The debate within Parliament on DRIP is now largely over, after a day in the Commons and two in the Lords. At lot of points were made over the three days, some valid, some vastly less so. It was apparent that irrespective of MP or peer views on the content of the bill, there was widespread anger about the fast track process being used. I hadn’t realised that this was far from the first such, but this seemed to be a special case as all participants recognised the sensitivity of the bill and the overall lack of trust the public has in government at the moment. After watching all three day’s debate on the subject, I thought it may be of interest to a couple of my readers (literally) if I summarised the points made over the days. I’ve italicised my own thoughts, to try to differentiate between reporting and commentary. I apologise for the length of this post – there were a lot of interesting points raised in the debates, and I thought they deserved reporting.
Key Points (aka TL;DR)
- Widespread anger amongst debate participants about the process used by the bill, but apathy by many others
- The sunset clause is generally acceptable, although not ideal
- RIPA is going to be replaced, and there are assorted reports coming up over the next couple of years which will help this
- There is a need for DRIP following the ECJ ruling, but there’s a lot of reasonable concern that this Bill may be vulnerable to some of the same issues flagged in that ruling.
- There’s less of a need for the RIPA parts of the bill, especially being fast-tracked.
- Many assert that Clause 5 of the bill does confer new powers, contrary to the government view.
- It’s obvious that many MPs and Peers don’t understand RIPA etc, and even fewer have the technical competence to understand the technical aspects.
- Typical straw men arguments were used by many bill supporters, including the government, which was frankly disgusting.
- Overall, the government were incompetent in how they assembled and presented this bill.
Timing and Process
As mentioned, a significant amount of the debate covered the anger about the fast-track process, and other timing issues.
Why the delay/fast-track?
Many people asked why it’s taken around three months for the bill to come to parliament, given that the ECJ ruling was hardly a surprise. The government asserts this has been due to the time taken to evaluate the ECJ ruling, and craft a Bill which meets these needs, and that they have been in discussions with communications providers. The former seems unlikely to me, and while the latter is undoubtedly true this doesn’t fully explain the delay. Participants gave other reasons: i) a ploy by the Home Office to suppress scrutiny, ii) due to disagreement within the coalition. This latter is an interesting point, which I expect will come up during the upcoming election. Generally though, there was an understanding that the ECJ Ruling meant that the data retention clauses may need fast tracking. Some people did dissent on the other clauses of the bill though, such as the Constitution Committee report on DRIP “It is not clear why [clauses 4-5] need to be fast-tracked.” The government had asserted that this was because foreign companies, which had been helpful previously, were beginning to get nervous and require a legal shield urgently. The reason for this, and the reason for the major change from 2012 when this wasn’t a problem, was explained as being due to Snowdon. That makes eminent sense to me. Overall, while I think there shouldn’t have been a need for the fast-track, or as fast a fast-track, I can understand that there is a need for urgency.
The Bill contains a sunset clause for the end of 2016. There was a lot of disagreement with this debate, with amendments proposed by the Common’s to make this only 6 months, and the Lord’s for end of 2015 – both failed/were withdrawn. The primary reason given by the government, and others, for the end of 2016 are: a) that there are numerous reports due which would help come up with new guidance, but these aren’t due for several months, b) the legislative process for a full rewrite of RIPA (as is needed) will take 6+ months by itself, c) the upcoming general election. Taking the election period first, parliament is due to dissolve on 30th March 2015 and return some time after 7th May 2015 . Obviously no legislation can be progressed while parliament is dissolved, and it was asserted that it wouldn’t be feasible for anything to be done in the first six months of the new government. Furthermore, Lord Hodgson stated that “[Political] campaigns are bound to be conducted in primary colours to gain public attention. We are balancing the difficulties of issues of privacy and national security that have nuances and require light and shade, which do not lend themselves well to the hurly-burly of a general election campaign.” I find the arguments about the general election partly fair, but I think the public deserves to be able to take into account the views of the candidates and parties on the matter of data privacy. Waiting until after the election to have these discussions is a disservice to the public. Regarding the reviews and reports, please see the “Reviews of RIPA and DRIP” section. There are indeed several reports due which may be useful, although most are due prior to mid-2015, although notably the independent RUSI report and Independent Privacy and Civil Liberties Oversight Board are due after. Mid-2016 may have been a more feasible amendment. There were a couple of requests for detailed timescales to justify the end-2016 sunset. It would have been useful if the Home Office had drafted a rough indicative schedule in order to help explain why they had selected that date. Overall, I still don’t like the end-2016 sunset, but I had forgotten the general election was due, and so it’s barely acceptable to me now.
Reviews of RIPA and DRIP
The Select Committee of Home Affairs supports the Bill, as does the Intelligence Services Committee. The ISC was informed about the Bill the day before the Home Secretary’s statement, and has discussed with the agencies. Overall, they are happy that it doesn’t “simply add to the powers” of RIPA, which would have made them uncomfortable.
Reviews in DRIP
The opposition secured two significant amendments from the government. The first (clause 6) added a 6-monthly review on DRIP by the Interception of Communications Commissioner’s Office (IOCCO). They already review RIPA (2013 report is a good read ) so this is a small increase in their powers, although it should be noted that the retention aspects of the Bill were not previously within their purview. The IOCCO is relatively understaffed, so I do wonder how they’ll find this additional workload. I doubt they’ll find much of note, to be honest. The second (clause 7) provides for a review of Investigatory Powers and RIPA, by the independent reviewer of terrorism legislation, David Anderson QC, to be completed before 1st May 2015 (and hence before the election). There have been several areas of concern raised about this. Regarding the clause itself, the report goes to the PM, not parliament, and the PM can choose not to report to parliament any issue that “it appears to the Prime Minister that the publication of any matter […] would be contrary to the public interest” (Bill clause 7(6)). This is weaker than only allowing the PM to hide things prejudicial to national security. As an aside, Lord Blencathra mentioned that he had already addressed 7(2)(b)-(f) when looking at draft Communications Data Bill – it would be interesting to read his comments. Regarding David Anderson QC, there are claims that he is under-staffed as it is, and so concerns about adding to his workload. Additionally, he is possibly being replaced (or his role is being ‘developed’) by the Independent Privacy and Civil Liberties Oversight Board – what does this mean for this clause? A Joint committee of parliament will look at that report, plus the Intelligence Services Committee. I expect this joint committee to kick off the discussion on the replacement for RIPA.
An Independent Privacy and Civil Liberties Oversight Board  is due to be set up, with legislation coming in this session (i.e. before 30th March 2015). This will be made up of four members, and will replace the role of the independent reviewer of terrorism legislation. Their first report will be due a year after being established – so likely sometime around mid-2016. Two areas of concern were flagged up in the debate. Firstly, whether the members will have sufficient access to classified material to fulfil their role. The second was that it was noted that as even the Intelligence Services Committee apparently didn’t know about the GCHQ Tempora project, it’s unlikely the Oversight Board would be able to fulfil their role. I do have my concerns on this likewise. The Labour opposition have asserted that they want to do the following:-
- Strengthen the ISC and have an Opposition Chair (i.e. make the chair of the ISC a member of the opposition, rather than the government)
- Overhaul of commissioners – there are too many and the reports they produce are not public facing
- Change the focus of the commisioners, often they are limited to assessing compliance of existing legislation vs looking at whether legislation is still appropriate/effective
Royal United Services Institute (RUSI) are conducting an independent surveillance panel  which will extend beyond the 2015 general election.
The need for the ECJ rules comes from the confluence of two things. Firstly, the ECJ ruling that the EU Data Retention Directive was unlawful. This then left the UK implementation of that directive in danger, as it was not implemented as primary legislation. The second is the Data Protection Act, which requires companies to delete customer data as soon as it is no longer needed. If the UK retention laws were overruled, then companies would be legally required to delete any data they had retained under the UK law, which they themselves did not need to retain. There is a judicial review which asserts the unlawfulness of UK data retention legislation, which has been stayed while the ECJ ruled. This is due to report very soon, and I wonder if the government had strong suspicions that the review would conclude that it was unlawful, hence the need for the Bill. The Constitution Committee has reported that they believe the UK regulations now lack legal authority. The Home Office had previously told companies to ignore the ECJ ruling, as the law remained in the UK. This was widely seen as a stopgap. The government has asserted that DRIP, together with already existing laws, meet the key issues identified by the ECJ. There was a lot of concern during the debate that this is not the case, for example while variable retention terms are added, as per the ECJ ruling, neither DRIP nor the regulations provide objective measures for determining what retention term to use. Some MPs and peers believe there are other issues not addressed. David Davis (Con): “While the Bill may be law by the end of the week, it may be junk by the end of the year.” The question of whether the new law will be safe is still not decided. The Joint Committee on Human Rights has asked for the government to publish an analysis of the ECJ ruling and how the proposed UK legislation matches up, but this has not been done. Publishing such an analysis would be useful in working out how safe the law is.
Unlike the retention aspect of the bill, there was less evidence that the RIPA extra-territoriality terms needed to be fast-tracked. The Constitution Committee said they didn’t understand why needed to be fast-tracked.  The government asserted several times that companies had previously been friendly and complied, on an extra-territorial basis, with exceptions, but that recently companies who were previously compliant were requesting legal cover. No reason for this was given initially, however eventually the government asserted that this is since Snowdon. However, while the magnitude of the problem may have grown recently, this was not a new problem – Lord Davies: “The Joint Committee on the Draft Communications Data Bill noted in its report (published in December 2012) that ‘many overseas CSPs [communication service providers] refuse to acknowledge the extraterritorial application of RIPA’”.” The question remains therefore why this needed to be fast-tracked now, some 7+ months later, rather than addressed during what many debaters asserted was a light legislation session. As for whether extra-territoriality is new, Jack Straw (one of the RIPA architects) confirmed that initial intent of RIPA had included Extraterritoriality. Therefore government assertions that clause 4 of the Bill don’t add any new powers are possibly true, or at least in accordance with the initial intent. A concern was raised that this reading of RIPA didn’t tally with what other people thought, and that such a reading of RIPA was a ‘secret’. I’m not convinced by this, but do agree that there is confusion due to the purposefully complex construction of the law. However, extra-territoriality isn’t the only modification to RIPA in the Bill. Clause 5 modifies the description of a “telecommunications service” in an extremely broad way. It was stated that Liberty, the lawyer Graham Smith, and others believe that Clause 5 does confer new powers – rubbishing the government’s assertion that nothing in the Bill does so. This point was only concretely discussed by the Lords – I believe the Commons somewhat missed this. An unanswered question raised in both houses was what to do if companies say no. There was some government handwaving, but no real answer given. Finally, and not in the bill itself, the government has asserted that they will assign a Senior Diplomat to look at bi/multi-lateral agreements to cover extra-territoriality, such as the Mutual Legal Assistance Treaty (MLAT) with the US. For example, “mutual recognition of national warrants”. This does make me somewhat nervous, as the US courts are not renowned for the quality of their jurisprudence in national security matters.
What is “National Security”?
While people were generally happy about the attempt to limit RIPA use for ‘economic’ purposes to only apply to national security aspects of the economy, there was still the question of what is “national security” in this area. Katy Clark (Lab) asked, for example, whether this could be used “in a situation such as the miners’ strike of 1984-85?” There was reassurance from the government that such was certainly not the intention.
Replacement of RIPA
Clause 7 has been added to support an investigation of RIPA, and there seems to be cross-party agreement that RIPA needs replacement. I’m pretty confident that this is going to happen in the next parliament – it’ll be interesting to see what happens. In the interim, there has been much discussion that a number of bodies which can issue RIPA requests. It turns out only 13 are being removed.
Snowdon was mentioned several times, and generally when discussing several different points. Firstly, his releases were used as one of the explanations for why the public no longer trust the intelligence services and government oversight. Secondly, there was discussion about how these were handled differently in the US versus the UK. Attention was drawn to the generally lackluster reception in the UK parliament, and minimal discussion that has occurred. The proposed Independent Privacy and Civil Liberties Oversight Board was seen as one way to address this, largely aping the US equivalent set up several months ago. Thirdly, and related to the first point, there is concern over future oversight. Generally people think that GCHQ have behaved legally, although on the border of law, and that the complexity of RIPA has meant that many, including MPs and peers, didn’t fully understand what was allowed. There was concern that the government has had private or secret interpretations of RIPA, which has allowed justification of behaviour contrary to the understanding of many – for example the ‘external’ aspect of RIPA. I was generally not surprised about the interception/’external’ aspects of RIPA – I had read it in some depth – and in fact I was rather surprised that so few other people had. However, I’ve long had concerns about oversight, RIPA as it applies beyond the intelligence services, and several other related areas. Overall, if Snowdon has made a few people open their eyes, then good.
Lords vs Commons
It was interesting seeing the difference between the debates in the Commons and Lords. I found the Lords debate much more fact based, however that could be due to the abridged nature of the debates – several of the reports referenced in the Lords were only published after the Commons had concluded their debate. The Lords also ranged somewhat more widely in their discussion, looking beyond just this immediate Bill and a bit of RIPA. This included consideration of Extraordinary Rendition, and wider security matters. The turnout for both was relatively poor, albeit no worse than many other debates. It’s possible that as this was a party vote, and so was inevitably going to pass, many couldn’t be bothered. It’s also possible that some didn’t want this around their necks for the general election. Overall, I was slightly underwhelmed by both debates, and especially that in the Commons. That said, the debate over the next 30 months(!) on the replacement for RIPA is likely to be much hotter – there are definitely strongly held opinions and this is just any early battle in a much larger war.
Differentiation between types of data and aspects of RIPA etc
There appeared to be a lot of confusion in the debates between retention, acquisition, and interception, plus confusion between communications data and relevant communications data. For example Alan Johnson defended RIPA as being not intrusive by comparing the 221,000 postal items opened in 1969 with the only 2,670 intercept warrants in 2013. However he failed to note the 514,000 RIPA authorisations and notices which were also made. I’m going to assume Mr Johnson just made an error, rather than actively trying to mislead. The debate highlighted the unnecessary complexity and confusion inherent in DRIP, RIPA, and similar.
Need for retention
Several different statistics were provided to highlight why retention and RIPA were needed. According to the CPA, “Communications data is used in 95% of Serious and Organised Crime”, however no information was given about the types of data, or types of RIPA request – there’s a big difference between a request for subscriber information and full interception, not least that the latter requires a warrant from a Secretary of State. Several concrete examples were given for why data should be retained, however it was interesting that all those given only needed twenty-four hours of data at most – something which no MP flagged up. There was however an assertion that almost 50% of communications data used in child abuse cases are more than six months old. It’s unknown whether this referred to “communications data” or “relevant communications data”.
Communications Data Bill
Several references were made to the Communications Data Bill (aka snooper’s charter). Generally this appeared to be by fans of that Bill, who were attempting to tie the need for this Bill to the Lib Dems blocking that Bill. There was furthermore an assertion that the unpublished draft of that bill is no longer a snoopers charter.
Secondary legislation (Regulations)
Clause 1(3) of the bill allows for Regulations to be written, which are available in draft form . There are questions about when these will actually go before parliament, as they are necessary – no schedule has been given. The clause has also been flagged up as having problems by the Constitution Committee (that while it gives power to make regulations, there’s no requirement to do so)  and the Delegated Powers and Regulatory Reform Committee (that the powers aren’t restricted) . I’m not sure I agree with this latter, as I thought 1(4) restricted the powers, but it depends very much on what “may” means.
It seemed to me that MPs and peers don’t have a great handle on what the public think of the Bill or RIPA. Some debators asserted that lots of people cared and knew about RIPA/DRIP, others asserted that very few people knew. Personally I think that a lot of people care, but very few really know, largely due to the opaque way such legislation occurs. Quoting Baroness Kennedy (Lab) “We should always remember that it is the practice of those who draft legislation about the functions of the security services to make it as complex and impenetrable as possible, and that is what this legislation is—obscurantist lawmaking at its height. ” Additionally, few people are interested enough to do much research, I find I agree with Hazel Blears: “[the IOCCO] report has probably been read by perhaps a handful of people in this country.” Generally there was agreement amongst many that it is important to get the public on side, to have a public debate, and to build trust.
Dr Julian Huppert (LD) raised two amendments, which were both withdrawn in the interests of time, knowing that neither would pass. I thought both of these were excellent amendments. The first amendment proposed to require collection of data on RIPA etc requests, to provide better analysis. The government asserted that they are already going to be doing annual transparency reviews, and will look at amending the code of practice on acquisition and disclosure of Communications data later this year. Personally I’d have been happier if there was a statutory requirement rather than the government just saying “trust us”. The second amendment was to allow companies to report statistics on the number of RIPA requests received – to allow companies to provide their own transparency notices annually. The government completely disagrees, and reasserted that doing so would count as tipping off. They further asserted that it is the place of the IOCCO to report  on the number of requests received. While the IOCCO report is excellent, I think that statistical information cannot be too dangerous, especially when appropriately bucketed. Furthermore, the IOCCO do not report on the number, size, or duration, of retention requests – although maybe they will do so in the future.
Several individuals referred to how much data private companies hold, and yet the public has no worries, whereas the government has strict rules. There was definitely an appetite to include private data in some form of future legislation. It appears to me though that there is a big difference here – I can choose which companies I work with, whereas I cannot opt-out of having RIPA requests served against my data. There was also no discussion whatsoever on the impact of RIPA on private companies – RIPA results in vast numbers of disparate requests from a number of organisations, some of whom won’t be especially familiar with the technologies being requested. I think that will need to be addressed in future legislation, possibly with a central clearing house for authorities/agencies who are less familiar with both the legislation and the companies themselves.
It was obvious that the level of technical/IT competence of many in both houses was seriously lacking. Indeed, Baroness Lane Fox (of lastminute.com fame) said as such. What terrified me most though was that some seemed to have just enough knowledge (or briefing) to be dangerous in their incompetence – Helen Goodman (Lab) (see Straw Men, below) is the perfect example of this.
The debate was full of straw men arguments, especially on the government side/pro-Bill side. This is no surprise, however it was somewhat disappointing nonetheless. Still, a number of MPs and peers were cognizant of this and called it out. I must take a moment however to pour out my scorn for Helen Goodman (Lab). She represented the worst of someone briefed with just enough knowledge to be dangerous, who also seemed to believe in a binary straw-man world. I highly recommend you read her diatribe in Hansard, but be careful of spit-takes…
There were a small number of Anti-EU/EHRC debaters. It appeared the government barely, if at all, consulted with the devolved administrations. Many supporters of the Bill seemed to imply that what the police and intelligence agencies ask for, they should get, which is rather scary. Lord Hodgson (Con) captured this rather well when he said “The bottom line is that the security services and the police have told us that they need this Bill. They deserve our support because they work long hours unsung on our behalf to keep us safe. Therefore, this is a Bill they must have.” I’m hoping he was just referring to the government position.
Bill and Reports
- Constitution Committee report on DRIP: Link
- Delegated Powers and Regulatory Reform Committee report on DRIP: Link
- Latest DRIP Bill (approved by House of Lords): Link
- Draft Regulations under DRIP: Link
- Commons Business
- Commons Second Reading
- Commons Committee stage
- Lords Second Reading
- Lord’s Committee stage
- General Election Timetable
- Independent Privacy and Civil Liberties Oversight Board Terms of Reference
- Interception of Communications Commissioners Office 2013 Report
- Independent Reviewer of Terrorism Legislation David Anderson QC
- RUSI Independent Surveillance Review Panel