I should like to start by thanking the Minister for setting out clearly what is behind the three measures before us today. I particularly want to thank him for his remarks about the action being taken against those travelling to Iraq and Syria to become involved in terrorist activities. I am sure that the whole House will support the work that he and his Government are doing in that regard.
I shall deal first with the Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2015. This reissued guidance has five laudable aims, which the Opposition support. They are: to enhance the operational independence of the authorising officer from involvement in the specific investigation for which communications data are required; to strengthen the protections for information that has professional sensitivity—particularly journalistic material; to reflect the additional requirements on local authorities to request communications data through a magistrate; to improve the record-keeping requirements for public authorities; and to improve best practice in regard to international co-operation and emergency calls.
We support those aims in the guidance, but I should like to ask the Minister a few questions about how we have reached this point in the code of practice. First, the draft guidance was put out to consultation late last year. Why has the response to that consultation not been published for Parliament to consider alongside this statutory instrument? The Minister said that it had been published, but I have had real difficulty finding it. The Vote Office could not find it for me when I requested it, and it is not next to the other documents on the Home Office website, so could the Minister tell me where I can find it? As he said during the passage of the Serious Crime Bill, there were more than 300 responses to the consultation, and it would have been useful to be able to see them.
Secondly, will the Minister explain the key difference between this guidance and that published just before Christmas? Thirdly, will he explain the timings of these changes? Why was a consultation launched while reports from the independent reviewer of terrorism legislation, due out in a few weeks’ time, and further recommendations from the interception of communications commissioner were expected? I appreciate that the changes reflect some earlier recommendations from the commissioner, and there have been subsequent changes to reflect new
recommendations, but why is the code of practice being treated almost like a work in progress? Why not have the recommendations first, then a full consultation and then a final code of conduct, with special interim measures, which I know we would probably all support, to protect journalistic sources? Perhaps the Minister will be able to explain how this process has worked.
Will the Minister also explain how the code of conduct has been written to ensure that it accurately reflects recent legislative changes? First, I was thinking about the recent orders extending the grounds on which the Financial Conduct Authority can access data. Is all that covered in this code? Secondly, the Serious Crime Act 2015 implements some of the recommendations from the interception of communications commissioner. Although it is welcome that the guidance goes some way to reflecting those changes, with a page added to give specific protection to journalistic sources, the Act introduced only partial and interim measures, so I want to know from the Minister whether the guidance will need to be reissued again when the final legislative measures are introduced.
On the second order before us, I want to ask about the definition of “communication” and “message”, an area where the code of practice does not address many of the issues raised during the passage of the Counter-Terrorism and Security Bill, both in this House and in the other place, about how “communication” is defined. Paragraph 2.13 of the code of practice is very specific in relation to fixed-line telephony calls. That is fine as far as it goes, and it is probably all that was needed 20 or 30 years ago, but this code of practice is for 2015 and beyond. I am sure the Minister will accept that the way we communicate now is very different from when we just had fixed telephone lines.
Fixed-line telephone calls now are a small element of communications. When we look at internet-based communications, from e-mail to app-based messaging and social media, we see that the code of conduct is too vague in what it is trying to do. Paragraph 2.11 refers readers of the code of practice back to section 2(1) of the Data Retention and Investigatory Powers Act 2014 and to the schedule to that Act. I am not sure why a code of practice supposedly designed, to quote from the code, to be
“readily available to employees of a CSP”
to use should refer them back to an obscure part of an Act that was criticised by some right hon. and hon. Members for not being as clear as it could be.
Paragraph 2.16 is the only one I could find in the code of practice that seeks to explain what DRIPA means for internet-based communications. The paragraph is headed “Internet email” and states:
“Internet email under DRIPA is considered to be any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service.”
Is that simply a definition of internet-based e-mail providers such as Hotmail or Gmail, or is it meant to include social media? If it is meant to include social media, why does it not say that, so it is clear in the code of practice?
In Committee, I asked a series of questions about social media, which the Minister did not answer, and I do not think they were answered in the other place either. Let me ask the Minister again: does the code of
practice include messages sent on social media platforms such as Facebook? If it does, why is there no section in the guidance devoted to social media? As I have said, the title “Internet e-mail” is not clear in this respect. If social media are covered, does a message extend to tagging another person in a broader post? Specifically, if a person is tagged in a Facebook or Instagram post, does that count as a message for the purposes of this code? What about a person included in a tweet? Does that count as well?
Perhaps the Minister will also respond to questions on the generic forms of interaction on social media sites. I am talking about where there is no user-generated content, but there is an interaction—for example, I “love” a photo on Instagram, “like” a post on Facebook, “favourite” a tweet, or “swipe” on Tinder. Do those come within this code of practice?
When I raised those issues in Committee, the Minister said that the code covered all communications, by which he meant anything that conveyed a message—as if a message was a self-evident thing that did not need a clear definition. That rather clumsy presumption has been applied to this code of conduct. Will the Minister explain, with reference to the social media sites, how paragraph 2.16 is meant to be interpreted? I hope he can shed some light on this matter.
I also want to ask about the relationship that this code envisages between the Home Office and the communications service providers. For example, the code of practice gives the Secretary of State total discretion over the review of retention notices, but it says that factors leading to a review could include significant technological change. Can the Minister explain how an ongoing dialogue with the CSPs operates, and how it is being maintained to ensure that the Secretary of State will be aware of major technological changes?
Moving on, will the Minister explain why no impact assessment has been prepared for this legislation? Last week, we found that the impact assessment prepared for the Prevent elements of the Counter-Terrorism and Security Bill, vague and imprecise as they were, had not been signed off by the Home Office’s chief economist because the Home Office did not have the evidence base to support the legislation. Essentially, what that confirmed was that, after four years, the Home Office did not have that evidence about what works in terms of Prevent and so could not use that to inform and back up any legislative decisions. Is that the reason we do not have an impact assessment for the statutory instruments before us today? These codes of practice cover the process for decisions regarding compensation payments provided to CSPs, so they could have far-reaching cost and spending implications. They also have the potential to change significantly the compliance burdens on businesses.
I am very surprised that we do not have an impact assessment drafted for these orders. Perhaps the Minister can give us some background information; if he is not able to do so today, perhaps he could find it and place it in the Library. I have four questions. First, how many retention notices are currently in force, and how many are company-specific? Secondly, the code of practice talks about two years as the standard period for a review of a data retention notice. In practice, how many notices are reviewed before the two-year period? Thirdly, how many retention notices have been ended before the
two-year period? Fourthly, what is the total spend on compensation agreed with the communications service providers in each of the past five years?
The Government’s explanatory memorandum to the Authority to Carry Scheme (Civil Penalties) Regulations 2015 states:
“Full guidance will be provided to industry on the operation of the Scheme. The Home Office and other agencies will continue to engage with industry on the detail of the Scheme to assist implementation.”
Will the Minister make it clear when he expects this guidance to be made available? The transport industry also made an observation in a number of responses to the consultation—I think that there were 28 in total. The memorandum states:
“The majority of carriers felt, however, that a proposed maximum fine of £50,000 was excessive and disproportionate, especially when compared to the possible fines imposed by other countries.”
Will the Minister explain why, despite the view taken by the transport industry, the Government decided to maintain the upper limit of £50,000 for a fine?
Finally, I also note that the 21-day rule was breached for introducing those regulations. I hope that the Minister will comment on why. I am sure that he will make a commitment that every attempt will be made in future to ensure that orders are introduced within the appropriate time.
4.21 pm