My Lords, it is intimidating to follow so many noble and learned friends on my own side, let alone all around the House, but I am grateful for the opportunity to speak in this debate because, over the five years that I worked in the coalition Government, we wrestled with many of the issues that this Bill attempts to address. We recognised that our society faces real threats and that it is the duty of the Government to address them.
The then Deputy Prime Minister for whom I worked took that responsibility extremely seriously. He never had the slightest patience with those who dismissed these threats or opposed necessary proportionate and workable measures to counter those threats for ideological reasons. He was committed to ensuring that the security services had the powers they needed and he supported legislation where there was an evidence-based case for it, such as the Data Retention and Investigatory Powers Act 2014. He opposed legislation, such as the draft communications data Bill, where there was not. He was as impatient with those who were careless of our liberties as he was with those who were careless of our security.
I share the approach that he took. I do not see liberty and security as items to be weighed against each other on opposing scales but as principles essential to reinforcing each other. There is no liberty without security but, equally, no security without liberty. Anyone who has lived in a country where the authorities are constantly monitoring what you do, and where they think that they have the right to interfere with your liberty, will know just how insecure that makes you feel. I have no doubt about the threats we face or of the suffering brought about by terrorism, child exploitation or any of the other heinous crimes that the police and intelligence services have to tackle. I was lucky enough to work alongside members of the intelligence services in the previous Government and I have nothing but admiration for the work they do on our behalf and the way they go about it.
I welcome the fact that the Bill is a considerable improvement on the existing arrangements. It covers previously unavowed powers and contains significantly greater safeguards and oversight than had previously been present. It is particularly welcome that it has dispensed with the proposals in the draft communications data Bill that UK network providers be forced to collect and store third-party data relating to services operated by companies overseas.
At the time of the communications data Bill, we refused to agree to such a proposal because no one could make a credible case for it. In the absence of evidence or argument, it was simply asserted that if we did not agree to such a proposal, public safety would be put in jeopardy. Without a shred of evidence to support it, people who should have known better—including some Members of this House—went on television to castigate the then Deputy Prime Minister in the most lurid terms, accusing him of putting lives at risk.
Of course, subsequently, the highly respected Independent Reviewer of Terrorism Legislation, David Anderson QC, investigated the issue and could not have been clearer in his report that he found that no operational case had been made for the power and that,
“there should be no question of progressing this element of the old draft Bill until such time as a compelling operational case has been made”.
It is with that experience in mind that I am sceptical of demands for powers which are not backed up with evidence and which Ministers seek to push through simply by making an assertion that they are necessary for public safety.
While I welcome many parts of the Bill, it is in that context that I regard the retention of internet connection records as an issue of grave concern. The Home Office failed to make an operational case for it. The Government have not approached the issue by demonstrating where a lack of data is obstructing criminal investigations and then exploring how to tackle it. They have taken a proposal that the Home Office has been pushing unsuccessfully for nearly 10 years—perhaps more—and stated that the data would be useful for the police and intelligence services. That is not evidence-based policy-making; it is policy-based evidence-making and we should not accept it unless we have some much better answers than the Home Office managed to provide in the other place.
As my noble friend Lord Paddick highlighted, the Bill establishes a power for the Government to demand the retention of the internet connection records of every single person in this country for a 12-month period in case the state might wish to interrogate those data at some future date. It allows access to the huge amounts of data that will be collected by designated persons without a warrant. It is a very significant power for the Government to demand, a power which outside Russia is operated by no even nominally democratic country in the world. As my noble friend pointed out, Denmark, which operated such a system, has abandoned it, as its security forces were drowning in information they could not process. The scale of data retention under this proposal will be massive. The storage of such a vast amount of personal and private data will be a honeypot for hackers and risks compromising the privacy of millions of innocent people.
Many noble Lords have rightly made the point that the measures in the Bill have been subject probably to greater parliamentary and independent scrutiny than any similar measures that have come before Parliament, and the Government have made many welcome changes. I note in passing that this scrutiny and these changes have been possible only because people in the previous Government would not accept the imposition of measures without scrutiny and an evidence base and insisted that it be provided.
But despite all the parliamentary scrutiny, the public are almost wholly unaware that when this Bill is enacted it will mean the retention of everyone’s often highly personal internet connection records for a period of 12 months, under conditions of security which are unclear. When this power is put to members of the public, the evidence is that they are almost universally horrified by the potential threat it poses to their privacy. We should take that extremely seriously and we should be extremely cautious before we grant such a unique power to our Government. Neither should we lull ourselves into a false sense of security about what security this data can actually provide for us. We should not be naive enough to ignore the fact that those who wish us harm, such as Daesh, are unlikely to be troubled by such a power; they have plenty of ways to mask their activities.
So I hope that we will proceed with caution rather than complacency before we grant the power. In particular I hope that the Government can answer a number of questions. What exactly will ICRs cover? How will the ICR requirements operate in respect of communications on mobile devices via apps? What is the scope of the information they will provide? Where will the data be stored and under what conditions of security? Also, how is it sustainable for the Government to claim that these vast amounts of data can be stored and accessed securely at such a comparatively minimal cost? How is the figure calculated and is it not likely, as it is so often in these cases, to be exponentially more expensive than originally estimated? Lastly, why is the Home Office demanding a power that none of our allies appears to believe is proportional or necessary? We need answers to these questions before we proceed with this part of the Bill.
A number of other important issues in addition to ICRs have been mentioned today, in particular legal and professional privilege, bulk data collection and issues of extra-territoriality. All are areas that we will need to consider carefully during the future stages of the Bill. Finally, we should be wary of creating too cosy a consensus on this Bill lest that dulls our skills of scrutiny when there are very serious issues still to consider.