Clause 1 - Requirement for authorisation

Investigatory Powers (Amendment) Bill [Lords] – in a Public Bill Committee at 11:30 am on 7 March 2024.

Question proposed, That the clause stand part of the Bill.

Thomas Tugendhat Minister of State (Home Office) (Security)

It is a pleasure to be here under your chairship, Mrs Cummins. The exceptional growth in volume and types of data across society globally since 2016 has affected the intelligence services’ ability to work and collaborate at the necessary operational pace. The existing bulk personal dataset safeguards do not account for the way that data and its availability have evolved since the Investigatory Powers Act 2016 was passed. This creates a negative impact on operational agility, while making it increasingly difficult for the intelligence services to develop the necessary capabilities.

Clauses 1 and 2 introduce an alternative regime for bulk personal datasets where there is low or no reasonable expectation of privacy—the so-called low/no regime. Clause 1 specifically provides a mechanism for the intelligence agencies to determine whether bulk personal datasets should be authorised under part 7 of the 2016 Act for sensitive datasets, or proposed new part 7A for low/no datasets.

Dan Jarvis Shadow Minister (Home Office) (Security)

It is a pleasure to serve under your chairship, Mrs Cummins. I rise to speak very briefly to clause 1, and to thank the Minister for his opening remarks.

At the outset of our consideration, we should all take the opportunity to pay tribute to the exceptional men and women who have served in our law enforcement and security services. We owe them a deep debt of gratitude. Let me say that the Opposition support the Bill, which updates aspects of the Investigatory Powers Act 2016. It is imperative that legal frameworks are updated to ensure that our security and law enforcement services keep up with the challenges to communications technology in an increasingly challenging and complex landscape of threats to our safety and national security. None the less, the important provisions proposed in this Bill need to be scrutinised carefully. The shadow Home Secretary and I made it clear on Second Reading that we will work with the Government to improve it in places, following the example of the constructive cross-party work that was done in the other place.

Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

It is good to see you in the Chair, Mrs Cummins.

I echo what the shadow Minister says. We are all here to assist the brave personnel in our security and intelligence services, but that does not mean that we will not closely scrutinise this legislation. We did not oppose the Bill on Second Reading. Some parts are good, but we have indicated our serious concerns about other parts because we think the powers go too far. They have not been shown to be necessary and proportionate; rather, they are more for the convenience of the security and intelligence services. How these powers are drafted also causes us concern, because they seem to allow behaviours beyond what we were told the powers were going to be used for. At other times, it is the nature of the oversight that is a concern, as the Bill introduces potentially intrusive powers.

I have one other brief point to make, which I indicated I would make at last night’s meeting of the Programming Sub-Committee. I had hoped that this morning we could perhaps have had some witnesses to guide us through this process. I think that would have been very helpful. It was very helpful in 2016, when we were looking at the original legislation, and I regret that we do not have such an opportunity this morning.

The provisions on bulk personal datasets and so-called low/no datasets are an area where we fear that the legislation is rather more a matter of inconvenience than something that has been shown to be a necessity. That will emerge in the debate about clause 2, which contains quite a lot of the detail about how the regime is supposed to work. Basically, we have been told that there will be a significant increase in the use of bulk personal datasets. We have been told that scrutiny is too slow, so we will either have to remove it or, perhaps more accurately, water it down in relation to these so-called low/no datasets. Fundamentally, I do not like that argument. The Minister will need to make a compelling case.

When we discuss clause 2, it would be useful if the Minister told us how many bulk datasets are retained and examined each year currently; how many datasets it is envisaged will be retained and examined after these powers come into force; what percentage of the datasets he thinks would be considered low/no datasets; how long authorisation processes take currently and why they take that length of time; and why cannot we improve or accelerate that process in some way, rather than having to water it down in the way that this Bill suggests. We will ask the Minister for that sort of evidence, because he is asking us to do away with parts of the oversight system that were put in place in 2016, and we want to understand how that oversight system is causing a problem at the moment. If he cannot explain that, we cannot support this new regime.

Kevan Jones Labour, North Durham

It is a pleasure to serve on this Committee with you in the Chair, Mrs Cummins.

My hon. Friend the Member for Barnsley Central said very clearly that there is general support for the Bill. The need for it is self-evident: things have moved on since the passage of the 2016 Act—indeed, they have moved on very quickly in terms of the amount of data there is, not only data that the security services have to deal with but data in general life.

Bringing the legislation up to date is important, but if we look at the Hansard reports of the debates in 2016, when the right hon. Member for South Holland and The Deepings took the original legislation through the House, we see that there was then, quite rightly, concern that the state acquiring bulk data was intrusive into people’s private lives.

Having read those Hansard reports a couple of days ago, I accept that some of the concerns expressed in 2016 were overblown, as are some of the concerns expressed about this Bill. Frankly, if the accusations regarding what our security services are able to do were true, they would be 10 times, if not 100 times bigger than the actual security services we have today. Nevertheless, it is important in a democracy to ensure that the security services act proportionately—I am confident that they do—and that there is the necessary oversight of their actions and how they deal with the data they have. It is not just parliamentarians who need reassurance in that regard, but the public. The public need reassurance about the data that the state is holding.

Examples have been given, but frankly, they are a bit silly, because things such as the electoral register, which you, Mrs Cummins, I and everybody else can access, fall under the existing regime. The expectation that the data will not be made public is ridiculous, and the same is true of some of the other examples that have been given. For instance, some datasets for machine learning are open on the internet for everybody to see. I do not have any problem with that and I do not think that anybody else does.

Oversight, which we will discuss later, is important. We are giving the security services the powers to determine what is low and what is no. Do I trust that they will have the protocols in place to ensure that that process is done fairly? Yes I do, but I have been on the Intelligence and Security Committee for the last seven years; I know exactly how the protocols work internally in those organisations. To reassure the general public, we need a definition of how this process will take place. I will not touch on that now, but later I will raise the question of how we will have independent oversight of that process.

Neither I nor anyone else is saying that we distrust how the security services will handle those datasets, but one thing the ISC has been very clear on is that if we are going to extend the security services’ powers, there needs to be a corresponding extension of oversight to balance that. I do not want to put in place oversight that prevents operational effectiveness; it would be silly to give the security services powers and then make it impossible or too onerous for them to operate in practice, but striking a balance is important in a democracy.

We broadly got that balance right in the 2016 Act. Looking at international comparisons, we are way ahead of many other democracies in how we deal with oversight of those potentially very delicate issues.

John Hayes Conservative, South Holland and The Deepings

I will not detain the Committee unduly, my Whip will be pleased to know. However, I feel it is important at this juncture—in part because, as the right hon. Member for North Durham says, I was responsible for taking the 2016 legislation through the House, and in part because of my current role on the ISC—to make some comment on the first part of this Bill, which deals with bulk powers. There are misassumptions about bulk powers. The Minister will be aware of how vital they are to the security and intelligence services and to the police. These powers are used in almost all investigations—95% of them—and they are critical if we are to deal with the changing character of the threat we face.

Contextually it is important to note that when the 2016 Act was passed, the nature of the threat was metamorphosising, and that is even more the case now. The scale and character of the threats are altering all the time, so the legal powers available to those we mission to keep us safe need to be fit for purpose and up to date. We knew that when we passed the 2016 Act; we knew that the legislation was dynamic and that it would be supplemented over time to take account of that metamorphosis, which takes two forms. First, the threat now is probably greater from state actors, and secondly, it is greater from those inspired to do harm via the internet in particular. That situation makes an implicit case for the kind of measures the Minister has brought before us today.

Furthermore, there is a paradoxical change in the methodology used by those who seek to do us harm. Because of the nature of technology, those people are now able to do things that they were not able to do when we debated the original Act that this Bill amends. I describe the change as paradoxical because those people have simultaneously learned that they can do immense harm with a vehicle and crude weapon; we know that from some tragic cases in recent years. Those inspired people do not need a sophisticated organisation with all kinds of capabilities; they simply need the perverse, indeed perverted, will to do damage. All of those factors legitimise the case for the measures in the Bill, which we will consider over the coming hours and days—but not weeks I am pleased to say, unless something goes badly wrong.

I agree entirely with those who say that there is general good will towards measures that are necessary to keep us safe, but with the Committee’s indulgence I will say something about the detail of clause 1 and part 1. Bulk powers are misunderstood by people who do not study such matters closely. The right hon. Member for North Durham made that point when he said that fears are sometimes exaggerated because people fail to grasp quite what the safeguards look like and the circumstances in which bulk powers are used.

I have some letters that I exchanged with my then shadow—now the Leader of the Opposition, no less—when we debated the 2016 Act. We put in place a set of reviews that examined the operational case for bulk powers. The Opposition insisted on that, and as Minister I was pleased to agree with their proposal. Lord Anderson examined the Investigatory Powers Bill then and has since reviewed it. He has made it clear that there is a solid case for the powers, subject to the proper safeguards and oversight, and that there is a case for the powers to be reconsidered in the way that this amending Bill does.

Some 95% of the cyber-attacks on people and businesses in the UK discovered by the security and intelligence agencies were identified as a result of the powers in part 1. They are used to deal not only with terrorists, but with serious and organised criminals. It is important to understand the National Crime Agency’s role in that, and no doubt the Minister will speak about that in more detail. Much of the crime and terrorism that is identified and countered could not have been thwarted by more conventional means. This is the point that needs to be heard publicly: we simply would not be safe if such additional resources, facilities and legal authority were not available to our counter-terrorism police, the NCA and the agencies.

People sometimes assume that the agencies are searching for a needle in a haystack; actually, they are choosing the haystacks. To do so, they must have legal safeguards, because otherwise they will be subject to challenge. Those challenges will come not from people of good will, such as the people from across the House who are on this Committee. The people who will challenge the agencies are far from people of good will; they are people of ill will, who seek to do us harm.

None the less, I say to the Minister—as he would expect me to—that there are ways in which the Bill could be improved. Let me suggest just one; I will then sit down, before I test the Committee’s indulgence to its very limits, so that we can make some progress. The category authorisations that are associated with part 1 mean that, in the case of bulk personal datasets, an agency will want the power to retain and examine material over a considerable period. They will assess whether it can be handled and approved under the part 7A regime, and if the authorisation is approved by the judicial commissioner, the agency can then internally approve any individual personal dataset to be added to that category.

That is contentious and requires explanation. I am not against it, but the fear is that a category authorisation will be obtained and the internal process will then allow all kinds of other things to be added to it. It is important that we rectify that by ensuring that the Investigatory Powers Commissioner’s Office is notified whenever a new individual dataset is added to an existing valid category authorisation. As the Minister knows, this point has been made by the Committee on which the right hon. Member for North Durham and I serve. It seems to me to be reasonable. I do not think it is unhelpful to the agencies or the Minister, and it may provide the additional reassurance we all seek that the powers are subject to appropriate scrutiny and oversight.

With that initial foray into this territory, I will conclude, except to say that in my career in Parliament, I regard taking the original legislation through as my greatest achievement. [Interruption.] My former Parliamentary Private Secretary, my hon. Friend the Member for North Cornwall, is saying it is one among many, but I regard it as the most important thing I have done in Parliament because it is an important matter, not a party political matter; it is important for the safety and security of all our people.

Thomas Tugendhat Minister of State (Home Office) (Security)

What can I say? We have got a little further on clause 1 than I anticipated. I am grateful to my right hon. Friend the Member for South Holland and The Deepings, the right hon. Member for North Durham and other hon. Members who have spoken. Bulk personal dataset authorisation is clearly an important change, as my shadow, the hon. Member for Barnsley Central, has set out; I was interested to hear the suggestion from my right hon. Friend the Member for South Holland and The Deepings that this was the shadow Minister’s first step on the path to greatness and to leading the Opposition. I am grateful for the points that hon. Members have made.

The type of data that may fall into part 7A is indeed covered—things like news articles, academic papers, public and official records, and the sort of bulk personal data that many people would have access to routinely. The changing nature of the need to hold data has meant that bulk personal data must be authorised in a different way than was previously thought. Paragraphs 4.14 and 4.20 of the draft code of practice set out further details of the datasets that would fall under the section 22A test, of which the hon. Member for Barnsley Central is no doubt aware.

The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East touched on various aspects of data that might fall within this approach. He will remember that Lord Anderson noted in his independent review that MI5 and MI6 estimate that roughly 20% of their bulk personal data holdings would fall into the category of “low and no”; for GCHQ, the figure would be nearer to 8%. Clearly, these things will evolve. To answer the point made by the right hon. Member for North Durham, the simple fact is that our world is producing incomparably greater volumes of data than ever before. The need to understand, handle and triage that data is therefore essential.

It is worth making the point, right at the beginning, that creating and storing huge volumes of data is to nobody’s advantage, and particularly not that of the intelligence services. The only purpose of having or examining data is to enable investigatory operations to get to targets of interest. It is not about anything other than ensuring that investigations can be properly targeted against those who threaten the interests of the British people, under various existing laws. This measure does not change those laws; it merely assists the targeting.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.