The Joint Committee on the Draft Communications Data Bill produced its report yesterday (available here) and it’s a devastating piece of work, writes Paul Bernal. It rips the bill, and process through which it was drafted, to shreds. As tweeter @EinsteinsAttic put it, the committee concludes that the bill is ‘overreaching, poorly drafted, ill-defined, not based on evidence or proper consultation, and misleadingly costed.’ And yet I’m sure I won’t be the only privacy advocate who is a little disappointed by the final result – though I’m probably asking too much! I have not yet been through the piece with a fine-tooth comb, and will write more when I have, but these are my initial thoughts.
- Pic from haakonnilsen.
Fanciful and misleading
One of the best turns of phrase in the report is the description of the some of the cost-benefit analysis provided by the Home Office as ‘fanciful and misleading’ – but it would have been good to see such a comment broadened to cover the entire basis of the ‘case’ made by the Home Office, not just the costs. Instead, there seems to be an assumption that this case, regardless of the lack of evidence and lack of consultation with experts, is a reasonable one. There has not even been ‘private’ evidence given by the Home Office and intelligence services to the committee – though the committee has seen the recommendations of the Intelligence and Security Committee, who have been given evidence by the intelligence services.
The way that any evidence in support of the bill is hidden is something which, though understandable, seems to be wrong. It seems to me that given the seriousness of the infringements on privacy, free speech, free association, free assembly and other human rights, we have the right to know more. A bill like this needs public support – and that means we need to know more.
Having said this, the report is pretty devastating. In privacy terms, it is quite clear:
“[W]e believe that the draft Bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data”
That conclusion is what people like me have been saying from the very start – and it is very good to see that the Committee did take it on board and, ultimately, believed us more than it believed the Home Office, despite sustained attacks, culminating in Theresa May’s suggestions last week that: “Anybody who is against this bill is putting politics before people’s lives.”.
Far too broad
The biggest problem with the bill is Clause One – the very essence of the bill – and the committee recognises that. The clause as drafted effectively allows the Home Office to require any communications provider to gather pretty much whatever data the Home Office asks for – with the one ill-defined exception of ‘content data’. This the committee effectively rejects, suggesting instead a much more restricted set of powers – limiting the types of data that can be gathered to ‘those categories of data for which a case can now be made’.
In the opinion of people like me, this would actually mean reducing the amount of data gathered from what is currently gathered, though one suspects that the final result will be something rather different. Even so, this is a very welcome suggestion. The report also recommends, crucially, that expansions into new areas and new data types would require proper parliamentary oversight, either through primary legislation or a ‘super-affirmative procedure which would guarantee fuller Parliamentary consideration than a standard affirmative order’. This would at least provide some protection from function creep – not enough, in my view, but a great deal better than the current plan.
There is some additional protection suggested – the committee recommends that the bill ‘should provide for wilful or reckless misuse of communications data to be a specific offence punishable in appropriate cases by imprisonment.’ As a deterrent this might also help – but it remains to be seen how effective it might be – and whether it would actually be used if it was included in the bill.
Where data exists it is vulnerable
What is missing, at least from my first review, is a recognition that the warranting process should – or at the very least could – take place before the gathering of data, rather than before the filtering of data. It means that, sadly, the committee is still suggesting that all of us could be snooped on all the time, and that data (though less limited data than that originally suggested) could be gathered and held about all of us. There is a small amount of attention paid to the vulnerability of this data – and a recognition that the current bill doesn’t pay sufficient attention to the security of data, or how much ensuring that security would cost – but it seems to me that it doesn’t pay enough attention to this issue. It is a fundamental: where data exists, it is vulnerable. That point means that even a new, amended bill on the basis of this report would still create new risks, new vulnerabilities…
The report makes admirable suggestions about limiting who can access the data gathered, requiring first of all that they be specified in the Bill itself, and secondly that the number of public bodies getting access be reduced:
‘Any public authorities which make a convincing business case for having access to communications data should, like the six we have specified in paragraphs 128 and 129, be listed on the face of the Bill. We expect this to be a greatly reduced number when compared to the authorities currently listed in the Regulation of Investigatory Powers (Communications Data) Order 2010.’
This does deal with one of the key issues with RIPA – and, in practice, could well reduce the level of abuse. I hope so.
The report also attacks the breadth of the reasons suggested as to why data might be accessed – but pulls its punches a little. Effectively it says that the scope is too broad, but doesn’t say how to narrow it:
‘We are concerned that the long list of permitted purposes for which communications data can be requested adds to public disquiet about the breadth of the Bill. While we do not make specific recommendations about how this list could be shortened, we recommend that the Government should consult on whether all the permitted purposes are really necessary.’
I would have hoped for something a lot clearer – and that when the Government consults about this, they consult properly…. something which they conspicuously failed to do in the run up to the drafting of the bill in the first place.
A proper consultation…
This is the area in which the report is the strongest, from my perspective. It makes it very clear that the Home Office ‘consultation’ was feeble at best. As the report suggests:
‘Before re-drafted legislation is introduced there should be a new round of consultation with technical experts, industry, law enforcement bodies, public authorities and civil liberties groups. This consultation should be on the basis of the narrower, more clearly defined set of proposals on definitions, narrower clause 1 powers and stronger safeguards which are recommended in this report.’
That’s what we really need. A proper consultation. Where the experts are given the opportunity to make their views heard. Overall, I’d say the committee did a good job in the circumstances – but those circumstances were far from ideal. The consultation period (for written evidence) was short, over a summer, when many people have little time to contribute – and it was a consultation ‘after the fact’, with the bill already drafted. We needed – and deserved – much more time. The committee says so, and says so loud and clear.
Will the Home Office listen?
That’s the big question – and one that many of us observing have been wondering for a while. This report is pretty devastating, at least in the detail – and the Home Office should get the message pretty clearly. There’s a lot that I haven’t covered in this post – the fanciful and misleading cost-benefit analysis, for example, and the technical details – but the overall conclusion is pretty clear. What they’ve done has simply not been good enough – and they need to go back and think again.
Number 10 seems to be saying now that they will ‘accept’ the criticism (see here, for example) but how much they will ‘accept’ remains to be seen. I hope they listen – but if they don’t, or just pay ‘lip service’ to the issue, they need to know that they have a fight on their hands. This report gives us a pretty good weapon to use in that fight.
And what of the Labour Party?
The final part of the equation is the Labour Party. The Liberal Democrats have come out firmly against the bill, which is important, and my own MP, Julian Huppert, in particular, needs to be given a lot of credit for that – but if the Labour Party fails to oppose it, that may not be enough. I’m looking forward to hearing what they have to say. I have heard noises that Yvette Cooper is going to make what I would think of as the right call, and a report in the Guardian suggests that she will, and this good piece by Nick Brown in the Independent gives me hope that the Labour Party is finally finding its way on this issue. Let us hope so! It would be good to have some kind of all-party consensus on this issue. Privacy, in general, is not a party political issue – there are groups within all parties that support it, and groups within all parties that see it as something that is of little importance in relation to security and other related issues. One of the things that has been most interesting about the struggle against the Communications Data Bill has been the way it has drawn together allies from all parts of the political spectrum. In the end, that has to be a good thing.
Start all over again
My overall view is clear – this bill doesn’t just need a few tweaks, it needs abandoning entirely. Nick Clegg has suggested going back to the drawing board – I agree. We should start from a totally different premise – we should be cutting down on internet surveillance rather than expanding it, and working towards the repeal of the Data Retention Directive and its implementation in the UK. The issues discussed in this damning report are equally applicable to existing law, which already compromises privacy in an excessive manner. Let’s start again – and put people’s privacy first.