I am grateful to the right hon. and learned Member for that intervention. He possibly makes a fair point. If I recall correctly, the wording of
that proposed new subsection was borrowed from another part of the Bill. I might be wrong about that; I need to go away and have a look. I suppose the argument would simply be that if a category authorisation is to any extent being abused, it is right that the category authorisation is cancelled, and if somebody wants to come back with something similar, they can do so. However, I am not without sympathy to his point. I take it in the spirit in which it was intended, and will reflect upon it.
Let me move on from the question of oversight in relation to bulk personal datasets to the issue of “no” or “low” expectations of privacy in relation to such datasets, and how that test will operate in practice. Throughout the passage of the Bill, we have been repeatedly given some very easy examples of so-called “low/no” bulk personal datasets. For example, we have spoken about phone books, academic papers, public and official records, and other data that many people would have access to routinely. It was helpful that, in relation to what is now our amendment 9, the Minister said in Committee that Facebook posts and CCTV pictures would be considered sensitive and would not be caught by these provisions. It is very helpful to have that on the record.
None the less, it would to be useful to have greater precision in the Bill. Amendment 8 would take out reference to “low” expectations of privacy altogether, so that only “no” expectations would be covered by the new provisions. To us, “low” is such a difficult question to adjudicate—low expectations in particular. That is especially the case when we are dealing with datasets of potentially huge numbers of very different people with very different reasons for having very different expectations of privacy, particularly in how that would relate to different organisations. We cannot think of a single dataset example provided during the passage of the Bill that would not be adequately covered by “no reasonable expectation of privacy”. If that is the case, if that is really all the Bill will be used for, why not just accept the amendment? It would be useful to have an understanding of what “low” expectation of privacy is designed to cover.
Amendment 15 brings us to internet connection records. In 2016, the Government emphasised the very targeted nature of the ICR powers, but here we are being asked to incrementally expand those powers so that they are slightly less targeted. To us, that means that the independent assessment of proportionality and necessity is pivotal, so we think that it should be subject to advance judicial oversight. Even the explanatory notes accept that there are difficulties in formulating sufficiently targeted queries, noting that
“such queries are highly susceptible to imprecise construction”
and that “additional safeguards” are required.
For us, the required additional safeguard is judicial oversight. We were led to believe that the powers would be used only exceptionally, so it is hard to see how a judicial authorisation requirement would cause any significant problem. The Government argue that there may be times when warrants are needed on an emergency basis, but that could be dealt with by having emergency processes or very limited exceptions—it is not an argument against a general rule of advance judicial oversight.
I turn to the impact on technology companies of the Bill’s various provisions relating to notices—although the right hon. and learned Member for Kenilworth and Southam probably made more sensible and eloquent
points than those I am about to make. The written evidence that the Bill Committee received shows that tech companies, academics and human rights and privacy campaigners are still a million miles away from the Government in their understanding of how the provisions will work and of the impact that they will have on products and services. Apple wrote to the Committee that these provisions
“would dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk.”
It is frustrating and disappointing that we did not have the opportunity to explore those differences in detail through witness testimony. The Minister did his best to reassure us, and he made some important arguments about extraterritoriality and conflicts of laws, but given the serious concerns that have been raised, it is worth again asking the Minister to explain why those witnesses are wrong and he is correct. In particular, the Government’s explanation that the new pre-notification requirement in clause 21 is
“not intended as an approval mechanism”
has not dampened concerns. Apple argued in evidence to the Committee that
“Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.”
Other provisions in the Bill around maintaining the status quo during notice review periods work in tandem with these provisions to deliver what Apple and others see as a de facto block on adoption of new technology—that is the risk that they are highlighting, and it is what the Minister must address in his speech. It is why we have tabled amendments to take out some of those provisions. It is also why we have tabled amendment 19: an alternative that would introduce advance judicial oversight and, hopefully, a degree of reassurance that the new notification notice regime under clause 21 will not deliver the unintended effects that many fear.
Finally, I put on the record our support for the amendments tabled by members of the Intelligence and Security Committee, whose work on the Bill has been as helpful as ever—I congratulate them on their one-and-a-half victories so far. As is often the case when it comes to Bills of this type, we also put on record our support for several of the amendments tabled by the right hon. Member for Haltemprice and Howden (Sir David Davis), some of which are similar to amendments that we tabled in Committee, while others are similar to amendments that we supported during the passage of other Bills, including the National Security Act 2023. In particular, new clause 3, which is designed to place an absolute prohibition on the UK sharing intelligence with foreign Governments where there is a real risk of torture or cruel, inhuman or degrading treatment, is long overdue and would close a serious gap in the law. For us, that is self-evidently the right thing to do.