My Lords, my noble friend Lady Hamwee and I have three amendments in this group. As a means of probing concerns about both national security notices and technical capability notices, we are suggesting that Clauses 225 and 226 stand part of the Bill, but we propose, in Amendment 92, that the provision in Clause 226(5)(c),
“obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”,
be deleted. These provisions are some of the most concerning for communications companies and the technology sector in the UK as they appear to provide open-ended and unconstrained powers, although I accept that the amendments that the Government have put forward today, as outlined by the Minister, provide significantly more oversight than was originally suggested in the Bill.
National security notices can require a communications provider in the UK,
“to carry out any conduct, including the provision of services or facilities, for the purpose of”—
this is in Clause 225(3)(a)(i)—
“facilitating anything done by an intelligence service under any enactment other than this Act”.
So the power is not limited to facilitating the use of powers under the Bill but any other legislation as well. The power is to do anything that the national security notice requires.
Technical capability notices enable the Government to require communications operators to comply with any “applicable obligations” specified in the notice, and the recipient must not only comply but must not disclose that they have been served with the notice, seemingly including, under Clause 226(5)(c), to remove encryption. However necessary or proportionate such notices may be—and I accept that, with the double lock now in place, that will be tested—there could be a suspicion that UK communications companies and the UK technology sector are subject to such notices, undermining customer confidence in the security of the network or device that they are using.
Although such a notice may be served to persons outside the UK, and may require things to be done outside the UK, such notices are not legally enforceable outside the UK. As well as undermining public confidence in the security of UK networks and technology, such notices have the potential to act as a competitive disadvantage to UK technology businesses. Instead of the power to force a company to remove encryption from a whole service or technology, alternative and more targeted powers should be used instead.
7 pm