My Lords, this has been a very short debate; in fact, there has been an absence of debate. However, I am grateful to the Minister for meeting us prior to today to discuss the Bill; speaking with officials was very helpful. I offer the apologies of my noble friend Lady Hamwee, who has an important committee meeting this afternoon and is unable to speak in this debate, but the House can be reassured that she will submit amendments to which she will speak in Committee.
I am grateful to techUK for its advice on this matter. The Bill looks very much like the equivalent of the United States Clarifying Lawful Overseas Use of Data, or CLOUD, Act, which sets out how the US Government can access overseas data for law enforcement where an international agreement is in place. When the United States passed the Act, the British Prime Minster, Theresa May, was the first leader to indicate that the United Kingdom would be willing to establish an agreement with the US on the basis of its Act, which I presume is why we are bringing forward equivalent legislation here.
My briefing on the CLOUD Act is that it clarifies how and when the US and other countries can gain access to data stored in different jurisdictions, allowing bilateral deals with foreign countries on data sharing for law enforcement purposes. The legal clarity which that Act provides, which I presume this Bill will also provide, has been welcomed by tech giants such as Microsoft, Google, Apple and Facebook.
Noble Lords will know that we are part of the Five Eyes group of countries that share intelligence on terrorism issues, along with the United States, Canada, Australia and New Zealand, so it is no surprise that we are looking through the mechanisms of this Bill to establish a reciprocal arrangement with the USA and presumably with the other Five Eyes countries in due course, in addition to other countries as we are able to strike arrangements with them.
It makes sense, rather than relying on mutual legal assistance treaties, to allow law enforcement agencies to apply to the British courts to access data directly from an overseas service provider rather than going through government channels, provided an international agreement is in place with the country concerned. Bearing in mind the vast volume of data handled by service providers based in the United States of America, America will obviously be a priority for the mechanisms in this Bill. I am grateful for the House of Lords briefing on this issue, which outlines the tortuous process of MLAT, which can take up to 10 months to complete, so the need for this Bill is clear.
There are issues of privacy here and therefore of compliance with the GDPR—the general data protection regulation that has recently been introduced—and the UK’s ability to secure a certificate of adequacy from
the European Union if we were to become a third-party country after Brexit. Noble Lords will recall that the EU allows data exchange only with third-party countries whose data regulations and privacy laws are considered by the EU to meet EU standards. If the UK enters a bilateral arrangement with a non-EU country whereby it can apply directly to UK service providers to hand over sensitive personal information, presumably the EU will have to be satisfied that the safeguards in the Bill are sufficient for the EU not to withdraw any adequacy certificate for the UK. Perhaps the Minister can explain.
For example, in Clause 3 “excepted electronic data” goes beyond legal professional privilege to include confidential records such as medical records, evidence from the confessional—“spiritual counselling”—and welfare counselling, but in Clause 3(5) these exceptions do not apply to terrorist investigations. Noble Lords will recall that as a member of the European Union we have carte blanche to make whatever arrangements we want as far as terrorist investigations are concerned, but once we become a third-party country the EU will scrutinise those arrangements and take them into consideration in deciding whether an adequacy certificate should be issued: the devil will be in the detail of the Bill.
The European Commission in April 2018 published its own e-evidence proposals for European production orders, which is the EU version of the CLOUD Act. It sets out when law enforcement officers can request data and what the response times from the tech companies should be. These proposals will apply across all EU countries, whereas the US arrangements, which President Trump is said to prefer, deal only with individual countries—they are bilateral arrangements. How do these proposals fit with the EU e-evidence proposals?
As with all UK law that has extraterritorial effect, there are issues of enforcement. The Minister and her officials were good enough to explain to us that, clearly, if the international service provider has offices in the UK, sanctions could be applied, but it would be more difficult if the overseas company had no assets in the UK. One has to ask whether contempt of court is an effective enforcement process if that overseas service provider has no assets in the UK.
I shall very briefly outline some other areas where we may need to explore further. Clauses 4(5) and 4(6) say that the judge must be satisfied that some or all of the data will be of “substantial value” to the investigation or proceedings and that it is “in the public interest”. The judge will have to weigh the benefit to the proceedings and the circumstances under which the person came into possession or control of the data. This appears to be vague. How high a threshold is this for the applicant investigator to surmount?
In Clause 8, the order may forbid the person against whom it is made to disclose the existence or contents of the order without the permission of the judge or the applicant. This appears to have consequences for open justice.
In Clause 10, is the use of the data as evidence restricted to the offence for which the order is made? What happens if other offences are disclosed? Would a further application be necessary?
Overall, we welcome the Bill, but we will be probing to ensure that the rights of UK citizens are not infringed and that securing an adequacy certificate from the EU if we leave the European Union will not be jeopardised by these proposals.
4.08 pm