The Minister of State, Home Department (Mr. Tony McNulty): I beg to move,

These regulations are made under section 2(2) of the European Communities Act 1972 and will enable the initial transposition of the European directive on the retention of data generated or processed in connection with the provision of publicly available electronic communication services, or of public communication networks, and, as everyone knows, will amend directive 2002/58/EC. The data retention directive requires that traditional communications data from fixed-line and mobile telephony remain available for lawful disclosure should that become necessary and proportionate.

I shall explain briefly why communications data are important and why the measures are necessary. Communications data have nothing to do with the content of the communication, but contain information about who is communicating with whom, when and where they are communicating, and the type of communication involved. Typically, public communication providers retain such information for business purposes, such as billing, network management and the prevention of fraud. Different businesses retain such data for different periods, and once their business purposes for retaining the data have expired, they are required to destroy them. The regulations are relevant only to businesses that keep their data for less than a year.

Why is the information important? Communications data such as mobile phone billing data have a proven track record in supporting law enforcement and intelligence agency investigations; they are vital investigative tools providing evidence of associations between individuals and can place them in a particular location. They can also provide clear evidence of innocence.

I pay tribute to public communications providers, big and small, that have provided enormous assistance to the Security Service and police by making communications data available for lawful disclosure, and participated in discussions with the Government about the implementation of the data retention directive. Without such data, the ability of the police and the Security Service painstakingly to investigate associations between those involved in terrorist attacks and those who might have directed or financed their activities would be limited. The ability of the police and the Security Service to investigate terrorist plots and serious crime must not be allowed to depend on the business practices employed by the public communications providers used by a suspect, victim or witness. The draft regulations will ensure that regardless of which public communication provider supplies the service, the communications data will be available.

The initial transposition applies only to traditional types of communication such as mobile or fixed-line telephony. In recognition of the technical complexities of internet communications, the Government decided to delay implementation of the directive with regard to internet-related communications, for which public consultation showed overwhelming support. The retention of internet-related communications data has been postponed because our early engagement with the industry indicated that extra time will be required to clarify requirements and develop a technically sound approach to implementation.

Mr. David Heath (Somerton and Frome) (LD): That is an important point. Voice over internet is a tool that is used increasingly by organised criminals and terrorist suspects. The sooner that we have the apparatus to deal with that, the better. I understand the technical limitations, but do the Government intend to introduce such regulations at an early date?

Mr. McNulty: We will do so at the earliest possible date. Given the body of opinion from the industry on the practicability of implementation, we decided that transposing that part of the directive now would not bring that forward any sooner. However, we want to do that at the earliest opportunity. The hon. Gentleman made a good point about voice over internet protocol, and the increasing use of telephony via the internet, rather than via traditional fixed-lines or mobiles. I agree that the directive must cover that as quickly as possible.

In contrast, the Government have a great deal of experience in the retention of traditional communications data. We have been working with the industry to ensure retention of such data since 2003, when Parliament approved the code of practice for voluntary retention of communications data under part 11 of the Anti-terrorism, Crime and Security Act 2001, which was passed in response to the new threat from terrorism demonstrated on 11 September 2001. I do not have to go into detail about the nature of that threat.

The voluntary code has provided an important building block in establishing a practical framework for communications data retention in the UK, and the draft regulations will provide a necessary next step towards a mandatory framework, as well as ensuring that communications data are available to assist investigations regardless of the different business practices of public communications providers. Many providers have expressed a preference for a mandatory framework, as they welcome the additional legal certainty that it will provide.

The regulations provide for a continuance of the established UK policy of reimbursing public communications providers who incur expenditure in adjusting their business practices to comply with the Government’s requirement for the retention of communications data. The recent public consultation confirmed the need for the provisions to avoid distortion of the highly competitive UK telecommunications market.

As Members will see in the explanatory memorandum, the consultation identified three broad concerns. First, some providers wanted an assurance that they could keep data beyond 12 months for their own business purposes. That is perfectly fine; it does not conflict with the draft regulations. Secondly, concern was expressed, in a “Call My Bluff” way, that the word “may” was used rather than “shall” in relation to reimbursement, but that concerns reimbursement on the basis of any adjustments that providers must make to comply with the directives rather than wider reimbursement for duplicate record storage and other such things. Thirdly, some providers sought clarity about the fact that the regulations will apply to all public service providers unless the data are held elsewhere by another provider. Public communications providers requiring additional clarification have been advised to write to the Home Office to ask how the regulations will apply to them. Those were the three broad concerns, and they have all been met.

The justification for, and practice of, retention of communications data were debated in the House during consideration of the Anti-terrorism, Crime and Security Act 2001 and the code of practice for voluntary retention of communications data. The regulations do not stray from the established policy position; they simply move the traditional telephone sector from a voluntary to a mandatory framework for the retention of communications data. That has been largely welcomed by the industry, albeit with the three concerns listed in the explanatory memorandum, which have now been met, and certainly by the law enforcement community.

Mr. Edward Garnier (Harborough) (Con): May I join the Minister in welcoming you to the Chair, Mr. Hancock?

The Chairman: He neglected to do it.

Mr. McNulty: I did; I apologise.

Mr. Garnier: He did it in his head, and I had access to it through data mining.

Mr. McNulty: It is a piece of data that I did not retain; I am sorry.

Mr. Garnier: It is encouraging that the Minister did not, at least in part, simply read out a brief and was too busy thinking about the guts or substance of his remarks.

I return to matters of more direct importance to the Committee. As the official Opposition, we accept the policy behind the regulations. It will be interesting to see whether tomorrow afternoon’s Fifth Delegated Legislation Committee, which will deal with similar but not identical regulations under the Regulation of Investigatory Powers Act 2000, produces a similar debate. I suspect that it might.

The Minister outlined the three concerns described in the explanatory memorandum. I shall not delay the Committee by rehearsing them, but I have the following questions. Regulation 9 provides that the compulsory time limit for storing the information for the benefit of the Secretary of State will be 12 months. The European legislation permits anything up to 24 months and the voluntary code that we have been working under for the past year or so has allowed up to 18 months—I may have that wrong, and if so, perhaps the Minister would correct me.

During the autumn, considerable debate will take place about the length of time that people may be detained prior to charge under the terrorism legislation. Yesterday, I listened to the head of the Association of Chief Police Officers, Ken Jones, and judging by what he said, that debate may have already started. Twenty-eight days is the current maximum, but there is a debate to be had about increasing it. Indeed, this morning, the Minister was on the radio urging public opinion to move beyond that period. I should be interested to hear whether he takes a similar view on the 12-month period set out in regulation 9. Is this merely the starting point, to be followed be an incremental ratcheting up beyond 12 months in line with any increase about which the Government seek to persuade Parliament and the public in respect of the 28-day period?

I have another discrete point to clarify. Who will have access to the stored information? I understand the huge public policy advantage in the police being able to track mobile telephone traffic in counter-terrorism and terrorism investigations. I want the Minister’s assurance that there will not be some great list of people—public authorities, whether local government authorities or non-criminal enforcement authorities—who may self-authorise and who will have the right to mine into this data and use it for their own governmental purposes, outside the remit of the criminal or counter-terrorism public policy system that is shared across the House.

It is the breadth of access, not the principle of access, that needs to be sorted out. With those brief remarks, and subject to my agreeing, by implication, with what the hon. Member for Somerton and Frome said in his intervention, it is my happy duty to say that the official Opposition are content to let the regulations come into force.

Mr. Heath: Words cannot express my joy at seeing you in the Chair, Mr. Hancock—I hope that that satisfies the protocols.

I am pleased to indicate that I, too, will not be opposing these regulations, because they seem to be a sensible extension of our current arrangements. I should be grateful to the Minister if he considered a few questions, the first of which relates to the voice over internet protocol. I was pleased to hear his comments about an extension at the earliest opportunity to internet providers. There is clearly an imperative for doing so in preventing and investigating crime, but the competitive aspects of other providers also make it necessary. The internet telephony providers already have a competitive advantage over other mobile communications, and to some extent, a further competitive advantage will exist, notwithstanding the reimbursement from Government, if they do not fall within these requirements. I hope that we will be able to proceed as soon as possible on this matter. Are other countries taking the same view about the practicalities? Has any other member state chosen to introduce the recycling directive—as I believe it is known—as it applies to internet telephony at an earlier date?

Secondly, what is the Minister’s understanding of why some countries want the provisions to be mandatory and not optional? He suggested that that was to provide legal certainty, but presumably there is no legal certainty about the requirement on companies or the rights of companies to retain the information and provide it when requested to do so by a member state’s police force. Presumably, the legal certainty that such countries seek, again, relates to competition policy—to ensure that others are not avoiding a burden that they face themselves.

In that context, why have the Government decided that reimbursement continues to be the best course, given that other countries are not doing so? If this country provides more favourable terms for some suppliers in the UK-based telephony market, does that involve any imbalance within the whole of the European communications industry? If so, is that satisfactory?

I was interested to see the three options in the explanatory notes: “do nothing”, “do everything” or “reduce duplication”. It seems to me that they are not genuine options at all; doing nothing is not really an option in respect of the directive, and one hopes that any responsible Government would try to avoid duplication as far as possible within the technological constraints.

Does the Minister have a theory about how duplication will be avoided in this country—and, most importantly, in the context of Europe-wide communications? I am thinking of the apportionment involved, when, for instance, somebody in another member state uses their mobile phone to call a British number from a British provider. Will it be necessary for both the network providing the immediate connection and the British receiving network to retain the information, or will one or the other do it? How will that be apportioned? Has that yet been worked out and will a large number of financial agreements be required to accomplish it?

My last point is about the issue raised by the hon. and learned Member for Harborough. There is clearly a question mark about access, although I do not think that it has yet caused any problem within the British context in respect of the non-mandatory retention of information. However, given that the database will become Europe-wide, it is reasonable to ask whether access to that large body of information will be available solely to police forces and investigatory bodies of the state. On what basis will people be able to require access? Will it be purely in pursuit of serious crime and terrorists, or will the threshold be much lower? Will access be routinely available to civil servants at a lower level who are not involved in the investigation?

The Information Commissioner has a role in policing access arrangements as far as the British Government are concerned. Will he also have a role when the information is derived from an overseas provider? Given that we are now talking about a Europe-wide system, will the Information Commissioner’s remit run to any call that originates or ends in the United Kingdom? That would seem necessary for our protection. Has the Minister yet discussed that issue with his counterparts in the other member states and with the Commission? If I get at least some of the answers to my questions, I shall not oppose the regulations.

Mr. McNulty: May I say, Mr. Hancock, what a profound pleasure it is to serve under your chairmanship? I sincerely apologise for not recognising the profundity of that pleasure earlier, and for omitting that courtesy. I am grateful that colleagues were not too forthcoming in reminding me of that.

Let me try to deal with some of the fair points that have been made. First, on the voice over internet protocol, the hon. Member for Somerton and Frome knows that the technology is emerging. We are working alongside the industry, in the UK and elsewhere, in trying to come to a voluntary arrangement in the first instance. I may have misled him by suggesting that our move on to the internet, which we want to undertake as soon as possible, will embrace the voice over internet protocol: it will not, simply because the technology is still emerging. We are going from fixed telephony and mobiles through to the internet, as I said, but our discussions with the industry revealed that more time is needed. The voice over internet protocol is further down the line, not least because it is early days and the technology is still emerging. Any number of providers have said that there may not be a need for billing data then, because there will simply be a common charge for access to the network, so things will be slightly different.

The hon. and learned Member for Harborough asked who will have access. As was half-indicated by the hon. Member for Somerton and Frome, it will be the police and relevant investigative authorities, as defined in the debate on the regulation of investigatory powers orders that we shall hold tomorrow. Under those orders, it is clear who can access data and who are the investigatory authorities. Under the Regulation of Investigatory Powers Act 2000—RIPA—there are requirements of appropriateness, necessity, proportionality and all the other things that are set out in the Act, which have been agreed by the Information Commissioner, who broadly supports our view. As for other member states, Denmark is well ahead in developing the transposition of the internet, and we will watch the situation there with interest. On the point about data outside Europe, the measure is principally designed to cover UK-generated data, and data providers give us information in that regard. Clearly, there will be some overlap with calls from elsewhere, but the transposition of the directive to UK law is principally about data from telephony generated within this country.

We rightly seek to build on what has gone before, and there are well-established reimbursement patterns in place. As I said at the outset, the reimbursement is more about how a provider has to change its business practice sharply to accommodate the directive rather than about reimbursement per se. The hon. Member for Somerton and Frome half-answered his own question; this is an extremely sensitive and competitive market, so the fact that the requirement to retain such data will be exercised on a level playing field has been broadly welcomed. Some providers want to get rid of their data at three or six-monthly periods, rather than retain them. That is problematic because the experience of the past couple of years under the voluntary code suggests that 12 months is sufficient. To return to what the hon. and learned Member for Harborough said, the period under the voluntary code was 12 months, not 18 months, and that was about right. We will keep matters under review, but the 12-month period has been quite successful. I reiterate that there has been a broad welcome, because people think, “If there is to be a fixed period, let it be the same for everyone.” That applies, too, to the point about sensitivity.

Reimbursement is not about giving a full subsidy, but about providing reimbursement in what we hope will be a cost-neutral system to the industry in the long term. It is intended to ensure that there will be adequate retrieval mechanism systems above and beyond what is already in place. As the voluntary code has broadly worked, we seek to build on it and transpose the directive accordingly. The 12-month period, the current reimbursement programme and the way in which the access requirements are laid out in RIPA have all worked well. Those are the appropriate ways in which to ensure that data are not only retained but accessed, and the measure is the right and proper way in which to transpose the directive. I am grateful not only for the Committee’s indulgence in accepting that that is broadly the way to go, but for the slight lifting of his petticoat by the hon. and learned Member for Harborough—“petticoat” is not the right word, but he knows what I mean—who told us that we will have even more fun when we discuss the RIPA orders, which are part of this process, on the morrow. With that, let me repeat what a pleasure it is to serve under your chairmanship, Mr. Hancock, and commend the order to the Committee.

Question put and agreed to.

Resolved,

Committee rose at five minutes to Five o’clock.