover all the agencies’ powers. This is perhaps a welcome opportunity to remind ourselves of the existing provisions in part 3, so I am grateful to her.

Of course we accept that it may well be appropriate to exclude certain categories of operator from obligations under the clause—I am thinking, for example, of small businesses; we are always mindful of the burden of regulation on small businesses—but it is our intention to use secondary legislation to achieve that. It would not be appropriate in primary legislation to impose blanket exemptions on services with a communications element that are not primarily communications services. To do so would send a rather alarming and clear message to terrorists and criminals that communications over certain systems will not be monitored. That sort of carve-out recalls the point that I made about the use by criminals of seemingly unrelated or innocuous communications channels in other internet facilities or apps, in order to hide their illicit enterprises.

I know that I have taken up an inordinate amount of the Committee’s time. I am obliged to the Committee and to you, Ms Dorries, for your indulgence. I hope that I have set out the reasons why I urge hon. Members to withdraw the amendment, and I pray in aid my arguments as advancing the case that the clause should stand part of the Bill. I urge the hon. and learned Gentleman to withdraw the amendment.

I have only three issues to address. The first, which requires more attention from the Solicitor General—I say so with no disrespect—is the question of the extent of the prohibition on disclosure and, essentially, access to the courts or appropriate tribunals. On the face of it, clause 218(8) is a prohibition on disclosure, save with the permission of the Secretary of State. With respect to Committee members, I do not think that clause 220 provides the answer, because that deals with the consultation exercise where a notice is being reviewed.

I have no doubt that, if the Secretary of State exercised her power under clause 218(8) to prevent access to the courts, it would run straight into an article 6 access to courts argument that would succeed on judicial review. I had assumed that one could read into the clause by implication that permission would not be refused in a bona fide and proper case where access to court—or the relevant tribunal, which may be a better way of putting it—was an issue. If that were made clear for the record or by some redrafting of the clause, it would help. As I said, I think that, in practice, any court in this jurisdiction would strike down pretty quickly a Secretary of State who sought to prevent access to the court.

I think that the hon. and learned Gentleman is right about that. On that basis, I will have another look at clause 218(8), to get it absolutely right. I reassure him that it is not the Government’s intention to preclude access to the court.

I am reassured. I am sure that that would not be the case, but it might be sensible to clarify that rather than relying on clause 220, because I am not sure that that is the right way to do it. However, I will say no more about that.

I was going to press for votes on amendments 846 and 849, but I have listened carefully to what the Solicitor General said and to what the Minister said when he rose to make some observations earlier. They are by far the two most important amendments. Amendment 846 deals with encryption. I think I heard the Solicitor General say that he will look again at the wording of clause 218(4) to see whether it is possible to make clear what is clear in the code of practice, namely, that an obligation placed on a CSP to remove encryption relates only to electronic protections that the company itself has applied to intercepted communications and secondary data. That is clearly the position that the Government adopt, because it is now set out in the code. I think that the Solicitor General might accept that, at the moment, clause 218(4) does not quite achieve that objective. On the basis that he is prepared at least to look at that again, I will not press amendment 846.

Equally, amendment 849 relates to the test. I listened carefully to what the Minister said. It would be more sensible if the clauses were aligned with the other provisions in the Bill and made clear the necessity and proportionality test. The Minister’s intervention appeared to make clear what the expectation would be in any event; he made it clear that at least some consideration would be given to whether that expectation can be reflected in some way that is not apparent in the Bill. The observations made by the Solicitor General and the Minister persuaded me not to press the amendments to a vote, so I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

The Scottish National party is not happy with this clause without amendment. I was going to press it to a vote, but having heard what the Solicitor General said about the clause, and pending his writing to me, I am willing not to press it. I just lay down a marker in that respect.

Question put and agreed to.

Clause 217 accordingly ordered to stand part of the Bill.

Clause 218

Further provision about notices under section 216 or 217

Question proposed, That the clause stand part of the Bill.

The SNP takes the same position as it did on the previous clause.

Question put and agreed to.

Clause 218 accordingly ordered to stand part of the Bill.

Clause 219

Variation and revocation of notices

I beg to move amendment 734, in clause 219, page 170, line 8, at end insert

“(and in the application of section 218(3) and (4) in relation to varying a relevant notice, references to the notice are to be read as references to the notice as varied).”

This is a technical amendment. Ms Dorries, I should have welcomed you to the Chair earlier, but I do so now. The amendment is uncontentious and makes a drafting correction to clause 219. On that basis, it should not cause the Committee any undue concern, and I move it in that spirit.

Amendment 734 agreed to.

Clause 219, as amended, ordered to stand part of the Bill.

Clause 220

Review by the Secretary of State

I beg to move amendment 851, in clause 220, page 170, line 31, leave out subsection (6) and insert—

‘(6) The Board must consider the technical requirements and the consequences, for the person who has made the reference and for others likely to be affected, of the notice so far as referred.”

This amendment would require the Technical Advisory Board to look at more than just an implementation of cost measure and instead examine the full costs of the notice.

Our discussions have already strayed on to clause 220. This short amendment is reasonably clear. Subsection (6) makes it clear that the technical advisory board, referred to in subsection (5)(a),

“must consider the technical requirements and the financial consequences, for the person who has made the reference, of the notice so far as referred.”

That is where the person served with the notice has referred the notice back to the Secretary of State, which then triggers a consultation exercise. The board must be consulted; subsection (6) sets out what the board must consider. The amendment is fairly self-explanatory; it would serve the limited purpose of requiring the technical advisory board to look at more than just the implementation of cost measure, and instead examine the full costs of the notice.

As the hon. and learned Gentleman said, the amendment would broaden the scope of the technical advisory board by requiring it to consider other matters as part of any review of the obligations imposed by the Secretary of State in a notice. Under the amendment, the board would be required to consider the consequences for others likely to be affected by the obligations imposed by a notice. That is understandable—I can see why the hon. and learned Gentleman tabled the amendment—but unnecessary.

The technical advisory board is essentially a committee of experts. It has a very specific role to play in advising the Secretary of State on cost and technical matters. That role is reflected in its membership: a group of experts drawn from communications service providers and from those entitled to apply for warrants and authorisations under the Bill. Such people are well placed to consider the technical requirements and the financial consequences. If they consider it appropriate, they may look beyond cost and technical feasibility, but those matters, rightly, are the board’s central purpose and are at the core of its work. The board is also required to consider evidence or representations made by communications service providers and must report its conclusions to them and to the Secretary of State.

In my view, responsibility for considering the broader effects of the notice on the communications service provider to whom it has been given should sit with the Investigatory Powers Commissioner. While it is absolutely right that the board considers both the technical aspects and the cost, the broader matters that the hon. and learned Gentleman is rightly concerned about should fall within the scope of the commissioner, as they do in the Bill. As part of any review of the obligations set out in the notice, the commissioner must report on the proportionality of those obligations; that will include an assessment of the consequences of the notice, both on the persons seeking the review and on anyone else affected—which is essentially the argument the hon. and learned Gentleman made for the amendment.

Furthermore, the clause requires the commissioner to seek out the views of the person who has received the notice, who will have the opportunity to raise any concerns about the effect of the notice with the commissioner for consideration; the commissioner must report his or her conclusions to that person and to the Secretary of State. Essentially, combining the role and responsibilities of the board with the role and responsibilities of the commissioner means that each of them will provide a function central to the hon. and learned Gentleman’s concerns, so the amendment is unnecessary. I should add that the commissioner is properly and well placed to consider the proportionality of the matter as a whole, after careful assessment. The amendment’s wording would introduce duplication and, frankly, a degree of ambiguity about the respective roles of the board and the commissioner and about what each of them is considering. With that reassurance, I hope the hon. and learned Gentleman will withdraw the amendment.

The Minister says that the Bill places no inhibition on the wider technical consequences looked at by the board, and that other consequences rightly come under the remit of the commissioner. I am grateful for that clarification; I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Amendment proposed: 852, in clause 220, page 171, leave out lines 1 and 2 and insert—

“(9) The Secretary of State may, after considering the conclusions of the Board and the Commissioner, and with approval of a Judicial Commissioner—”.—(Keir Starmer.)

This amendment would require judicial authorisation for these clauses and bring them in line with other parts of the bill.

Question put, That the amendment be made.

Amendment proposed: 859, in clause 220, page 171, line 4, at end insert—

“(9A) Any variation made under subsection (9) must be approved by a Judicial Commissioner.”—(Keir Starmer.)

This amendment would require judicial authorisation for the variation and revocation of national security and technical capability notices. This would also extend the “double lock” standard that is set in other parts of the Bill.

Question put, That the amendment be made.

Clauses 220 and 221 ordered to stand part of the Bill.

Clause 222

Review of operation of Act

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to consider new clause 23—Review of the Operation of this Act

“(1) The Secretary of State shall appoint an Independent Reviewer to prepare the first report on the operation of this Act within a period of six months beginning with the end of the initial period.

(2) In subsection (1) “the initial period” is the period of four years and six months beginning with the day on which this Act is passed.

(3) Subsequent reports will be prepared every five years after the first report in subsection (1).

(4) Any report prepared by the Independent Reviewer must be laid before Parliament by the Secretary of State as soon as the Secretary of State is satisfied it will not prejudice any criminal proceedings.

(5) The Secretary of State may, out of money provided by Parliament, pay a person appointed under subsection (1), both his expenses and also such allowances as the Secretary of State determines.”

I inform the Committee that I consider clause 222 and new clause 23 to be alternatives. If the Committee decides that clause 222 should stand part of the Bill, I will not put the Question on new clause 23. If the Committee decides that clause 222 should not stand part, when the Committee comes to decisions on new clauses, I will put the necessary Questions on new clause 23 without debate.

I take it, Ms Dorries, that I am entitled to make a submission as to why the clause should not stand part of the Bill, and should instead be replaced with new clause 23.

In short, it is welcome that following the recommendation of the Joint Committee on the draft Bill, there is now some sort of sunset provision in the Bill. Those who sat on the Joint Committee or read its report will recall that various people who gave evidence made a strong case for a sunset provision in the legislation. The Information Commissioner summarised that case by saying:

“The draft Bill is far reaching and has the power to affect the lives of all citizens to differing degrees. For these reasons, the bill should include a sunset clause or other provisions requiring effective post legislative scrutiny. This would ensure that measures of this magnitude remain necessary, are targeted on the right areas and are effective in practice. To fail to make this provision risks undermining public trust and confidence. It will also enable the legislation to be considered in the light of the latest jurisprudence from the”

Court of Justice of the European Union and the European Court of Human Rights. Various variations on the Information Commissioner’s proposal were put to the Joint Committee by other witnesses, including medConfidential, Dr Paul Bernal, the right hon. Member for Haltemprice and Howden (Mr Davis), Privacy International and the Interception of Communications Commissioner’s Office.

The Home Secretary expressed reservations about having a sunset provision, but it is good to see that there is now some such provision in the Bill. What is missing from it, however, is an independent element.

Clause 222 provides that at the relevant time, which is roughly five years after the legislation has been passed, the Secretary of State

“must…prepare a report on the operation of this Act.”

It goes on to say that he or she

“must…take account of any report on the operation of this Act made by a Select Committee of either House of Parliament (whether acting alone or jointly).”

To an extent, that follows up on recommendation 86 of the Joint Committee, because it recommended that a provision be added to the Bill for post-legislative scrutiny by a Committee of the two Houses within six months of the end of the fifth year after the Bill was enacted. However, an independent element is missing from this sunset clause.

Throughout the deliberations of this Committee, much reference has been made to the report of the independent reviewer of terrorism legislation, David Anderson, QC. I think we can all see the benefit of having that sort of independent input. The purpose of new clause 23 is to transform this sunset clause into one that will have the necessary element of independence to ensure the sort of public confidence that is required for a sunset clause.

I remind members of the Committee that the Information Commissioner said that a sunset clause should be there to shore up public trust and confidence. Without the independent element, it is less likely that such public trust and confidence will be ensured. The purpose of new clause 23 is to provide that

“The Secretary of State shall appoint an Independent Reviewer”

to prepare the report, rather than it being done by the Secretary of State or persons acting under their auspices. The new clause would also provide that the necessary financial wherewithal was made available to enable that job to be done properly.

I shall speak briefly in support of new clause 23. The essential difference between this new clause and clause 222 is, of course, that the new clause would provide for a review within an initial period of five years and for subsequent five-yearly reviews, and for the reviews to be carried out by the independent reviewer, which we submit is more appropriate.

I understand why this new clause has been tabled, but it puts me in a bit of a dilemma. Is a review by the Secretary of State a good thing? Yes. I would therefore support clause 222 if I could not get anything better. I would not want to vote against the Secretary of State reviewing the Act if I lost on new clause 23, because it is sensible to have a Secretary of State review it. In other words, clause 222 is good, but new clause 23 is better; that is the way I would put it. I am in a dilemma, because if I vote against clause 222, I am voting against a good clause that I would naturally support in principle, but if the vote on new clause 23 was not carried—and having looked at the voting record so far, I am not confident that it would be—

Order. Mr Starmer, would it be helpful to say that you could table amendments to clause 222 on Report, if you wished to?

Yes, that is probably the way out of my dilemma, but really this is more for the record. I will not vote against clause 222, but that is not because I think it is preferable to new clause 23; I would like to have the new clause as well. We will reflect on how we deal with that apparent dilemma.

That was the most heartwarming qualified advocacy of an amendment that I have ever heard in Committee; I was quite touched by it. I could not help thinking that there must be countless Tory voters in Holborn and St Pancras who feel about the hon. and learned Gentleman as he feels about this clause. I know that he bathes in their generous acclamation on a daily basis. It was very decent of him to put his case in the way he did.

I will deal with the substance of the new clause and its purpose. The hon. and learned Gentleman is right that new clause 23 would replace the Government’s proposals for a review of the operation of the Act as set out in clause 222, and he is also right that the clause obliges the Secretary of State to report to Parliament on the operation of the Act within four to five years. He described the detail, and I will not tire Committee members by quoting it more specifically. The new clause proposes instead the appointment of an independent reviewer to report on the operation of the Act every five years, beginning five years after the Act is passed.

Where we find common cause is in thinking that both pre-legislative and post-legislative scrutiny are essential. One could make that argument for most legislation, but particularly for legislation in this field, for two reasons: first, its import; and, secondly, the changing circumstances that will doubtless apply, as regards both technology, which the Bill deals with expansively, and the threat we face. All we know about the changes that have taken place over recent years suggests that those changes will continue and may grow in character and speed.

I fully understand why the hon. and learned Gentleman wants the whole House to take a close look at these matters over time. Indeed, the Home Secretary, in her evidence to the Joint Committee on the draft Bill, said:

“As technology advances, it may be necessary to revisit the powers, the legislative framework and the safeguards that are available”.

That is eminently sensible, and something that the Government wholeheartedly support.

As I said, clause 222 provides for judicial review. The hon. and learned Gentleman did not mention it, but he will know that the Joint Committee looked at that, and said that

“the appropriate vehicle to do this would be a specially constituted joint committee of the two Houses. This work should begin within six months of the end of the fifth year after which the Bill is enacted. Although the appointment of such a committee would be a matter for the two Houses, a provision in the Bill would provide a clear mandate and guarantee the timescale for this review.”

The Joint Committee gave that quite careful consideration. The members of this Committee who were also members of that one will recall that they did so because of the shared determination, which the hon. and learned Gentleman has articulated well, that we should not assume that as time goes on we will not need to be reasonably flexible about the application of the powers.

The Solicitor General made a point about providing legislation that looks as far into the future as possible. Certainly, the purpose of the Bill is to not only draw existing legislation into a single place but, as far as one reasonably can, prepare for the future. However, in doing so, it is important to be mindful of what the Joint Committee said, reflecting the Home Secretary’s evidence.

The hon. and learned Member for Holborn and St Pancras will know that the Joint Committee went on to recognise that the Government cannot, in statute, require Parliament to appoint a post-legislative scrutiny Committee. Let me explain that a little more. Ms Dorries, as you will understand with your experience in the House, it is not for the Government to say what Select Committees might look at over time. It certainly would not be for the Government to dictate to the Intelligence and Security Committee, for example, how it should regard or review the legislation within its scope or purview. It would be a dangerous precedent to set to say that any particular Select Committee should, statutorily, consider matters at a particular point in time, or in a particular way.

The clause says that the report should take account of any other report on the operation of the Act, mindful of what I have just described—that is, that the ISC, other Select Committees, or Committees of both Houses could bring evidence to bear that would inform that review. In essence, it would be a matter for Parliament to decide precisely what was looked at and when, within the confines determined in the Bill, but it is essential that the Secretary of State is missioned to report on the Bill’s implementation in the timetable described. That is something that legislation can quite properly do; it both gives all kinds of powers to the Secretary of State, and confirms those powers.

While I can see why the hon. and learned Gentleman supports the new clause, it is unnecessary, not because of the intent, but because of the detail. Essentially, we are offering two different models in order to achieve the same end. A parliamentary Committee would be just as independent as a separately appointed reviewer—and it would avoid the argument, which I know Opposition Members would be quick to have, about who should be responsible for appointing the reviewer.

This may be blindingly obvious, and any Secretary of State, including the current one, would almost certainly take this into account anyway, but could we amend subsection (3) to make it absolutely clear that the Secretary of State must take into account reports of the independent reviewer in addition to those of Select Committees? While that is not precisely what the new clause would achieve, and while I am absolutely sure that any Secretary of State would do that in any event, it would weave in an element of the new clause’s intention. It would not presuppose that there would necessarily be a report, but if there were one, it would be taken into account.

I am not unsympathetic to that suggestion, but let me qualify that slightly. There is an argument to say that we would want another reviewer involved in the process, because what we want is as much empiricism as possible. We have neither the time nor the patience for a long debate about the philosophical character of empiricism, and I am not an empiricist, philosophically, but in terms of legislation, it matters. There is an argument for introducing still more independence into the process.

The hon. and learned Gentleman is right to say that, of course, the Secretary of State would want to take into account the views of all those in positions of authority who have taken a view on the Bill and its implementation and effects in her or his report. I certainly would not want to exclude from that consideration any of the authoritative reports published on the Bill. I think that probably meets the hon. and learned Gentleman halfway, and perhaps a little more than halfway.

Any parliamentary review would take evidence from a range of witnesses. It is, again, almost inconceivable that the independent reviewer would not be a key witness, as our current independent reviewer was to the Joint Committee and other Committees of the House. It would—again, as the Joint Committee did—be likely to appoint technical advisers, who would inform the process and work in concert with the ISC. While the Government support a post-legislative review of the Bill, that review should be conducted by Parliament—by legislators drawing on external expertise and evidence, as the Joint Committee recommended. I therefore invite hon. Members not to press the new clause to a vote.

I will not press new clause 23 to a vote.

Question put and agreed to.

Clause 222 accordingly ordered to stand part of the Bill.

Ordered, That further consideration be now adjourned. —(Simon Kirby.)

Adjourned till this day at Seven o’clock.

Investigatory Powers Bill (Sixteenth sitting)

The Committee consisted of the following Members:

Chairs: †Albert Owen, Nadine Dorries

† Atkins, Victoria (Louth and Horncastle) (Con)

† Buckland, Robert (Solicitor General)

† Burns, Sir Simon (Chelmsford) (Con)

† Cherry, Joanna (Edinburgh South West) (SNP)

† Davies, Byron (Gower) (Con)

† Fernandes, Suella (Fareham) (Con)

† Frazer, Lucy (South East Cambridgeshire) (Con)

† Hayes, Mr John (Minister for Security)

† Hayman, Sue (Workington) (Lab)

† Kinnock, Stephen (Aberavon) (Lab)

† Kirby, Simon (Brighton, Kemptown) (Con)

Kyle, Peter (Hove) (Lab)

† Matheson, Christian (City of Chester) (Lab)

† Newlands, Gavin (Paisley and Renfrewshire North) (SNP)

† Starmer, Keir (Holborn and St Pancras) (Lab)

† Stephenson, Andrew (Pendle) (Con)

† Stevens, Jo (Cardiff Central) (Lab)

† Warman, Matt (Boston and Skegness) (Con)

Glenn McKee, Fergus Reid, Committee Clerks

† attended the Committee

Public Bill Committee

Tuesday 3 May 2016

(Evening)

[Albert Owen in the Chair]

Investigatory Powers Bill

Clause 223

Telecommunications definitions

I beg to move amendment 869, in clause 223, page 172, line 41, leave out sub-paragraph (i) and insert—

‘(i) is about an entity to which a telecommunications service is provided by that telecommunications operator and relates to the provision of that service,”

This amendment clarifies the definition of communications data, limiting requirements on organisations to be providing data about the services that they supply.

It is a pleasure to welcome you back to the Chair, Mr Owen. This is an amendment to the interpretation clause dealing with telecommunications definitions, in particular subsection (5), which deals with the definition of communications data. The amendment would replace subsection (5)(a)(i) with the purpose of clarifying that the definition of communications data applies to the providers of the relevant telecommunications services, rather than allowing an organisation to be required to provide data about services it does not provide. Without the amendment, the definition of communications data is flawed because it does not tie the data to the provider of the telecommunications service and therefore seems set to encompass third-party data, which I know the Home Office denies is the intent.

The amendment would make two small changes. First, it specifies that the telecommunications service has to be provided by that telecommunications operator—in other words, it avoids pulling in third-party data. Secondly, it specifies that the data relate to the particular service provided and not to a different one. I will be interested to hear what the Solicitor General has to say about this amendment, which seeks to clarify and tighten up the clause.

It is good to see you back in your place, Mr Owen. I look forward to a fruitful session.

I welcome the hon. and learned Lady’s remarks. We considered these issues in the context of part 4, in particular third-party data. I do not want to rehearse the arguments about why we consider the code of practice to be the appropriate place to enforce the commitment made by my right hon. Friend the Home Secretary on the Floor of the House on Second Reading. However, the Government note the strength of feeling on this issue, as evidenced by the outcome of the vote on an earlier amendment. We have heard that message loud and clear, so we are considering whether we could do more to make the commitment clear. I hope that that gives the hon. and learned Lady some reassurance that we are taking these matters seriously, and I am grateful to her for raising them.

The aim of the amendment appears to be to prevent a public authority from obtaining third-party data and to prevent a communications service provider from being required to retain those data. I am not sure that the amendment achieves that desired outcome. It would remove third-party data from one element but not from all elements of the definition of communications data. I do not think there is any debate about the need to get the definition of communications data right, but it must correctly and logically classify the data held by CSPs or what can be reasonably obtained by them. The principle of communications data is clear; changing the definition so that the classification of data changes depending on which provider holds it would cause a degree of confusion that I am sure the hon. and learned Lady does not intend.

My first argument is that the clause is not the right place to prevent public authorities from obtaining third-party data or to prevent a CSP from being required to retain them. Clause 53(5)(c) makes it clear that a communications data authorisation can provide for the obtaining of third-party data where that is reasonably practicable for the communications service provider. That maintains the existing provision under the Regulation of Investigatory Powers Act 2000. Where a CSP holds communications data, whether in relation to its services or those provided by a third party for its business purposes, or where it is able to obtain them, they should be available to the public authorities for the statutory purposes in the Bill. We should not put them out of the reach of law enforcement agencies, based solely upon which company holds the information.

I suspect that the hon. and learned Lady’s intent may be to stop a service provider being forced to comply with an unreasonable requirement relating to third-party data—[Interruption.] I am grateful to her for indicating her assent. I assure her and the Committee that, in my view, the Bill already does that. A provider is required to comply with a request for comms data, including third-party data, only where reasonably practicable for them to do so. There is no need to impose a further restriction on that basis.

I recognise the sensitivities of third-party data, but I am afraid that a blanket restriction on its acquisition is not the way forward. We consider that the Bill and the code of practice strike the right balance. On the basis of my earlier assurances to the hon. and learned Lady about getting the language clear, I invite her to withdraw the amendment.

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 223 ordered to stand part of the Bill.

Clause 224 ordered to stand part of the Bill.

Clause 225

General definitions

I beg to move amendment 870, in clause 225, page 177, line 11, at end insert—

‘(a) an advocate,

(b) a barrister,

(c) a solicitor.’

This amendment provides a definition of a “professional legal adviser” relating to use of the term in clauses 25, 100, 135 and 171.

I am grateful to the Law Society of Scotland for drawing my attention to the necessity of this amendment. When we debated the clauses on legal professional privilege—we have done so on a number of occasions during this Committee’s proceedings—I drew attention at an early stage to the Law Society of Scotland’s evidence to the Joint Committee. It gave evidence alongside the Law Society of England and Wales and expressed its shared and serious concerns about the requirement to provide for the protection of legal professional privilege on the face of the Bill. It is pleased that the Government have taken steps to do that, although it is not happy with the extent of the protection provided. That is perhaps a debate for another day.

The purpose of the amendment is to deal with the definition of items subject to legal privilege at line 29, on page 175. The amendment deals with the definition in relation to Scotland and would define a “professional legal adviser” as a person who is an advocate—that is, of course, the correct professional designation for counsel in Scotland or a Scottish barrister—a barrister or a solicitor. The aim is to avoid leaving the definition of a “professional legal adviser” open to too wide or ambiguous an interpretation. It will limit the definition of those who are qualified to provide professional legal services to advocates, solicitors and, in certain circumstances, barristers. I will be interested to hear what the Solicitor General has to say about the proposed definition of a “professional legal adviser”.

When I saw the amendment, I was reminded of points I made earlier regarding the dangers of over-defining either legal professional privilege itself or those who are subject to it. Let us remind ourselves that legal professional privilege exists not to create a special category of person—in this case, a lawyer—who is exempt from requirements by which the rest of us have to abide, but to protect the client and the integrity of the advice that a lawyer may give to their client. My concern about the proposed definition is that it limits the definition of what items would be subject to legal privilege. For example, legal executives might well be in the position where they are giving advice and are covered by legal professional privilege. Even paralegals could be, should be and would be covered by legal professional privilege.

I absolutely accept the intention behind the amendment, but however well intentioned it might be, trying to define “professional legal adviser” in the Bill would actually damage and undermine the importance of legal professional privilege. We have had many debates about it, but I think the Bill serves to protect that privilege. We are continuing to discuss the precise extent to which that is reflected in all parts of the Bill, but there is no doubt about the Government’s clear intention. I am proud to be a Minister supporting this approach because I always felt that RIPA was deficient in that respect—I held those views long before I became a member of the Government. I am pleased that we are making such progress.

I am interested in the Solicitor General’s point about legal executives or paralegals. Does he agree that, in so far as communications with such individuals would require protection, they would be protected by subsection (1)(b)(ii), which specifies

“communications made in connection with, or in contemplation of, legal proceedings and for the purposes of those proceedings”?

That is a good point, but there is a danger that we overcomplicate the situation and end up restricting what is commonly understood as the important legal professional privilege that exists between lawyer and client. Instead of overcomplicating it, it would be far better to keep maters straight and reflect the position provided for in the Police and Criminal Evidence Act 1984, which applies here in England and Wales, the Police and Criminal Evidence (Northern Ireland) Order 1989 and the definitions relating to Scotland. The other statutes for England, Wales and Northern Ireland do not define “professional legal adviser” and I do not see a compelling need to do so here. As I have explained, the Bill goes a long way towards protecting that important legal privilege and serving the interests that that privilege is all about. It is not about the lawyers but the client. Fundamentally, it is that communication that merits special protection.

I wholly accept that it is not about lawyers but about the client, but is there not a need to define what is meant by “professional legal adviser”? That is all this is about really.

The hon. and learned Lady puts her case with her customary spirit and brio, if I may say so, but despite her attempts to persuade me, I am concerned that if we seek to narrow the definition in the way the amendment would, the sort of unintended consequences that I know the hon. and learned Lady would be very reluctant to see happen might flow. We should not, in the context of primary legislation, start to define what is better explained in other ways. For that reason, I urge her to withdraw the amendment.

I hear what the Solicitor General has to say, and in the circumstances I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 225 ordered to stand part of the Bill.

Clauses 226 to 231 ordered to stand part of the Bill.

Schedule 9 agreed to.

Clause 232 ordered to stand part of the Bill.

Schedule 10

Minor and consequential provision

I beg to move amendment 634, in schedule 10, page 235, line 33, leave out paragraph 46.

This amendment omits the amendments of paragraph 19ZD of Schedule 3 to the Police Reform Act 2002. Paragraph 19ZD is to be repealed by the Policing and Crime Bill.

This is a technical amendment that essentially removes the duplication of a consequential provision in another piece of legislation—the Policing and Crime Bill—that makes what is in this Bill unnecessary. It is entirely uncontentious and I will not tire the Committee by speaking for any longer.

Amendment 634 agreed to.

Schedule 10, as amended, agreed to.

Clause 233

Commencement, extent and short title

Question proposed, That the clause stand part of the Bill.

With this it will be convenient to consider:

New clause 24—Duration of this Act

“(1) This Act expires at the end of one year beginning with the day on which it is passed (but this is subject to subsection (2)).

(2) Her Majesty may by Order in Council provide that, instead of expiring at the time it would otherwise expire, this Act shall expire at the end of a period of not more than one year from that time.

(3) Such an Order may not provide for the continuation of this Act beyond the end of the year 2022.

(4) No recommendation may be made to Her Majesty in Council to make an Order under subsection (2) unless a draft of the Order has been laid before, and approved by a resolution of, each House of Parliament.”

New clause 24 is a true sunset clause, modelled on clause 1 of the Armed Forces Bill currently before Parliament. We had a spirited debate before the break about potential replacements for clause 222, which is a clause of review. The new clause is another alternative—a sunset clause in the true meaning of the term, which would provide for the Act to expire at the end of a certain period, subject to certain provisos. I do not intend to push the new clause further at this point, given the position we took in relation to new clause 23.

Clearly, the sunset clause that the new clause proposes is being debated—briefly, I hope—as we approach the sunset of our consideration of this important Bill. A sunset provision is often a feature of emergency legislation and has indeed been appeared in legislation of the kind that we are now debating. It is usually because the legislation has been introduced to meet some particular short-term challenge and Parliament is given limited time in which to consider the legislation responding to that challenge. That is not the case in respect of this Bill, which has had extensive prelegislative scrutiny, both before its draft incarnation and since. It has now had considerable scrutiny by the Committee, and will no doubt continue to be scrutinised as it progresses through its further stages. I am therefore not sure a sunset clause is appropriate.

The hon. and learned Lady is well aware of the three independent reviews that preceded the publication of the Bill, and of the three Committees of this House that have considered the Bill in considerable detail since then. One of those—the Joint Committee—considered at length a sunset clause and a review of the legislation. We debated that a few minutes ago under an earlier group of amendments. As I said at that time, rather than proposing a sunset clause, the Joint Committee suggested a review of the legislation. I understand that suggestion, given the dynamism of the circumstances that the Bill is designed to address—the need to deal with changing technology and so on and so forth. Indeed, the Government, taking full account of the sagacity of the Joint Committee, have built that into the Bill in clause 222, which we have debated at some length.

The complexities of this legislation are acknowledged and understood. I can see why the hon. and learned Lady makes a case for this sort of consideration. In David Anderson’s report on these matters, which I will not quote at immense length unless the members of the Committee wish me to do so, he makes clear that although it is important to consider the effects of the Bill, it is not necessary to accelerate that process in the way that the new clause would. He also makes clear, as others have, that it is vital that the legislation stands the test of time and is fit for the future. I am therefore uncomfortable with introducing specific deadlines of the kind proposed in the new clause.

The hon. and learned Lady has repeatedly and rightly argued that many of the provisions of the Bill require considerable investment. The obligations such as those in respect to data retention require a lot of thought, a good deal of planning and an investment of time and effort from communications service providers and others. Putting that infrastructure into place is a testing business; it is the right thing to do, but it is testing none the less—a point made by the hon. Member for City of Chester and others during the course of the Committee’s consideration. Then to say that we are going to look at all of that again in 12 months’ time sends out a very unhelpful signal to those we are missioning to do that work. We have gone about this business thoroughly. We have discussed this at length with communications services providers throughout the process and time and again they have said that they want certainty; they want a reasonable degree of surety about what is expected of them. I think they would be reticent about investing in the way that they need to if they felt that this all might change in 12 months’ time.

The Home Secretary put the case as well as it can be put when she told the Joint Committee that “advances in technology” are not

“going to move according to sunset clauses established by Parliament.”

Although it is important that these matters are reviewed—as I said on clause 222, we have set into motion the means by which they will be reviewed—I do not think a sunset clause of the type proposed is the right way forward. On that basis, given the assurances that I have offered, I hope the hon. and learned Member for Edinburgh South West will see fit not to press the new clause.

Yes, I confirm I will not press the new clause.

Question put and agreed to.

Clause 233 accordingly ordered to stand part of the Bill.

New Clause 12

Warrants: notification by Judicial Commissioner

“(1) Upon completion of conduct authorised by a warrant under this Part, or the cancellation of a warrant issued under this Part, a Judicial Commissioner must notify the affected party, in writing, of—

(a) the conduct that has taken place, and

(b) the provisions under which the conduct has taken place.

(2) The notification under subsection (1) must be sent within thirty days of the completion of the conduct or cancellation of the warrant.

(3) A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the affected party.

(4) A Judicial Commissioner must consult with the person to whom the warrant is addressed in order to fulfil an assessment under subsection (3).”.—(Joanna Cherry.)

This amendment would introduce a requirement that all equipment interference produces a verifiable audit trail. This will be particularly vital to the success and legitimacy of prosecutions. It is recommended that further provision for the independent verification of audit trails is included in Part 8 (Oversight Arrangements).

Brought up, and read the First time.

With this it will be convenient to discuss the following:

New clause 13—Audit trail of equipment interference—

“Any conduct authorised under a warrant issued under this Part must be conducted in a verifiable manner, so as to produce a chronological record of documentary evidence detailing the sequence of activities (referred to hereafter as ‘the audit trail’).”.

New clause 18—Notification by Intelligence and Surveillance Commissioner

“(1) The Intelligence and Surveillance Commissioner is to notify the subject or subjects of investigative or surveillance conduct relating to the statutory functions identified in section 196, subsections (1), (2) and (3), including—

(a) the interception or examination of communications,

(b) the retention, accessing or examination of communications data or secondary data,

(c) equipment interference,

(d) access or examination of data retrieved from a bulk personal dataset,

(e) covert human intelligence sources,

(f) entry or interference with property.

(2) The Intelligence and Surveillance Commissioner must only notify subjects of surveillance under subsection (1) upon completion of the relevant conduct or the cancellation of the authorisation or warrant.

(3) The notification under subsection (1) must be sent by writing within 30 days of the completion of the relevant conduct or cancellation of the authorisation or warrant.

(4) The Intelligence and Surveillance Commissioner must issue the notification under subsection (1) in writing, including details of—

(a) the conduct that has taken place, and

(b) the provisions under which the conduct has taken place, and

(c) any known errors that took place within the course of the conduct.

(5) The Intelligence and Surveillance Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (3) if the Commissioner assesses that notification may defeat the purposes of an on-going serious crime or national security investigation relating to the subject of surveillance.

(6) The Intelligence and Surveillance Commissioner must consult with the person to whom the warrant is addressed in order to fulfil an assessment under subsection (5).”.

The new clause relates to part 5 of the Bill, which deals with equipment interference—more colloquially known as “hacking”. The effect of the new clause would be to require that the targets of hacking, or the targets of equipment interference, are notified after the fact, as long as that does not compromise any ongoing investigation. The effect of the new clause would mean that the judicial commissioners were under a mandatory statutory duty to notify those subject to surveillance once a particular operation or investigation had ended. At present, unlawful surveillance only comes to light as the result of a chance leak, whistleblowing or public interest litigation of the sort brought by Liberty and other non-governmental organisations and concerned citizens. That is deeply unsatisfactory and is also potentially contrary to our obligations under the European convention on human rights. If a person’s article 8 and other Human Rights Act-protected rights have been infringed, in order to have access to an effective remedy, as required under human rights law, the person must first be made aware of a possible breach. This was stated by the Court in Strasbourg in Klass v. Federal Republic of Germany back in 1978 and reiterated more recently in Weber and Saravia v. Germany in 2006. In both cases, the European Court of Human Rights reiterated

“that the question of subsequent notification of surveillance measures is inextricably linked to the effectiveness of remedies before the courts and hence to the existence of effective safeguards against the abuse of monitoring powers, since there is in principle little scope for recourse to the courts by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their legality retrospectively.”

More recently, in the case of Zakharov v. Russia in December 2015, the Grand Chamber of the European Court of Human Rights found that judicial remedies for those subjected to interception in Russia were generally ineffective, particularly in light of the total absence of any notification requirement with regard to the interception subject, which meant that there was no meaningful ability to mount retrospective challenges to surveillance measures, and therefore such provision as there was in Russia was ineffective. Do we want to be passing legislation that is as ineffective in the protection of our constituents’ rights as that in Russia?

The Bill, as it stands, provides a new power for the Investigatory Powers Commissioner to inform someone subjected to a surveillance error by a public authority, but not by a communications service provider, if the commissioner is made aware of it and considers it sufficiently serious, in the public interest, not prejudicial to national security, and so on. We debated that at some length last week. For an error to be serious, it must have caused significant prejudice or harm to the person concerned.

As we also discussed last week, the Bill states that a breach of the Human Rights Act is not, in itself, sufficient for an error to be considered serious, which is a serious shortcoming of the Bill. When notifying someone of an error, before making a decision the Investigatory Powers Commissioner must ask the public authority responsible for the error to make submissions to the commissioner about the matter concerned. That is a narrow, arbitrary and highly discretionary power that will relate only to the most serious errors that judicial commissioners discover during their very limited audit of the use of surveillance powers, which highlights the conflicted position in which judicial commissioners may find themselves, and it does not discharge the Government’s human rights obligations to provide post-notification by default unless they can justify continued secrecy. That is very significant because the security repercussions of hacking into a device or network create an even greater imperative for post-notification, as we discussed at length when we debated amendments and clauses under part 5.

When we debated part 5, it was noted by me and others that a hack, once it has been carried out, may compromise the security of the hacked device, leaving it open to further exploitation by criminals or even other Governments. It is the equivalent of the state breaking into a house, conducting a search and then leaving without locking the doors and without the resident realising that all that has happened. It is one thing for the state to hack into a device where it is strictly necessary and proportionate, but it is quite another for the state to leave the scene, leaving individuals vulnerable to criminal attacks with no way of protecting themselves. If the Government wish their security and law enforcement agencies to have this significant power, they must accept the concomitant responsibility. The purpose of new clause 12, put briefly, is to put the judicial commissioners under a mandatory statutory duty to notify persons after the fact, once an operation or investigation has ended, unless there are very good reasons not to do so.

New clause 13 also addresses equipment interference, or hacking, under part 5. The purpose of the new clause is to introduce a requirement that all equipment interference must be accompanied by a verifiable audit trail. The reason for the new clause is that hacking or equipment interference can include any number of methods, many of which empower the hacker to add, delete and alter files and software, changing the content of the hacked device. Unlike traditional searches, the practice of equipment interference necessitates interference with items that may later be used as evidence, and the new clause would protect the integrity of such potential evidence and the success of prosecutions. It is essential that we do that, because otherwise potential evidence could be compromised in such a way that it was not able to be used and prosecutions could be undermined. With an independently verifiable audit trail, however, that risk ought to be avoided.

Another benefit of an audit trail is that it provides a helpful way of seeing that the conduct has taken place in accordance with good practice. Similarly, the police have to keep a log of activity undertaken when conducting traditional property searches, and those of us who have experience of the criminal courts will know how useful those logs are. A verifiable audit trail would be particularly vital should certain practices be conducted by telecommunications operators; if tasks were outsourced to private contractors it would ensure that they were carried out in accordance with the law. The new clause, therefore, is in the public interest and it strengthens the power in the Bill, in the sense that it tries to protect the integrity of evidence and the success of subsequent prosecutions.

New clause 18 relates to part 8 of the Bill. It would introduce a new duty of general notification and create the presumption that subjects of surveillance had been notified after the end of a period of surveillance, subject to a public interest in preserving the integrity of police investigations and national security inquiries. What underlies the new clause is the key safeguard identified by the European Court of Human Rights that individuals be notified of surveillance as soon as is reasonably possible.

The House of Lords Constitution Committee previously recommended that

“individuals who have been made the subject of surveillance be informed of that surveillance, when completed, where no investigation might be prejudiced as a result”,

and provision for mandatory notice would allow individuals to pursue a claim before the tribunal in their own right, even in circumstances where the investigatory powers commissioner had not identified an error. That model operates in other countries without difficulty, and although notification in sensitive cases might be less likely, the potential for disclosure could create an additional impetus towards lawful decision making by agencies and other bodies that were exercising the compulsory powers.

I will give some examples of what happens in other countries. For instances of intersection and law enforcement matters in the United States of America, notification is, by default, within 90 days of the termination of the relevant surveillance, unless the authorities can show that there is good cause to withhold the information. A similar model operates in Canada, where the subject of an intersection warrant for the purposes of law enforcement must be given notice within 90 days of a warrant expiring, but the period can be extended by up to three years in terrorism claims, subject to judicial oversight if it is in the interests of justice. I understand also that similar notification provisions apply in Germany and the Netherlands, with similar exemptions to protect the integrity of ongoing inquiries.

I am anxious to know, therefore, what Ministers have to say about the proposed new clauses. I have been careful in my arguments to emphasise that adding the new clauses to the Bill need not compromise the integrity of surveillance and investigations. Other countries do it. They have time lapses and exceptions to extend a time lapse, as in Canada, from 90 days to up to three years for a terrorism claim, again subject to judicial oversight and the question whether it is in the interests of justice.

The thrust of my argument is necessity. The amendments are necessary for us to comply with our duties under the European convention on human rights, and it appears that they operate without problem in other jurisdictions, not just on the continent of Europe but in the United States of America and in Canada.

I have listened with great care to the arguments of the hon. and learned Lady. I absolutely agree that, where a serious error has occurred in the use of investigatory powers, the commissioner should be able to inform those affected. We have clause 198(1) to deal with that. However, I do not agree with the principle that as a matter of course, everyone or anyone subject to the use of a lawful investigatory power should be notified of the use of those powers, even with the caveat “unless it would damage an ongoing serious crime or national security investigation”. Such a principle would mean that we could not exclude the possibility of having to notify suspected criminals and terrorists that powers had been used against them, just because a specific ongoing investigation had stalled or indeed ended with evidence of wrongdoing, but without sufficient evidence to meet the prosecution test.

As hon. Members will know, suspected criminals and terrorists will often appear on the radar of the police and security services at different times and in different contexts. Clearly, it would not be at all appropriate to inform them that investigatory powers had been used in one case, as that could prompt them to change how they behave or communicate and hamper subsequent investigation.

National security is particularly important in relation to this matter, because the amendment would require the commissioner to make the subject of interest aware of the conduct that had taken place. That would not only run contrary to the long-standing policy of successive Governments of neither confirming nor denying any specific activity by the security and intelligence agencies; it would essentially require the techniques that they use in specific cases to be made public. That cannot be in the public interest. It would assist terrorists and criminals in their operations, which I am sure cannot be the intention behind the amendment.

Furthermore, the commissioner can delay notification only on the basis of serious crime rather than of crime generally, meaning that the amendment would require the commissioner to inform suspects in active criminal investigations that their communications data had been acquired. One example is an investigation into stalking. It may well not meet the serious crime threshold, but as we have discussed in another context, communications data could be essential, because they could show contact between two parties. My worry about the amendment is that it would require the stalker to be informed that his communications data had been requested, which surely cannot be the intent.

Does the Solicitor General agree that new clause 12(3) deals with the very problem that he has just identified? It says:

“A Judicial Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (2) if the Judicial Commissioner assesses that notification may defeat the purposes of an ongoing serious crime or national security investigation relating to the affected party.”

I am afraid that it does not, because it uses the words “serious crime”. I have given an example that might not be seen as a serious crime, although as we all know, stalking is absolutely no joke to the victims and can lead to extremely serious consequences for them. I know that the hon. and learned Lady agrees with me about all that.

Beyond the principled objections to the amendment, there are numerous practical problems. It would not be practical, for example, for the commissioner to make everyone whose data were subject to a data retention notice aware of that fact. The commissioner would have to require the relevant telecommunications operator to provide them with a list of all relevant customers, and that operator would have to inform the commissioner every time a new customer joined the service. I worry that it would be pretty easy for criminals to use that process to identify services that they could use to avoid detection, and that unreasonable burdens would be put on all the public authorities covered by the Bill.

By way of probing, if we were to delete the word “serious”, so that the subsection read, “notification may defeat the purposes of an ongoing criminal investigation or a national security investigation,” would that deal with the Solicitor General’s concerns?

I am grateful to the hon. and learned Lady for the way in which she is seeking a reasonable compromise, but I worry that her proposed approach is, on that basis, unnecessary. We already have checks and balances in the framework of the Bill that allow for serious error to be properly identified and dealt with, and for those affected to be notified. As I was saying, I worry that we would end up placing unreasonable burdens on public authorities by requiring them constantly to make a case to the commissioner about whether what they were doing would hamper national security or crime investigations if suspects were told that investigatory powers were being used against them. It would be far better for the police to spend their time and money on getting on with the work of investigating criminals than on determining whether individuals should be informed about what we should not forget is perfectly lawful investigative activity, with the caveat I mentioned about serious error.

Furthermore, in the context of bulk warrants under parts 6 and 7 of the Bill, the public authority or commissioner would need to examine all the data collected under the warrant to identify those individuals whose data had been collected. That would be impracticable and would actually lead to greater intrusions into privacy, because, as we know, bulk data are not examined to that degree unless there is a specific purpose and a properly framed approach. I am sure that cannot be the intention of the amendment. These proposed new clauses are at best unnecessary and at worst frankly unhelpful, and risk undermining the work of our law enforcement and security and intelligence agencies.

On new clause 13 and the audit trail point, the draft code of practice, at paragraph 8.5, requires that

“When information obtained from equipment interference is used evidentially, the equipment interference agency should be able to demonstrate how the evidence has been recovered, showing each process through which the evidence was obtained.”

There will, however, be circumstances when equipment interference is used on an intelligence-only basis—that is, a non-evidential basis. Given those points, and given that it is in the interests of law enforcement and the intelligence agencies to ensure that where equipment interference is used to support a criminal investigation, that is done accordance with evidential standards, new clause 13 is, with respect, not necessary.

If that new clause is in fact about the enhancement of oversight, we have made it clear that while the powers of the new commissioner are being significantly increased, their resources will be greatly increased, which means that they will be able to audit, inspect and review equipment interference agencies as they see fit. In addition, the draft code of practice for equipment interference will require the relevant agencies to keep extensive records to support and enable oversight. There has been no suggestion from the current oversight commissioners in respect of property interference warrantry that a statutory requirement for an audit trail is necessary.

The hon. and learned Lady properly made reference to recent ECHR authorities, most notably Zakharov, a case that I have looked at in the context of these debates. We have to be careful about Zakharov, because it deals with the targeted interception regime—a particular aspect of the debate, as she knows—rather than the bulk regime, in relation to which it is sometimes prayed in aid. I give that caveat in the spirit of fairness, because of course the Zakharov case contained reference to Kennedy v. United Kingdom, a 2010 case in which the UK was found to be in compliance with article 8. In particular, the role of the Investigatory Powers Tribunal was seen as an important part of the checks-and-balances mechanism that allowed the Court to come to the conclusion that the article 8 requirements were satisfied.

We know that the Zakharov case was in the context of a Russian domestic law scenario, which I think we all agree is somewhat different from the scenario in which we work. I do not seek to palm it off glibly on the basis that it relates to Russia and not to the UK, but looking at the ambit of Zakharov and the domestic context in which that case was brought, it is somewhat more difficult than appears at first sight to draw direct comparisons and conclusions from that authority that undermine the carefully calibrated approach the Government are taking to investigatory powers. For all those reasons, I respectfully ask the hon. and learned Lady not to press her new clause.

I would like to put my new clauses to the vote.

Question put, That the clause be read a Second time.

New Clause 13

Audit trail of equipment interference

‘Any conduct authorised under a warrant issued under this Part must be conducted in a verifiable manner, so as to produce a chronological record of documentary evidence detailing the sequence of activities (referred to hereafter as “the audit trail”).’—(Joanna Cherry.)

Brought up, and read the First time.

Question put, That the clause be read a Second time.

New Clause 18

Notification by Intelligence and Surveillance Commissioner

‘(1) The Intelligence and Surveillance Commissioner is to notify the subject or subjects of investigative or surveillance conduct relating to the statutory functions identified in section 196, subsections (1), (2) and (3), including—

(a) the interception or examination of communications,

(b) the retention, accessing or examination of communications data or secondary data,

(c) equipment interference,

(d) access or examination of data retrieved from a bulk personal dataset,

(e) covert human intelligence sources,

(f) entry or interference with property.

(2) The Intelligence and Surveillance Commissioner must only notify subjects of surveillance under subsection (1) upon completion of the relevant conduct or the cancellation of the authorisation or warrant.

(3) The notification under subsection (1) must be sent by writing within 30 days of the completion of the relevant conduct or cancellation of the authorisation or warrant.

(4) The Intelligence and Surveillance Commissioner must issue the notification under subsection (1) in writing, including details of—

(a) the conduct that has taken place, and

(b) the provisions under which the conduct has taken place, and

(c) any known errors that took place within the course of the conduct.

(5) The Intelligence and Surveillance Commissioner may postpone the notification under subsection (1) beyond the time limit under subsection (3) if the Commissioner assesses that notification may defeat the purposes of an on-going serious crime or national security investigation relating to the subject of surveillance.

(6) The Intelligence and Surveillance Commissioner must consult with the person to whom the warrant is addressed in order to fulfil an assessment under subsection (5).’—(Joanna Cherry.)

Brought up, and read the First time.

Question put, That the clause be read a Second time.

New Clause 22

Retention of Communications data

“An operator who has not been designated as the operator of an electronic communications network or service according to section 34 of the Communications Act 2003; or whose service has fewer than 50,000 subscribers, shall not be required to comply with a retention notice under section 78 of this Act.” —(Joanna Cherry.)

This new clause excludes the providers of rural or community access communications services and small service providers from the obligation to collect and retain data.

Brought up, and read the First time.

I beg to move, That the clause be read a Second time.

The new clause relates to part 4 of the Bill, in particular clause 78, and to the retention of communications data. It would exclude the providers of rural or community access communication services and small service providers from the obligation to collect and retain data, which I believe would be in accordance with policy statements made by the Home Office. I am indebted to William Waites, Duncan Campbell and Adrian Kennard for drawing our attention to the need for this new clause and for assisting in its drafting. I can do no better than remind hon. Members of the statement submitted by Mr Waites on behalf of his organisation, HUBS CIC—document 53 in the written evidence submitted to the Committee—in which he explains:

“I am a founder and director of HUBS CIC, a Scottish Community Interest Company whose purpose is to facilitate broadband provision in rural and remote parts of the country outwith the reach of the large, well-known carriers.”

Hon. Members will be aware of this issue, which has been debated elsewhere in the House in this Session. The statement continues:

“HUBS’ members are small Internet Service Providers typically with tens to hundreds of individual end-user subscribers each. Together they provide the only available Internet service in large swathes of the West Highlands and the South of Scotland…HUBS does not provide service to end-users but instead makes bulk Internet services available to its members that would not otherwise be obtainable due to their small size.”

The members’ concern about clause 78

“is about how the data retention requirements…in particular, and the new obligations and duties on Telecommunications providers in general relate to service providers operating in the environment of HUBS’ membership…A typical member’s entire network infrastructure will cost on the order of tens or hundreds of thousands of pounds. It is optimised for lightweight, energy efficient operation. There are no data centres or indeed cabinets that have adequate physical security for safely storing the most intimate records of individuals’ on-line activities…Indeed it is recognised in general that keeping sensitive data secure is so important, that the best way to meet this obligation is simply to not record it.”

Therefore,

“Constructing facilities in each of these service providers to extract, record, securely store and make available any ‘Internet Connection Records’…would cost at least as much as their entire infrastructure…HUBS, though it is designed to enable the micro ISPs to benefit from economies of scale, cannot help here because it does not know the individual end users…Due regard should also be given to the social dynamics. If an ISP has a couple of dozen subscribers, two or three of which are actively involved in operating the network, data retention has a very different flavour.”

That is very often the position in rural and far-flung communities. It is like asking neighbour to spy on neighbour. I am sure that is not what the Government intend, but the new clause would spell that out. It would give providers of rural or community-access communication services and small service providers the reassurance they require in the Bill.

To put it shortly, the provisions in clause 78 are clearly designed for a very different environment from that which I have described, so those who operate within that environment are keen to have the Government’s assurance that they will be excepted from the requirements of the clause.

I think I can deal with this very briefly, because there are only two points to make. First, the amendment is flawed. The Department for Culture, Media and Sport tells us that the suggested designation is no longer used, if ever it was. That is a fundamental problem, but that is not a good enough argument alone. A better argument—my second point—is that restricting a retention notice to only large operators could result in large geographic gaps in capabilities or indicate to criminals that they should use only small providers. It is understandable that the hon. and learned Lady wants to defend the interests of small providers, but the provision could have unintended consequences of the sort I do not think she means.

Finally, the Joint Committee said:

“We believe that the definition of telecommunications service providers cannot explicitly rule out smaller providers without significantly compromising the data retention proposals as a whole.”

I appreciate the hon. and learned Lady’s intent, but I am not sure the form of the amendment is adequate or the arguments sufficient to be persuasive.

I am not sure what the Minister is saying. Is he saying he could look at the amendment and make it better, or that the principle underlying it is not acceptable?

I am saying that it is not wise to designate providers based on their size. There will be niche market providers who may provide a particular function exclusively and there may be others providing in a particular area. Taking them out of the system would contradict the purpose of the legislation. Let me see if I can compromise. We have said throughout, and when we were debating an earlier group of amendments, that we understand that some smaller providers will face a significant challenge. I have also said that it is important to recognise that while large providers will have mechanisms to implement readily the changes we expect of them—

Sorry, Mr Owen, I have lost my train of thought. The concern behind the amendment is that although certain assurances have been given, I have tried to explain that, without a guarantee that requirements will be placed on such providers, they may simply grind to a halt. Is there any way round that? That is the purpose of the amendment.

Let me try to make a more pithy intervention. Of course we understand that we need to support providers in meeting their obligations and we will take the steps necessary to do that. What I do not want to do is to exclude them in the Bill from the requirement because that would have consequences that the hon. and learned Lady does not intend.

I am sure the last thing the denizens of the west or the south of Scotland want is some mass influx of terrorists to start using their small internet service providers. On the other hand, they do not want their hard-won and hard-fought-for internet access to be completely compromised by unreasonable requirements being put on it. They are concerned that, although assurances have been given, there is nothing in clause 17 to prevent the Government from putting what would be practically and financially crippling requirements on them. That is the purpose of the amendment.

The arithmetic is inevitable, Mr Owen. I would like to think carefully about what the Minister has said, and go back to the organisations concerned and discuss it with them so I will withdraw the new clause for now.

Clause, by leave, withdrawn.

New Clause 25

Discharge of the powers, duties and functions: obligations

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the following—

(a) the public interest in protecting national security,

(b) the public interest in the prevention and detection of serious crime,

(c) the public interest in the protection of the privacy and the integrity of personal data,

(d) the public interest in the security and integrity of communications systems and networks,

(e) the principle of necessity,

(f) the principle of proportionality; and that no interference with privacy should be considered proportionate if the information which is sought could reasonably be obtained by other less intrusive means,

(g) the principle of due process, accountability and respect for the human rights of those affected by the exercise of powers under this Act, and

(h) the principle of notification and redress.”—(Keir Starmer.)

Brought up, and read the First time.

With this it will be convenient to discuss the following:

New clause 26—Discharge of the powers, duties and functions: protection of national security—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the public interest in protecting national security.”

New clause 27—Discharge of the powers, duties and functions: prevention and detection of serious crime—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the public interest in the prevention and detection of serious crime.”

New clause 28—Discharge of the powers, duties and functions: protection of the privacy and integrity of personal data—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the public interest in the protection of the privacy and the integrity of personal data.”

New clause 29—Discharge of the powers, duties and functions: security and integrity of communications systems and networks—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the public interest in the security and integrity of communications systems and networks.”

New clause 30—Discharge of the powers, duties and functions: necessity—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the principle of necessity.”

New clause 31—Discharge of the powers, duties and functions: proportionality—

“(1) The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the principle of proportionality.

(2) No interference with privacy should be considered proportionate if the information which is sought could reasonably be obtained by other less intrusive means.”

New clause 32—Discharge of the powers, duties and functions: process, accountability and respect for the human rights—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the principle of due process, accountability and respect for the human rights of those affected by the exercise of powers under this Act.”

New clause 33—Discharge of the powers, duties and functions: notification and redress—

“The discharge of the powers, duties and functions under this Act is subject to an obligation to have due regard to the principle of notification and redress.”

I welcome you back to the Chair, Mr Owen, for what I anticipate will be our last debate in this Bill Committee as we take this clutch of new clauses together. I say it is our last debate, but in some ways new clause 25 concerns an issue that we have been debating throughout Committee, from the very opening sitting and through every sitting we have had since. The discussion has been to-ing and fro-ing over whether there ought to be more specific provision for weight to be given to privacy in each clause or each time a power is set out, or whether there ought to be some overriding clause.

The new clause is an overriding privacy clause that is consistent with the recommendation of the Intelligence and Security Committee. For the Labour party, it is an important provision, upon which we place considerable weight. In other words, somewhere in the Bill, there needs to be a recognition of the real rights and interests that are affected by the powers in the Bill. A clause is needed to ensure consistency through the Bill, as there are examples of different powers being dealt with in slightly different ways. That clause should also act as a reminder to decision makers about the key principles they are applying in pretty well all the decisions they make. Perhaps most importantly, the clause should reassure the public on the key principles that run through the Bill.

I will concentrate on new clause 25. Considerable thought has been given to how an overriding privacy clause could be put together in a way that has meaning—and therefore gives confidence to the public—but is not so detailed as to be impractical to operate as an overriding clause. The way that the new clause has been put together is that four important public interests are recognised in paragraphs (a) to (d).

First is the public interest in protecting national security. That runs through the Bill and is the starting point. The second is the national interest in preventing and detecting serious crime, which also runs through all the powers we have debated. Thirdly, there is the public interest in the protection of privacy and the integrity of personal data. Now and again that crops up in the Bill, although not consistently, but it is an overriding interest. Fourthly, there is the public interest in the security and integrity of communications systems and networks. Those are the four powerful public interests.

Paragraphs (e) to (h) deal with the principles to be applied, including the principle of necessity and the principle of proportionality. As we have heard, there are examples where, although the Minister and the Solicitor General understandably say, “Well, of course that would be the reference point for decision making,” they are not on the face of the Bill. The new clause would provide the reassurance that that was the framework against which decisions were made.

As far as the principle of proportionality is concerned, the second limb of paragraph (f) is taken directly from the code of practice. It has been thought through and put into the code of practice but, for reasons I have argued previously, ought to be on the face of the Bill. Paragraph (g) deals with

“the principle of due process, accountability and respect for the human rights of those affected by the exercise of powers under this Act”,

and paragraph (h) deals with

“the principle of notification and redress.”

Now, they are principles and therefore are not fixed. The principle of accountability does not mean that everything must, necessarily, be transparent in the way it might be for other powers and duties in other Acts. The principle of notification does not mean there must always be notification. These are broad principles to be applied through the Act.

Whenever one tries to devise an overarching clause such as this, it is a careful exercise, or a judgment call, to try to decide what ought to be in and what ought not to be in. That is why the new clauses that follow are in the nature of a menu or suite of options. I am grateful to the Public Bill Office for giving me guidance on how to devise a number of clauses that would allow the Committee as a whole to look at each of these eight provisions and take a view on which ones ought to be included in an overarching privacy clause. My strong preference is not to get to new clause 26 and onwards, because I do not think that would be a particularly satisfactory way of dealing with an overarching privacy clause.

May I indicate, absolutely clearly and transparently, that I will listen carefully to what the Government say? In other words, I do not pretend for a moment that these new clauses could not be improved upon by different drafting. The issue we are probing is whether in principle there ought to be an overarching privacy clause, or an overarching set of public interests and principles, and if so, what broadly speaking would be included in them.

In that sense, new clause 25 can be properly described as a strongly probing clause. In other words, what we want to draw out are the views of the Committee on what an overarching clause ought to have in it; and if it is then necessary to have another joint exercise at drafting such a clause, then so be it.

I rise to speak as someone who, as a lawyer, will have interpreted clauses such as this to advance a particular case, giving weight to a particular clause or using it to enhance a case or stress a particular fact. To take paragraphs (g) or (h), for example, when we have already discussed notification perhaps not being necessary, they might be construed as saying that notification was necessary in a particular clause where it has no meaning at all. Will the hon. and learned Gentleman acknowledge that, in inserting in an overarching clause, we might be hostages to fortune, by including intentions that we did not intend in specific provisions?

I am grateful for that intervention; there are really two answers. The first is that it has been the constant refrain from the Minister that most of these principles run through the Bill and that therefore they are unnecessary, although I would say it is necessary to flush them out in this form.

To give another example, when the Human Rights Act was being passed, there was a real concern about how freedom of expression would operate in practice, and the Government of the day were persuaded that there ought to be a clause that really indicated to the courts that special consideration or weight ought to be given to freedom of expression.

All that has meant in practice is that the courts, when dealing with freedom of expression, have looked carefully at that clause and given it due weight. It works pretty well in practice; it does not tie the hands of a court. However, it is a reminder to a court of what the most important public interests were in the view of those passing the legislation and what the principles running through the Bill were. More importantly, it was a reminder to decision makers. For every case that goes to court, there are however many hundred thousand decisions that are made by decision makers on the ground.

I have some experience in Northern Ireland of working with the police over there in implementing the Human Rights Act. Counter-intuitively in many ways, having statements of necessity and proportionality built into the decision-making process really helped them, because they were able to assess, probably better than most others, why they thought what they were doing was necessary, and able to articulate why they thought it was proportionate, and they actually came to very good decisions as a result of what might be seen as broad principles being built into their decision-making process.

Such a provision would assure the public as to how the Bill is intended to operate and what the strong currents going through it are. I genuinely think it would help decision makers in the fine decisions, when they are not quite sure where the balance lies, and it would be a reminder to the courts of the particular public interests and principles that Parliament intended to lay down as running through the Bill. The danger of such a clause is always that it will be overused by lawyers, but I do not think that is what has happened in practice with similar provisions.

I can assure you, Mr Owen, that I will not detain you, the Minister or the Committee for long, save to endorse what my hon. and learned Friend the Member for Holborn and St Pancras has said.

If this is to be our final debate in Committee, I pay tribute to the forensic diligence exercised by my hon. and learned Friend throughout our proceedings and as exemplified by new clause 25 that he has tabled. The crux of so much of what we have discussed in Committee has been balance—where the right balance is between the protection of individual privacy and the ability of our security, intelligence and law enforcement agencies to protect us as a nation. We all have different beliefs about where the balance lies and it is the job of the Committee and the House to establish that balance.

As my hon. and learned Friend has made clear, adding this overarching new clause would give the public a level of comfort—a level of trust, indeed—that we have the balance correct. The new clause would remind us, right at the start of the Bill, of the principles that we think underpin the legislation. That would provide the public with the comfort that they require and also imbue a sense of trust in the final Act that we hand over to the judiciary, the Home Secretary and the agencies that are charged with protecting us. Given the structure of the Bill and the repeated application of certain measures to different areas of activity, an overarching clause would provide a solid foundation to the rest of the Bill’s structure.

I commend my hon. and learned Friend for his work, and in particular for the new clause, because it helps to achieve the balance between protection of privacy and the protection and defence of the realm. I hope that it goes a long way towards winning the support of more sceptical members of the public who might be looking for reasons why they should not support the Bill; now, we can give them a reason why they should.

I add my support and that of the Scottish National party to the new clause. I will tell hon. Members about an example of such a clause in Scottish legislation, which they might wish to look at. In doing so, I pay generous tribute to honourable Labour and Liberal Democratic parties which passed it. In coalition in the first Session of the Scottish Parliament, they passed a wonderful piece of legislation, the Mental Health (Care and Treatment) (Scotland) Act 2003. It was based on a report produced by a committee chaired by the late right hon. Bruce Millan, a former Secretary of State for Scotland and a very distinguished gentleman.

The 2003 Act sought thoroughly to modernise and codify the law of Scotland on mental health and, in particular, to take into account the human rights of those who have mental health problems. To do that, it set out in section 1 of the Act general principles that everyone discharging functions under the legislation must stand by. It is a piece of legislation that has very much stood the test of time and it has greatly enhanced the protection of the human rights of those in Scotland with mental health problems. It has also balanced that against the protection of the public in certain situations. The new clause does not take a legislative approach that is without precedent. If Members want to see how it might be done, they can find a similar example to new clause 25 in section 1 of the Mental Health (Care and Treatment) (Scotland) Act 2003.

I have immense numbers of notes prepared for me by my officials. It will surprise neither them nor you, Mr Owen, that I intend to use very few of them.

It is fitting that our last debate in this Committee obliges us to consider the matter that lies at the heart of all that we have debated, which is the balance, to use the word used by the hon. Member for City of Chester, between personal interest and national interest—the balance between what I might describe as the defence of personal privacy and the underpinning of the common good. In those terms, communal wellbeing and individual fulfilment are for me inseparable, and the national interest can only be defined as the people’s interest. It is right that we should consider how that balance is reflected in the words before us.

The hon. and learned Member for Holborn and St Pancras has tabled a measured new clause that attempts to strike that balance. He is right that it is in keeping with and in sympathy with my view, expressed in our very first sitting, that privacy is woven into the Bill throughout its provisions. He is also right that the overarching emphasis we place on privacy is important.

I will draw my remarks into sharp focus simply by saying this: the Government will introduce a clause along the lines proposed, and the new clauses before us will serve to inform that. My hon. and learned Friend the Member for South East Cambridgeshire is right that that has to be done with some caution, because, as both she and the shadow Minister said, we must avoid the pitfall of it being used as a way of frustrating the intent of the Bill in all kinds of other ways. The delicacy of its construction is a matter of appropriate concern.

Nevertheless, I am convinced that the new clause makes things clear. It is a helpful addition to our scrutiny, and I will finish where I started by saying that the balance that the hon. Member for City of Chester described is critical not only to his thinking, but to that of the Government and the shadow Minister. On that basis, I hope that the shadow Minister will withdraw the new clause with the assurance that it will be central to my consideration as we bring forward measures of a precisely similar kind.

I am grateful to the Minister for how he has put his final observations. It was in keeping with how all our debates have been conducted over our various sittings. I will not press any new clause to a vote. Pretty much every time that my wife and I take our children into a restaurant, no matter how many options are on the menu, they inevitably want something that is not on the menu. That is the position I find myself in now. I am happy that the suggested ingredients will be taken away and put together in a way that reflects the clause that the Minister, I am glad to say, has said he will introduce. I beg to ask leave to withdraw the motion.

Clause, by leave, withdrawn.

Question proposed, That the Chair do report the Bill, as amended, to the House.

In summary, Mr Owen, perhaps I could say a few words of thanks. I start by saying that anyone who has examined what we have done over the last several days and weeks would agree that the interpolations have been posed without contumely and the responses offered without bombast; our consideration has been motivated by well-informed interest and our determination has been tempered by reasonableness. So it should be, for this Bill is of the greatest significance. It is fundamental that we protect our national security and public safety—one might say there is nothing more fundamental—and that is what the Bill attempts to do.

I thank you, Mr Owen, and your co-Chairs, for gluing the Committee together with both sagacity and generosity. I thank the Clerks for grouping the amendments with professional skill; the Hansard Reporters for glowing, as they always do, with expertise; the Doorkeepers for guarding us and honing their locking and unlocking skills—largely due to the hon. and learned Member for Edinburgh South West, by the way; the officials at the Home Office for their gaping and gasping, I hope in admiration at the performance of those they advise, but possibly with incredulity, I cannot quite work out which; and the Ministers and other members of the Committee, for groping for the light in the dusk if not the darkness of their imperfections.

I particularly thank the Members on my side of the Committee: three immensely learned Ladies and three honourable Gentlemen learning at their knee; an almost perfect Parliamentary Private Secretary; a wonderful Whip; and my dear friend, the Solicitor General.

It would be both unwise and ungenerous not to pay tribute to the Opposition on the Committee who have been remarkable for their diligence, their reasonableness and their good humour, and for the way in which they have gone about the business of trying to perfect the Bill. I pay tribute to the hon. and learned Member for Holborn and St Pancras. I know he does not like my saying this—I have said it twice before and he criticised me both times—but it is the first time that he has done this, despite his long experience of other related things. He has done himself proud, if I might say so. The hon. and learned Member for Edinburgh South West, with just as much diligence, has held the Government to account thoroughly, but always, as I said, in the right spirit.

The Bill leaves Committee in a much better place as a result of the deliberations, our discourse and the scrutiny we have enjoyed. I thank all those I have mentioned and any whom I have forgotten to mention for their help in making that happen.

Before other hon. Members make comments, I would inform them that when the Division bell goes, I will put the Question, whether a Member is in full flow or not, so that we do not have to come back after the vote, which will take up to three-quarters of an hour.

Thank you, Mr Owen. I have been handed a note which says, “Vote shortly”, and I think that is an instruction not to take long, but it would be remiss of me not to pay tribute and to say thank you to so many people who have made this process work as well as it has worked.

I start of course with yourself, Mr Owen, and your co-chair, who have taken us through the proceedings in an efficient and orderly way and allowed the points to be debated in the way they needed to be debated and drawn out where they needed to be drawn out. We are genuinely grateful to you for that.

I also thank the Public Bill Office. This has been a huge exercise and, on occasion, amendments that we thought we had lodged were not lodged where we thought they had been lodged and therefore, at 10 o’clock and 11 o’clock at night, the team upstairs was working to find the amendments, put them back in the proper order and make sure that we had them for the next day’s deliberations. It was not just what we might consider the ordinary working hours.

I think I am right in saying that, for better or worse, more than 1,000 amendments have been tabled by Labour party, Scottish National party and Government Members. That is a pretty record number. I think we have had up to 40 Divisions on the Bill. There has been a huge amount of work over and above, and we are all grateful for it. We are grateful for the work done to ensure that Hansard properly reflects what has gone on in this debate, so that things are put on the record accurately and that others can see what was argued, why it was argued and how it was argued not only when the Bill progresses through the House but also if and when it becomes an Act. We are also grateful to the other staff—the Doorkeepers and so on—who have helped with the process.

May I thank the Home Office team? Although, in a sense, they provide the notes to Government Members, I know how hard they have to work behind the scenes to ensure that what appears, particularly from the Minister and the Solicitor General, is informed, up to the minute and seemly and deals with difficult and probing issues. That is a huge amount of work behind the scenes. They have been helpful to the Opposition as well—

And we finished a day early. I would like to pay tribute to both the Minister and the Solicitor General. There are different ways of doing this. I am not over-experienced in it, but I know that sometimes there can be trench warfare, where both sides simply dig in, fire their ammunition and little is achieved. They have both listened to what we have said by way of our submissions and agreed on a number of occasions to think again in relation to the Bill. That is genuine progress, although it may not be reflected in the number of votes we have won. This is my second Bill Committee, and the number of votes I have won is still a very round number. However, I genuinely think we have achieved through our dialogue and through the approach of both the Opposition and the Government something that will pay dividends and will strengthen the Bill when it becomes an Act.

I also want to pay tribute to the SNP team. As will have been evident, there has been a lot of work behind the scenes to ensure that we are not duplicating one another’s work and that we think through what we do. That has been very helpful.

Order. I think the hon. and learned Gentleman should sit down and allow Ms Cherry to speak for herself, because we are going to a vote.

I will. I hope that the hon. and learned Lady will mention the non-governmental organisations that have helped us. Thank you.

I add my thanks to all those who have been mentioned so far. It has been a true pleasure to work so closely with the hon. and learned Member for Holborn and St Pancras. I pay tribute to the people behind the scenes who have greatly assisted Opposition Members in our preparation for this Committee.

A number of non-governmental organisations have been mentioned. I will not mention any one in particular; they know who they are, and they have been of great assistance to us. I also want to thank my hon. Friend the Member for Paisley and Renfrewshire North. This is my first time on a Bill Committee, and without his assistance, I would have been in even more of a guddle than I was on some occasions. I am very grateful to him for keeping me right.

I add my thanks to all members of the Committee, the Clerks in particular, officials, the Official Report, the Doorkeepers and so on.

Question put and agreed to.

Bill, as amended, accordingly to be reported.

Committee rose.

Written evidence reported to the House

IPB 72 Access Now