UK Parliament / Open data

Investigatory Powers (Amendment) Bill [HL]

My Lords, I thank noble Lords for this short debate and the scrutiny on these important issues. First, I will address Amendments 15 and 16 tabled by the noble Lord, Lord West of Spithead, which seek to remove Clause 13 and the Schedule from the Bill. We have covered some of the same ground as we did in Committee, and I am afraid that much of my response will make similar points to those I made then. However, I can appreciate why he has raised the points he made about these provisions, and I hope that I can still provide him with assurance on why these measures are needed and proportionate.

As the Government have been clear, the purpose of Clause 13 is to ensure that bodies with regulatory or supervisory functions are not inhibited from performing the roles expected of them by Parliament. It restores their pre-existing statutory powers to acquire CD in support of those functions. When the IPA was passed in 2016—under the expert stewardship of the noble Lord’s fellow ISC member in the other place, the right honourable Member for South Holland and The Deepings—it made specific provision, at Section 61(7)(f) and (j) respectively, for the acquisition of CD for the purposes of taxation and oversight of financial services, markets and financial stability. The noble Lord and his fellow committee members have queried whether we are “unmaking” these measures in the 2016 Act through Clause 13 of the Bill. I would therefore like to put beyond doubt what has happened since then to lead us to this point of needing to refine rather than unmake these provisions.

Following the Tele2 and Watson judgment from the Court of Justice of the European Union in 2016, the Government took the opportunity to streamline the statute book, including but not limited to some changes in response to that judgment. This streamlining included the removal of the regulatory provisions contained in the IPA because, at that time, those public authorities with regulatory or supervisory functions were able to acquire the data they needed using their own information-gathering powers, and Section 12 of the IPA had not yet been commenced, removing many of those powers. The relevant data was outside of the provisions of the IPA at this time and therefore not considered to come within the definition of CD.

Since then, businesses have operated their services more and more online. This has meant that many have become, in part at least, telecommunications operators as defined by the IPA. As a consequence, growing amounts of the data that they collect—which regulatory and supervisory bodies would have previously been able to access using their own information-gathering powers—now fall within the IPA’s definition of CD. The effect of this is that public authorities are increasingly unable to acquire the CD that they need to perform their statutory civil or regulatory functions.

In summary, the IPA has been changed since it was commenced in 2016 to remove tax-related and financial stability-related powers to acquire CD and to introduce the serious crime threshold. Technology and society have moved on, with the result that more relevant data amounts to CD. Section 12 of the IPA has been commenced to remove general information powers. The combination of these changes has meant that public authorities are experiencing increased difficulty in carrying out their statutory functions. For example, the Financial Conduct Authority, His Majesty’s Revenue & Customs and the Treasury are all examples of public authorities that already have the power to acquire CD using a Part 3 request but that may be unable to do so in the exercise of some of their functions as a result of the issue I have just set out.

These bodies perform a range of vital statutory functions using CD, including tackling breaches of sanctions regimes, enforcing the minimum wage and providing oversight of banking and financial markets. Schedule 4 to the IPA provides a list of public authorities that can acquire CD under Part 3 of the Act. The new definition of public authorities inserted by this clause will apply in the context of the sharing of CD between public authorities. This will include government departments and their arm’s-length bodies, and executive agencies administering public services. While data sharing between government entities is covered under other legislation including the Data Protection Act and GDPR, or under separate data-sharing agreements, its sharing for legitimate purposes should not be discouraged or prevented by the IPA.

Clause 13 is needed to ensure that such bodies can continue to fulfil these existing statutory duties in the context of a world that takes place increasingly online. It strikes an appropriate balance between necessity and proportionality. In particular, I re-emphasise that it makes clear that the acquisition by these regulatory bodies should be only in support of their civil and regulatory functions, and not used in support of criminal prosecutions. Furthermore, the Government have retained the serious crime threshold that applies when acquiring CD for the purposes of a criminal prosecution.

The codes of practice will also provide additional safeguards and clarity on how this should work in practice. The Government published these in draft ahead of Committee to illustrate this. Any changes to the existing codes will be subject to statutory consultation before being made and will require approval from Parliament under the affirmative procedure. I am therefore confident that the changes will be subject to a high level of scrutiny. To be clear, this applies to a limited cadre of public authorities with the necessary statutory powers conferred on them by Parliament and only specifically when in support of regulatory and supervisory functions—it is not creating a way to circumvent the safeguards in the IPA. It ensures that the acquisition routes and associated strong oversight by the Investigatory Powers Commissioner are reserved for those areas where it is most essential and has the most serious potential consequences in terms of criminal prosecutions.

I am happy to provide the reassurance—or I hope I am—that the noble Lord, Lord Anderson, sought. I am grateful to him for his comments regarding government Amendment 14, for engaging with officials to work through the concerns they raised and for his generous comments about the officials.

Our view is that the amended Clause 12 will be narrower in scope than the original drafting, which carried a risk of permitting access beyond the “who” and “where” of an entity. I assure noble Lords that the codes of practice will set out the further safeguards and details on the practical effect of Clause 12 so that operational partners are clear on the lawful basis of CD acquisition. It is appropriate that the technical detail is set out in this way rather than in primary legislation. The codes of practice will be subject to a full public consultation and will be laid in Parliament under cover of an SI, via the affirmative procedure. I reassure the noble Lord that we will consult with partners and the regulators of the IPA to ensure that the high standards of the CD acquisition regime remain world leading. I am happy to continue this conversation, and for my officials to continue with the extensive engagement already undertaken with the users of the CD powers, to see whether any further refinement is needed.

Finally, I confirm that the intention behind the amendment is to include the type of subscriber data that is necessary to register for, or maintain access to, an online account or telecommunication service. Examples of such data would include name, address and email address. It is not intended to include all types of data that an individual might give a telecommunication service that is not necessary for the purpose of maintaining or initiating access to that service.

I turn to Amendments 17, 19 and 20 on internet connection records, also tabled by the noble Lord, Lord West. Much of the argument I have heard relies on a perception that the new condition D is inherently more intrusive than the existing conditions B and C. I will set out why this is not the case.

The safeguards for the new condition D replicate the well-established and extensive safeguards already in place for CD authorisations. The authorisation process for CD varies according to the purpose for which the data is being sought and the type of CD to be acquired. This regime works effectively and has been considered by the Court of Appeal and found to be lawful.

The purpose of new condition D is to enable ICRs to be used for target detection, which is currently not possible under existing Part 3 authorisations. The level of appropriate oversight and safeguards is linked to the sensitivity of the data to be disclosed and the impact that disclosure may have on the subject of interest.

As I have said, the Government do not believe that condition D is inherently more intrusive than conditions B or C. Conditions B and C authorise “target development” work, and as such enable the applicant to request data on a known individual’s internet connections. As an example, this means that the NCA could request records of the connections a known subject of interest has made in a given time period, provided that request was judged to be both necessary and proportionate by the Office for Communications Data Authorisations. In comparison, condition A enables the requesting agency to request who or what device has made a specific connection to an internet service.

Similarly, condition D would enable an agency to request details about who has used one or more specified internet services in a specified timeframe, provided it was necessary and proportionate—for example, accessing a website that solely provides child sexual abuse imagery. The actual data returned with condition D will most likely constitute a list of IP addresses or customer names and addresses. No information concerning any wider browsing that those individuals may have conducted will be provided. Information about that wider activity would be available only under a further condition B or C authorisation. Condition D is therefore no more intrusive than conditions B and C in terms of what data is actually disclosed. As such, we see no benefit or logic to imposing a different authorisation route for condition D when the existing safeguards have proven sufficient in terms of ICRs applications under conditions A, B and C.

I use this opportunity to remind all noble Lords of the importance of this new condition D and how it will support investigations into some of the most serious crimes, as well as supporting the critical work against both state and cyber threats. ICRs could be used to detect foreign state cyber activity. For example, ICRs could be used to illuminate connections between overseas state actors and likely compromised UK infrastructure. We understand that these actors have an intent to target UK-based individuals and organisations, including government and critical national infrastructure, from within UK infrastructure, which we typically would not see. The ICR data returned from TOs would be highly indicative of the extent of malicious infrastructure and could assist with victim exposure. Furthermore, improved access to ICR data would enable the National Cyber Security Centre to detect such activity more effectively and in turn inform incident management and victims of compromises. Using data to flag suspicious behaviour in this way can lead to action to protect potential UK victims of foreign espionage and attacks.

I now turn specifically to the ability of the intelligence agencies and the NCA to internally authorise condition D applications. The intelligence agencies and the NCA must obtain approval from the Investigatory Powers Commissioner for ICR applications for the purpose of preventing or detecting serious crime, other than in urgent circumstances. In urgent circumstances, such as threat to life or serious harm to an individual, the intelligence agencies and the NCA are able to obtain CD authorisations from internal designated senior officers in the same way that police forces are. In practice, the volumes of non-urgent requests are such that the IPC delegates responsibility for the authorisation of ICR and other CD requests to the OCDA.

In terms of oversight, the IPC could, if he wished to, consider specific types of CD authorisations himself. The IPC also has the power to directly inspect any part of the CD regime. If he wishes to focus attention on condition D applications, he has the necessary powers to do so. The approach we have adopted for condition D authorisations is therefore consistent with the wider CD regime and gives the IPC flexibility in how he exercises his powers and resources.

As is also consistent with the wider CD regime, condition D applications relating to national security will be authorised by a designated senior officer within the intelligence agencies. The CD codes of practice state that the designated senior officer must be independent of the operation and not in the line management chain of the applicant. This independence is declared within each application, and each designated senior officer completes training prior to taking up this role. Furthermore, each agency has one or more single point of contact officer, accredited by the Home Office and the College of Policing, who facilitates lawful acquisition of CD.

5.15 pm

Introducing a different approvals process solely for condition D applications that require judicial commissioner approval is unnecessary, unhelpful and unwarranted. A consistent approach to the authorisation of these applications has real value, encouraging efficiency and compliance. The amendment would simply increase the complexity of the regime and increase the risk of errors occurring because of the different approval approaches for otherwise very similar techniques. In this context, I again remind noble Lords that in IPCO’s most recent annual report published in 2023, it found that both GCHQ and MI5’s CD acquisition processes were

“working to a high standard … and were supported by strong internal governance procedures”.

The regime and its oversight are working. The amendment would make the regime more complicated and less flexible.

In addition to this assurance, it may be helpful if I detail the legal history for this arrangement. In 2022, the High Court held that applications from the intelligence services which related solely to serious crime had to receive independent authorisation, other than in urgent circumstances, on the same basis as those from law enforcement, which is why such applications now go to the Office for Communications Data Authorisations. The situation is different for national security cases, including economic well-being cases which must be relevant to national security, both because of the more sensitive context of national security and because of the different treatment provided to national security by retained EU law.

Noble Lords may also wish to note that Amendment 19, which would remove condition D2, would prevent any urgent requests for an internal authorisation being made by the NCA or the intelligence agencies for condition D ICRs. There again, not even EU law prevented internal authorisation for urgent CD requests.

To summarise, it is essential that the intelligence agencies and the NCA can self-authorise condition D ICR applications in urgent circumstances. Requiring the intelligence agencies to seek authorisation from the Investigatory Powers Commissioner for condition D is inconsistent with all other national security CD authorisations. It would add administrative burdens to those agencies and increase the risk of errors because of the inconsistency with other CD requirements, despite the very similar techniques and levels of intrusion involved in condition D when compared to conditions A to C. Finally, it would achieve nothing significant that is not already available in terms of oversight, because the IPC can already inspect the agencies’ use of CD. I therefore respectfully suggest that Amendments 17, 19 and 20 should not be moved.

I promise that I am getting to the end and I apologise for the length of my speech, but this is important and requires significant detail. I now address Amendment 18, also tabled by the noble Lord, Lord West of Spithead, which seeks to remove

“the economic well-being of the United Kingdom”

as a lawful purpose under condition D. The use of the economic well-being of the UK as a justification is permitted only in so far as those interests are also relevant to the interests of national security.

My understanding of the reasoning of the noble Lord, Lord West, for Amendment 18 is that the economic well-being of the UK when relevant to national security is already included within the purpose of national security, and it is therefore unnecessary to specify it separately in relation to condition D. If that were the case, there would have been no reason for Parliament to specify economic well-being separately in the IPA or in the intelligence agencies’ foundational Acts or other Acts which relate to those agencies.

If this amendment removes “economic well-being” as a statutory purpose for condition D on the belief that it is already included within national security, the ICR conditions A to C will all refer to economic well-being, while condition D will not. The obvious implication from this is that Parliament deliberately left out “economic well-being” from condition D, so it is not available as a statutory purpose. It would be unwise to rely on Pepper v Hart to provide the clarity missing from the legislation that would be caused by Amendment 18.

At these times of heightened state threats, it is entirely sensible and prudent to include economic well-being as a statutory purpose of the use of condition D. Its inclusion is necessary, given that there are countries in the world which strive to harm the UK’s economic well-being in their desire to achieve increased geopolitical influence or dominance. The Government therefore believe that it is not in the wider public interest to remove this provision.

For example, noble Lords may be aware of the National Security and Investment Act 2021, which was made necessary to protect critical industries and enterprises from being controlled by those who would do our country and our democracy harm. The use of ICRs could help to support the necessary investigatory work that supports actions and decisions taken under that Act to safeguard the United Kingdom’s open business system. Amendment 18 would be an act of national self-harm because it would prevent a potentially useful capability in condition D being used to protect the economic well-being of the United Kingdom from attack by our adversaries.

Finally, because economic well-being is a permissible ground only in so far as it is also relevant to the interests of national security, drawing clear lines between cases which fall under the core national security ground and those which fall under the economic well-being ground can be difficult. This amendment would therefore add to legal uncertainty.

I hope that this rather lengthy explanation provides noble Lords with reassurance on why this provision and others have been included and the amendments are unnecessary.

Type: Proceeding contribution
Reference: 835 cc704-710
Session: 2023-24
Chamber / Committee: House of Lords chamber