The
Committee consisted of the following
Members:
Chairman:
Mr. Mike
Hancock
Blunt,
Mr. Crispin
(Reigate)
(Con)
Donohoe,
Mr. Brian H.
(Central Ayrshire)
(Lab)
Farron,
Tim
(Westmorland and Lonsdale)
(LD)
Garnier,
Mr. Edward
(Harborough)
(Con)
Griffith,
Nia
(Llanelli)
(Lab)
Heath,
Mr. David
(Somerton and Frome)
(LD)
Keen,
Alan
(Feltham and Heston)
(Lab/Co-op)
Kirkbride,
Miss Julie
(Bromsgrove)
(Con)
Knight,
Mr. Greg
(East Yorkshire)
(Con)
Leigh,
Mr. Edward
(Gainsborough)
(Con)
McDonnell,
John
(Hayes and Harlington)
(Lab)
McNulty,
Mr. Tony
(Minister of State, Home
Department)
Mole,
Chris
(Ipswich)
(Lab)
Reed,
Mr. Andy
(Loughborough)
(Lab/Co-op)
Spellar,
Mr. John
(Warley)
(Lab)
Stoate,
Dr. Howard
(Dartford)
(Lab)
Watts,
Mr. Dave
(Lord Commissioner of Her Majesty's
Treasury)
Mark
Etherton, Committee
Clerk
attended the Committee
Eleventh
Delegated Legislation
Committee
Monday 16
July
2007
[Mr.
Mike Hancock
in the
Chair]
Draft Data Retention (EC Directive) Regulations 2007
4.30
pm
The
Minister of State, Home Department (Mr. Tony
McNulty):
I beg to
move,
That the
Committee has considered the draft Data Retention (EC Directive)
Regulations
2007.
These
regulations are made under section 2(2) of the European
Communities Act 1972 and will enable the initial transposition of the
European directive on the retention of data generated or processed in
connection with the provision of publicly available electronic
communication services, or of public communication networks, and, as
everyone knows, will amend directive 2002/58/EC. The data retention
directive requires that traditional communications data from fixed-line
and mobile telephony remain available for lawful disclosure should that
become necessary and
proportionate.
I
shall explain briefly why communications data are important and why the
measures are necessary. Communications data have nothing to do with the
content of the communication, but contain information about who is
communicating with whom, when and where they are communicating, and the
type of communication involved. Typically, public communication
providers retain such information for business purposes, such as
billing, network management and the prevention of fraud. Different
businesses retain such data for different periods, and once their
business purposes for retaining the data have expired, they are
required to destroy them. The regulations are relevant only to
businesses that keep their data for less than a year.
Why is the information
important? Communications data such as mobile phone billing data have a
proven track record in supporting law enforcement and intelligence
agency investigations; they are vital investigative tools providing
evidence of associations between individuals and can place them in a
particular location. They can also provide clear evidence of
innocence.
I
pay tribute to public communications providers, big and small, that
have provided enormous assistance to the Security Service and police by
making communications data available for lawful disclosure, and
participated in discussions with the Government about the
implementation of the data retention directive. Without such data, the
ability of the police and the Security Service painstakingly to
investigate associations between those involved in terrorist attacks
and those who might have directed or financed their activities would be
limited. The ability of the police and the Security Service to
investigate terrorist plots and serious crime must not be allowed to
depend on the business practices employed by the public
communications providers used by a suspect, victim or witness. The draft
regulations will ensure that regardless of which public communication
provider supplies the service, the communications data will be
available.
The
initial transposition applies only to traditional types of
communication such as mobile or fixed-line telephony. In recognition of
the technical complexities of internet communications, the Government
decided to delay implementation of the directive with regard to
internet-related communications, for which public consultation showed
overwhelming support. The retention of internet-related communications
data has been postponed because our early engagement with the industry
indicated that extra time will be required to clarify requirements and
develop a technically sound approach to
implementation.
Mr.
David Heath (Somerton and Frome) (LD): That is an
important point. Voice over internet is a tool that is used
increasingly by organised criminals and terrorist suspects. The sooner
that we have the apparatus to deal with that, the better. I understand
the technical limitations, but do the Government intend to introduce
such regulations at an early
date?
Mr.
McNulty:
We will do so at the earliest possible date.
Given the body of opinion from the industry on the practicability of
implementation, we decided that transposing that part of the directive
now would not bring that forward any sooner. However, we want to do
that at the earliest opportunity. The hon. Gentleman made a good point
about voice over internet protocol, and the increasing use of telephony
via the internet, rather than via traditional fixed-lines or mobiles. I
agree that the directive must cover that as quickly as
possible.
In
contrast, the Government have a great deal of experience in
the retention of traditional communications data. We have been working
with the industry to ensure retention of such data since 2003, when
Parliament approved the code of practice for voluntary retention of
communications data under part 11 of the Anti-terrorism, Crime and
Security Act 2001, which was passed in response to the new
threat from terrorism demonstrated on 11 September 2001. I do not have
to go into detail about the nature of that
threat.
The voluntary
code has provided an important building block in establishing a
practical framework for communications data retention in the UK, and
the draft regulations will provide a necessary next step towards a
mandatory framework, as well as ensuring that communications data are
available to assist investigations regardless of the different business
practices of public communications providers. Many providers have
expressed a preference for a mandatory framework, as they welcome the
additional legal certainty that it will provide.
The
regulations provide for a continuance of the established UK policy of
reimbursing public communications providers who incur expenditure in
adjusting their business practices to comply with the
Governments requirement for the retention of communications
data. The recent public consultation confirmed the need for the
provisions to avoid distortion of the highly competitive UK
telecommunications market.
As Members will see in the explanatory
memorandum, the consultation identified three broad concerns. First,
some providers wanted an assurance that they could keep data beyond 12
months for their own business purposes. That is perfectly fine; it does
not conflict with the draft regulations. Secondly, concern was
expressed, in a Call My Bluff way, that the word
may was used rather than shall in
relation to reimbursement, but that concerns reimbursement on the basis
of any adjustments that providers must make to comply with the
directives rather than wider reimbursement for duplicate record storage
and other such things. Thirdly, some providers sought clarity about the
fact that the regulations will apply to all public service providers
unless the data are held elsewhere by another provider. Public
communications providers requiring additional clarification have been
advised to write to the Home Office to ask how the regulations will
apply to them. Those were the three broad concerns, and they have all
been met.
The
justification for, and practice of, retention of communications data
were debated in the House during consideration of the Anti-terrorism,
Crime and Security Act 2001 and the code of practice for voluntary
retention of communications data. The regulations do not stray from the
established policy position; they simply move the traditional telephone
sector from a voluntary to a mandatory framework for the retention of
communications data. That has been largely welcomed by the industry,
albeit with the three concerns listed in the explanatory memorandum,
which have now been met, and certainly by the law enforcement
community.
4.38
pm
Mr.
Edward Garnier (Harborough) (Con): May I join the Minister
in welcoming you to the Chair, Mr.
Hancock?
The
Chairman:
He neglected to do
it.
Mr.
McNulty:
I did; I
apologise.
Mr.
Garnier:
He did it in his head, and I had access to it
through data
mining.
Mr.
McNulty:
It is a piece of data that I did not retain; I am
sorry.
Mr.
Garnier:
It is encouraging that the Minister did not, at
least in part, simply read out a brief and was too busy thinking about
the guts or substance of his
remarks.
I return to
matters of more direct importance to the Committee. As the official
Opposition, we accept the policy behind the regulations. It will be
interesting to see whether tomorrow afternoons Fifth Delegated
Legislation Committee, which will deal with similar but not identical
regulations under the Regulation of Investigatory Powers Act 2000,
produces a similar debate. I suspect that it
might.
The Minister
outlined the three concerns described in the explanatory memorandum. I
shall not delay the Committee by rehearsing them, but I have the
following questions. Regulation 9 provides that the compulsory time
limit for storing the information for the benefit of the Secretary of
State will be 12 months. The European legislation permits anything up
to 24 months and the voluntary code that we have been working
under for the past year or so has allowed up to 18 monthsI may
have that wrong, and if so, perhaps the Minister would correct
me.
During the
autumn, considerable debate will take place about the length of time
that people may be detained prior to charge under the terrorism
legislation. Yesterday, I listened to the head of the Association of
Chief Police Officers, Ken Jones, and judging by what he said, that
debate may have already started. Twenty-eight days is the current
maximum, but there is a debate to be had about increasing it. Indeed,
this morning, the Minister was on the radio urging public opinion to
move beyond that period. I should be interested to hear whether he
takes a similar view on the 12-month period set out in regulation 9. Is
this merely the starting point, to be followed be an incremental
ratcheting up beyond 12 months in line with any increase about which
the Government seek to persuade Parliament and the public in respect of
the 28-day period?
I
have another discrete point to clarify. Who will have access to the
stored information? I understand the huge public policy advantage in
the police being able to track mobile telephone traffic in
counter-terrorism and terrorism investigations. I want the
Ministers assurance that there will not be some great list of
peoplepublic authorities, whether local government authorities
or non-criminal enforcement authoritieswho may self-authorise
and who will have the right to mine into this data and use it for their
own governmental purposes, outside the remit of the criminal or
counter-terrorism public policy system that is shared across the
House.
It is the
breadth of access, not the principle of access, that needs to be sorted
out. With those brief remarks, and subject to my agreeing, by
implication, with what the hon. Member for Somerton and Frome said in
his intervention, it is my happy duty to say that the official
Opposition are content to let the regulations come into
force.
4.42
pm
Mr.
Heath:
Words cannot express my joy at seeing you in the
Chair, Mr. HancockI hope that that satisfies the
protocols.
I am pleased
to indicate that I, too, will not be opposing these regulations,
because they seem to be a sensible extension of our current
arrangements. I should be grateful to the Minister if he considered a
few questions, the first of which relates to the voice over internet
protocol. I was pleased to hear his comments about an extension at the
earliest opportunity to internet providers. There is clearly an
imperative for doing so in preventing and investigating crime, but the
competitive aspects of other providers also make it necessary. The
internet telephony providers already have a competitive advantage over
other mobile communications, and to some extent, a further competitive
advantage will exist, notwithstanding the reimbursement from
Government, if they do not fall within these requirements. I hope that
we will be able to proceed as soon as possible on this matter. Are other
countries taking the same view about the practicalities? Has any other
member state chosen to introduce the recycling directiveas I
believe it is knownas it applies to internet telephony at an
earlier
date?
Secondly, what
is the Ministers understanding of why some countries want the
provisions to be mandatory and not optional? He suggested that that was
to provide legal certainty, but presumably there is no legal certainty
about the requirement on companies or the rights of companies to retain
the information and provide it when requested to do so by a member
states police force. Presumably, the legal certainty that such
countries seek, again, relates to competition policyto ensure
that others are not avoiding a burden that they face
themselves.
In that
context, why have the Government decided that reimbursement continues
to be the best course, given that other countries are not doing so? If
this country provides more favourable terms for some suppliers in the
UK-based telephony market, does that involve any imbalance within the
whole of the European communications industry? If so, is that
satisfactory?
I was
interested to see the three options in the explanatory notes:
do nothing, do everything or
reduce duplication. It seems to me that they are not
genuine options at all; doing nothing is not really an option in
respect of the directive, and one hopes that any responsible Government
would try to avoid duplication as far as possible within the
technological
constraints.
Does the
Minister have a theory about how duplication will be avoided in this
countryand, most importantly, in the context of Europe-wide
communications? I am thinking of the apportionment involved, when, for
instance, somebody in another member state uses their mobile phone to
call a British number from a British provider. Will it be necessary for
both the network providing the immediate connection and the British
receiving network to retain the information, or will one or the other
do it? How will that be apportioned? Has that yet been worked out and
will a large number of financial agreements be required to accomplish
it?
My last point is
about the issue raised by the hon. and learned Member for Harborough.
There is clearly a question mark about access, although I do not think
that it has yet caused any problem within the British context in
respect of the non-mandatory retention of information. However, given
that the database will become Europe-wide, it is reasonable to ask
whether access to that large body of information will be available
solely to police forces and investigatory bodies of the state. On what
basis will people be able to require access? Will it be purely in
pursuit of serious crime and terrorists, or will the threshold be much
lower? Will access be routinely available to civil servants at a lower
level who are not involved in the investigation?
The
Information Commissioner has a role in policing access arrangements as
far as the British Government are concerned. Will he also have a role
when the information
is derived from an overseas provider? Given that we are now talking
about a Europe-wide system, will the Information Commissioners
remit run to any call that originates or ends in the United Kingdom?
That would seem necessary for our protection. Has the Minister yet
discussed that issue with his counterparts in the other member states
and with the Commission? If I get at least some of the answers to my
questions, I shall not oppose the
regulations.
4.49
pm
Mr.
McNulty:
May I say, Mr. Hancock, what a
profound pleasure it is to serve under your chairmanship? I sincerely
apologise for not recognising the profundity of that pleasure earlier,
and for omitting that courtesy. I am grateful that colleagues were not
too forthcoming in reminding me of
that.
Let me try to
deal with some of the fair points that have been made. First, on the
voice over internet protocol, the hon. Member for Somerton and Frome
knows that the technology is emerging. We are working alongside the
industry, in the UK and elsewhere, in trying to come to a voluntary
arrangement in the first instance. I may have misled him by suggesting
that our move on to the internet, which we want to undertake as soon as
possible, will embrace the voice over internet protocol: it will not,
simply because the technology is still emerging. We are going from
fixed telephony and mobiles through to the internet, as I said, but our
discussions with the industry revealed that more time is needed. The
voice over internet protocol is further down the line, not least
because it is early days and the technology is still emerging. Any
number of providers have said that there may not be a need for billing
data then, because there will simply be a common charge for access to
the network, so things will be slightly different.
The hon. and
learned Member for Harborough asked who will have access. As was
half-indicated by the hon. Member for Somerton and Frome, it will be
the police and relevant investigative authorities, as defined in the
debate on the regulation of investigatory powers orders that we shall
hold tomorrow. Under those orders, it is clear who can access data and
who are the investigatory authorities. Under the Regulation of
Investigatory Powers Act 2000RIPAthere are
requirements of appropriateness, necessity, proportionality and all the
other things that are set out in the Act, which have been agreed by the
Information Commissioner, who broadly supports our view. As for other
member states, Denmark is well ahead in developing the transposition of
the internet, and we will watch the situation there with interest. On
the point about data outside Europe, the measure is principally
designed to cover UK-generated data, and data providers give us
information in that regard. Clearly, there will be some overlap with
calls from elsewhere, but the transposition of the directive to UK law
is principally about data from telephony generated within this
country.
We rightly
seek to build on what has gone before, and there are well-established
reimbursement patterns in place. As I said at the outset, the
reimbursement is more about how a provider has to change its business
practice sharply to accommodate the directive rather than about
reimbursement per se. The hon. Member for Somerton and Frome
half-answered his own
question; this is an extremely sensitive and competitive market, so the
fact that the requirement to retain such data will be exercised on a
level playing field has been broadly welcomed. Some providers want to
get rid of their data at three or six-monthly periods, rather than
retain them. That is problematic because the experience of the past
couple of years under the voluntary code suggests that 12 months is
sufficient. To return to what the hon. and learned Member for
Harborough said, the period under the voluntary code was 12 months, not
18 months, and that was about right. We will keep matters under review,
but the 12-month period has been quite successful. I reiterate that
there has been a broad welcome, because people think, If there
is to be a fixed period, let it be the same for everyone. That
applies, too, to the point about sensitivity.
Reimbursement is not about
giving a full subsidy, but about providing reimbursement in what we
hope will be a cost-neutral system to the industry in the long term. It
is intended to ensure that there will be adequate retrieval mechanism
systems above and beyond what is already in place. As the voluntary
code has broadly worked, we seek to build on it and transpose the
directive accordingly. The 12-month period, the current reimbursement
programme and the way in which the access requirements are laid out in
RIPA have all worked well. Those are the appropriate ways in which to
ensure that data are not only retained but accessed, and the measure is
the right and proper way in which to transpose the directive. I am
grateful not only for the Committees indulgence in accepting
that that is broadly the way to go, but for the slight lifting of his
petticoat by the hon. and learned Member for
Harboroughpetticoat is not the right word, but
he knows what I meanwho told us that we will have even more fun
when we discuss the RIPA orders, which are part of this process, on the
morrow. With that, let me repeat what a pleasure it is to serve under
your chairmanship, Mr. Hancock, and commend the order to the
Committee.
Question put and agreed
to.
Resolved,
That
the Committee has considered the draft Data Retention (EC Directive)
Regulations
2007.
Committee
rose at
five
minutes to Five
oclock.