The Committee consisted of the following Members:
Bone, Mr. Peter (Wellingborough) (Con)
Brake, Tom (Carshalton and Wallington) (LD)
Brokenshire, James (Hornchurch) (Con)
Brown, Mr. Russell (Dumfries and Galloway) (Lab)
Burns, Mr. Simon (West Chelmsford) (Con)
Coaker, Mr. Vernon (Minister for Security, Counter-Terrorism, Crime and Policing)
Davies, David T.C. (Monmouth) (Con)
Gwynne, Andrew (Denton and Reddish) (Lab)
Heppell, Mr. John (Nottingham, East) (Lab)
Huhne, Chris (Eastleigh) (LD)
Jenkins, Mr. Brian (Tamworth) (Lab)
McCabe, Steve (Lord Commissioner of Her Majesty's Treasury)
McDonagh, Siobhain (Mitcham and Morden) (Lab)
Ryan, Joan (Enfield, North) (Lab)
Scott, Mr. Lee (Ilford, North) (Con)
Twigg, Derek (Halton) (Lab)
Mike Clark, Committee Clerk
attended the Committee
Fourth Delegated Legislation Committee
Monday 16 March 2009
[Janet Anderson in the Chair]
Draft Data Retention (EC Directive) Regulations 2009
4.30 pm
The
Minister for Security, Counter-Terrorism, Crime and Policing
(Mr. Vernon Coaker): I beg to
move,
That
the Committee has considered the draft Data Retention (EC Directive)
Regulations
2009.
Good
afternoon, Ms Anderson. It is a pleasure to serve under your
chairmanship. I also say good afternoon to the hon. Members for West
Chelmsford and for Hornchurch. I do not know whether I haunt them or they
haunt me, but we seem to follow one another around at various Committee
sittings. It will be a pleasure to discuss this issue with them again.
Indeed, I welcome all hon. Members to the Committee that is considering
these important
regulations.
As
Committee members will be aware, the key effect of the directive and
the regulations is to make the retention of communications data by
communications service providers mandatory. However, before I speak in
detail about the regulations, I should like to record the
Government's gratitude to our partners in industry.
Communications service providers have for some years retained
communications data on a voluntary basis under part 11 of the
Anti-terrorism, Crime and Security Act 2001 and an associated code of
practice. They have co-operated very effectively with law enforcement
and other public authorities. Their co-operation has played a major
role in tackling a range of threats. It has undoubtedly saved lives. I
am sure that I speak for all hon. Members when I thank the
communications service providers for their
co-operation.
In
addition to the voluntary basis for retaining communications data,
communications service providers have been required to retain data
relating to traditional fixed-line and mobile telephony since October
2007, when the first part of the transposition of the directive,
relating to traditional telephony, was completed. Since then, law
enforcement agencies have been working closely with industry to develop
their expertise in using internet-related data and to understand which
types of internet-related data should be retained by which service
providers to provide most help to the law enforcement and intelligence
agencies. A great deal of work has also been done on how
internet-related data should be stored to ensure that they can be
accessed efficiently when necessary. We are now in a position to
complete the transposition of the directive and make the retention of
data relating to internet communications
mandatory.
I
should explain the approach to the regulations that we have adopted
following the consultation exercise, which we held last year. As hon.
Members will understand, the directive and the regulations apply only
to communications data. That information is best described
as the "who, where and when" of communications. It may include, for
example, the time at which a communication is made or the location of a
piece of mobile communications equipment. To explain it in
old-fashioned terms (in this area, that is sometimes quite
helpful to people such as me; I do not know about other Committee
members), it is in effect the information on the outside of an
envelope, which includes the name, address and postmark. It is not the
content. The specific data covered by the directive are information
that is generated or processed by communications providers for their
own business purposes, such as billing, network management and fraud
prevention. Neither the directive nor the regulations apply to any of
the contents of a
communication.
In
line with the requirements of the directive and with comments made by
communications service providers during the consultation exercise, we
are determined to minimise any possible duplication of data retention.
To do that, we have decided to introduce a notice system so that
service providers can be absolutely confident about what they are
required to do under the regulations. The Government will issue notices
to the providers required to retain data. They will also explain
precisely which data sets they would like the service providers to
retain. The Government will use their notice system to minimise the
burdens imposed on industry, while ensuring that relevant
communications data are
retained.
Mr.
Peter Bone (Wellingborough) (Con): Is the Minister saying
that we are going further than the EU directive? Are we in effect
talking at this stage about
gold-plating?
Mr.
Coaker: No, we are not going further than the EU directive
requires. What I am saying is that to minimise the bureaucratic burden
on businesses, particularly small businesses, we want to avoid four or
five different communications service providers retaining the same
data. So, in discussions with the communications service providers, we
will look at who has the various data sets and we will specify through
the notice who is required to retain what.
Essentially,
the individual communications service provider will be given a notice
requiring them to retain data and specifying which data they should
retain. The purpose of that is to provide what the industry itself
asked for, which was clarity about who was required to retain what. It
would be nonsense if a small business was required to retain one data
set when businesses further down the line have exactly the same set of
data. That is why we are introducing the notice system. The hon.
Gentleman will see that specific requirement in the regulations. Nobody
will be required to retain data without being given
notice.
Tom
Brake (Carshalton and Wallington) (LD): I was hoping that
in the interests of clarity the Minister could explain whether
applications such as Facebook or instant messaging are covered by the
directive.
Mr.
Coaker: No. Social networking sites, such as MySpace or
bebo, are not covered by the directive. That is one reason why the
Government are looking at what we should do about the intercept
modernisation programme because there are certain aspects of
communications which are not covered by the
directive.
Tom
Brake: Clearly one of the principal purposes of the
directive is to tackle crime. The Minister may be aware that in France
it has been suggested that Facebook is being used as a means of
obtaining drugs. People are aware that it is not covered by legislation
in France and, from what the Minister is saying, it is not going to be
covered by legislation here
either.
Mr.
Coaker: That is an extremely fair point. Let me be clear
about what we are doing. We are transposing the directive. With all due
respect, I would be in trouble with the hon. Member for Wellingborough
if I then said that we had gone further than the directive, because we
would then be retaining data over and above what the directive requires
us to do. The hon. Member for Carshalton and Wallington will also know
the controversy that currently surrounds the intercept modernisation
programme. I look forward to his support when we present intercept
modernisation programme proposals, which may include requiring the
retention of data on Facebook, bebo, MySpace and all other similar
sites.
I
accept that this is an extremely difficult area. The interface between
retaining data, private security and all such issues of privacy is
extremely important. It is absolutely right to point out the difficulty
of ensuring that we maintain a capability and a capacity to deal with
crime and issues of national security, and where that butts up against
issues of privacy. The hon. Gentleman is also right to point out that
this directive is three or four years old. Those people responsible for
the EU directive might want those very things included in it if they
were drafting it now, but technology moves so fast. If we drew up a
directive now, in 2009, who knows where the technology would be by
2013?
Let
me use another example, which I saw at the Child Exploitation and
Online Protection Centre. Paedophiles, who are some of the most
heinous people imaginable, are now using games to send their horrible
material to each other. They do not send it in one game, but in several
different games. Then, with awful, evil genius, the paedophile puts all
the individual games together, and bit by bit draws off the appalling
material from each one and puts that together. All I am saying is that
these are extremely difficult areas. To cover data collection while
recognising privacy is difficult. The hon. Gentleman made an extremely
important point, which we will no doubt need to consider as we progress
with the intercept modernisation
programme.
The
draft regulations specify a retention period of 12
months. The directive permitted a wider period of retention, from a
minimum of six to a maximum of 24 months, but our experience
over the past few years suggests that a 12-month retention period is
appropriate, proportionate and necessary. It is proportionate in
delivering benefits for law enforcement balanced against the potential
impact on the privacy of those whose data are retained. Should we need
to revisit the retention period in future, we will bring forward a new
statutory instrument so hon. Members and Parliament will have an
opportunity to debate it.
The
consultation exercise highlighted the complexity of the issue. We have
therefore undertaken to establish a group that will oversee the
implementation of the directive and regulations. It will include
experts drawn from industry and from the law enforcement and
intelligence agencies. It will provide guidance to communications
service providers so that they understand what is required
of them. We will also continue to ensure that service providers are not
penalised financially as a result of complying with the regulations.
That is compatible with previous practice and is a fair way of ensuring
that data are retained effectively and that there is no distortion of
the communications
market.
In
light of the approach I have outlined, I hope hon. Members will agree
that the regulations will provide a suitable basis for the
transposition of the directive. In conclusion, I remind them, if they
need reminding, of the importance of communications data. I suggested
that the co-operation of industry on communications data has saved
lives. That is not an exaggeration. The regulations relating to
telephony have already been used to place murderers at the scenes of
their crimes, to prevent murders and kidnaps from taking place and to
identify serious sexual offenders who would not otherwise
have been caught as quickly. Internet-related
communications data are just as vital. The final transposition of the
directive will ensure that communications data from all major types of
communication are retained consistently and made available efficiently.
With that, I commend the regulations to the
Committee.
4.43
pm
James
Brokenshire (Hornchurch) (Con): I, too, welcome you to the
Committee, Ms Anderson. It is a pleasure to serve under your
chairmanship again. I also welcome our continuing debate with the
Minister. He will need to decide whether this is a continuance of a
haunting at the conclusion of the
Committee.
We
are told that the regulations are simply intended to implement
requirements under EU law. At one level, that is true; the EU directive
of March 2006 on the retention of electronic communications data
imposes obligations on member states to ensure that mobile telephony
and other data are retained safely for not less than six months and not
more than 24 months. However, these regulations cannot be viewed in
isolation; their interrelationship with other existing law, most
notably the Regulation of Investigatory Powers Act 2000, means that
they have a much wider significance. While the directive may require
retention of communications data, it makes it clear that the
obligations that it seeks to impose
are
without
prejudice to the power of member states to adopt legislative measures
concerning the right of access to, and use of, data by national
authorities.
Our
consideration of the regulations comes against the backdrop of an
increasingly interventionist approach by the Government into all of our
lives, seemingly taking the maxim "need to know" to mean
that they need to know everything. Certainly, we need to know what the
Government's intentions are in relation to the creation of a new
central database, which would create a central store of our electronic
communications. The Minister has acknowledged that that is a highly
controversial proposal, but we understand the need for communications
data to be made available to the police, security services and certain
other agencies in the fight against serious crime and to protect our
national security. The problem is that the regulations' impact
goes much
further.
The
Data Retention (EC Directive) Regulations 2007, which came into effect
on 1 October of that year, implemented communications data requirements
for telephony communications, details in relation to when
calls were made, to whom, account information and so on. Previously,
such data had been retained, as the Minister said, on a voluntary basis
for six months, but the requirements for providers of telephony
services via public electronic communications networks was put on a
legal basis and extended to 12 months. Details required to be stored
securely included the number that a telephone call was made from; the
name and address of the subscriber and registered user of that
telephone; numbers dialled; the date and time at the start and end of a
call; and, in terms of mobile telephony data, the geographic location
of the cell area in which a call was
made.
The
UK obtained a reservation to carve out the application of the directive
to the internet access, internet telephony and e-mail provisions until
15 March 2009, yesterday. That deferral was in part because the
retention of internet-related communications data, which involves much
larger volumes of data and a considerably broader set of stakeholders
within the industry, was felt to be a more complex issue than data
relating to fixed or mobile
telephony.
The
regulations under discussion replace those from 2007 and impose a new
obligation on internet service providers to retain data on the source,
destination, date, time, duration and type of online communications
for, as the Minister said, a period of 12 months. I again stress that I
understand that, under the regulations, a communication's
content is not intended to be captured; however, the retention of and
potential access to whom we may have contacted, when we contacted them
and where we were when we did so, is sensitive information, and there
is a risk of significant harm to personal privacy if it is misused or
not held
securely.
On
the specifics of the regulations, notwithstanding what the Minister has
said, the industry remains uncertain about the precise obligations that
are being created. The Government propose to establish what the
explanatory memorandum describes as an "implementation
group" to
develop
guidance to assist in the implementation of the draft
Regulations,
but
my industry contacts suggest that a great deal more work is required to
create a common industry view on what records actually need to be
retained in order to comply with the regulations. My contacts also
suggest that many providers are reluctant to change their current
retention practices until the relevant discussions have been completed,
and that, in some cases, the engagement process is yet to
commence.
How
does the Minister propose to build trust and confidence on the
proposals' impact when there appears to be continuing
uncertainty within the industry itself about how to respond to queries
from its own customers on the information that it is allowed to retain
on them? The Minister has accepted that a notice requirement will need
to be provided to avoid duplication, but the situation adds to the
picture that has been painted to me by some industry players of a huge
amount of
uncertainty.
The
Minister's comments on data retention reflected regulation 4(5),
which
states:
No
data revealing the content of a communication is to be retained in
pursuance of these Regulations.
Will he provide further
clarification and confirm that the retention obligations will not apply
to an individual's web-browsing behaviour (the individual
websites that someone might visit), which might otherwise be
captured? When will the implementation group be established? What will
its composition be? When does he expect it to publish relevant
guidance? It appears that that guidance is very much required when we
see that those regulations are intended to come into force on 6 April
2009 and there appears to be uncertainty in the
industry.
The
regulatory impact assessment envisages that the cost of implementing
the regulations will be £46.5 million, which the explanatory
memorandum implies will be cost neutral to the telephone and IT
industry. Can the Minister confirm that that view is shared by the
industry, particularly if there is uncertainty about the scope of the
regulations with potential changes to current retention
arrangements?
Can the
Minister also explain why he appears to have left a parallel retention
regime in place? The Retention of Communications Data (Code of
Practice) Order 2003, which predates the data retention
directive, has not been revoked by the regulations. Will he confirm
that the code of practice regime is no longer intended to apply once
the new regulations come into effect?
What
discussions has the Minister had with the Information Commissioner
concerning the safety and security of the vast quantity of additional
sensitive information that would need to be stored under the
regulations? The regulations envisage that the Information Commissioner
will retain his role in the ambit of the directive, but it would be
useful, in trying to understand the operation of the regulations, to
know what discussions have taken place and what the Information
Commissioner's view is. Clearly, significant quantities of
additional data will be stored, and will need to be stored securely, in
order to ensure that the public can have trust and confidence in their
relevant providers and that information will not inadvertently get into
the hands of people who might misuse it.
The
regulations are only one half of the issue. Their significance is
heightened when examining who will potentially have access to
information retained and extended under the proposed regulations.
Access to communications data is governed by the Regulation of
Investigatory Powers Act 2000. RIPA was originally introduced on the
grounds of national security, but now has powers with abusively wide
scope. The reasons for accessing and using our data have been extended
to include the prevention and detection of crime or disorder, economic
well-being, protecting public health and tax collection. That has led
to RIPA powers being used in investigations into, among other things,
whether children at a village shop had the right paperwork to deliver
papers, whether a nursery was selling pot plants unlawfully and dog
fouling.
RIPA gives
all 474 local councils in England, every NHS trust, every fire service,
139 prisons, the Environment Agency and even Royal Mail, the
authority, whether in whole, or in part, to access and use
communications data, not just national security services. The number of
requests for communications data under RIPA in the year ending 31
December 2007 amounted to 519,260 requests. Can the Minister confirm
how much he expects that figure to increase as a result of the addition
of
internet data under the regulations, and whether the regulatory impact
assessment properly takes into account all of the additional costs that
will arise?
Against that
backdrop, and what even the Home Secretary described as her
concerns about the use of RIPA by what she described as, and I quote,
"the dustbin Stasi", the Government were forced to
accept that the powers were being abused, saying that they would
consult on the proposed changes. On 16 December, the Home Secretary
said:
Early
next year, we will consult on a number of proposed changes to
RIPA, and we will look at: revisions to the codes of practice
that come under the Act; which public authorities can use RIPA powers;
raising the bar for how those powers are authorised, and who authorises
their
use.
However,
when we turn to the regulations before us, we obviously start to get a
slightly different picture and I say to the Minister that "early
next year" has come and gone. It is spring now, the flowers are
coming up and nothing has been sprouting in terms of this consultation
that was promised by the Home Secretary last year.
Also, when we
look at the explanatory memorandum that sits alongside these
regulations, we get the clear impression of the Home Office having said
one thing and now doing something completely different.
Paragraph D4 on page 21 of the explanatory memorandum
says:
It
is important to state that access to communications data is governed by
the Regulation of Investigatory Powers Act 2000 (RIPA) and no changes
to the safeguards set out in that Act are
planned.
Then,
if the matter needed any further clarification, paragraph D7 on the
same page says:
We do
not propose to alter the statutory mechanisms through which data is
accessed.
Finally,
if that was not clear enough, paragraph D9 on page 22 makes it even
more explicit, by
saying:
We
consider that the safeguards set out in RIPA provide a rigorous check
against disproportionate interferences with individuals' right
to respect of their privacy. The implementation of this Directive does
not alter the balance in that
debate.
So,
no changes are
planned.
Can
the Minister explain, therefore, why on earth the Home Secretary said
what she said in December, scarcely three months ago, if we now know
that, according to the explanatory memorandum that sits alongside these
regulations, absolutely nothing is going to happen? How on earth can
the Minister expect this Committee simply to approve these regulations
when the Home Secretary herself acknowledges that there is this
significant issue, and knowing that this additional communications data
could be obtained for trivial matters and also knowing that the
Government have done absolutely nothing to address the problem and,
apparently, have no intention of doing
so?
The
Government could have added safeguards to these regulations without the
problem of gold-plating, which my hon. Friend the Member for
Wellingborough commented on earlier. They chose not to. Therefore, they
will have to explain why they have failed to take this opportunity to
restore public confidence. The Home Secretary even continues to
maintain the right, by ministerial order, to create additional reasons
why communications data can be obtained. That is
unacceptable.
We
believe that the powers under RIPA should be used only to combat
serious crime and for the protection of national security. If this
Government are not prepared to act, then a Conservative Government will
be. We cannot support a statutory instrument introducing new powers
tied to an existing piece of legislation with such abusively wide
scope. If the Government should get their wish, I say to the Minister
that, if my party is elected, we will legislate to put in place the
necessary protections and to undo anything that the Government have put
in place that conflicts with those protections.
There is also
the question of how these regulations fit into the Government's
potential plan to create a huge new database cataloguing
everybody's use of the internet. Some have dubbed it the "big
brother" database. The interception modernisation programme set this
plan forward, with the expectation of a communications data Bill in
this Session of Parliament, until the Government realised both the
strength of opposition to their plans and the sensitivity of their
proposals. Part of that Bill was intended to implement the EU retention
directive. Last October, the Home Secretary backed off, pulling the
communications data Bill from the Queen's Speech and saying that
there would be a consultation on the IMP, with the aim of having a
well-informed debate on the issue.
It was said
that the consultation would be launched in the new year and in a speech
to the Institute for Public Policy Research on 15 October 2008, the
Home Secretary
said:
But
before proceeding to legislation, I am clear that we need to consult
widely with the public and all interested parties to set out the
emerging problem, the important capability gaps that we need to address
and to look at the possible solutions. We also need to agree what
safeguards will be needed, in addition to the many we have in place
already, to provide a solid legal framework which protects civil
liberties.
When
will this long-awaited consultation be launched? How much has been
committed financially to the IMP including any developments of the new
database? Do the Government still intend to embark on the creation of
the new central database of communications data, because the
regulations that we have before us are essential and central to those
proposals? The Home Secretary also said that no content would be
affected along the lines of what we have heard
today.