Any law allowing the interception of digital communications should be reviewed regularly, according to UK information commissioner Christopher Graham.
“We have to constantly make the case for the necessity and proportionality of anything that invades our privacy,” he told the Joint Committee on the draft Investigatory Powers Bill inquiry.
The draft legislation aims to provide a framework for the use of investigatory powers by law enforcement and security and intelligence agencies, as well as other public authorities.
It includes provisions for the interception of communications, the retention and acquisition of communications data, the use of equipment interference and the acquisition of bulk data for analysis.
The Joint Committee was appointed to consider the draft Investigatory Powers Bill, published on 4 November 2015, and will report in February 2016.
The information commissioner said that if the draft bill is passed, parliament should conduct a regular review to ensure the information that is being retained and exploited is actually being used properly and that its use is proportionate, necessary and helpful.
“I think it would be sensible and wise for parliament to review from time to time how it is working in practice, what use is being made of this great mass of data that will be required to be retained by communications service providers [CSPs],” he said.
Graham suggested that this should be done annually, in the same way that parliament has previously reviewed the Prevention of Terrorism Act.
“If we are saying to CSPs that they have to retain everything for a year and then, under a system of warrants, we reserve the right to look at it – you are building up a risk around data security and privacy, so parliament has got to be pretty sure that it remains justified, that the arrangements remain secure. One way of doing that is to have a rolling sunset arrangement,” he said.
Graham said it was difficult to judge whether the proposed bill gets the balance right between security and privacy because there is no real evidence of how retained data will be used.
“We have always got to be clear that the rules under which information is accessed have integrity and are being followed – but the fact that the state and commercial entities can have access physically to this material is obvious,” he said. “The question is, under what regime should they be allowed access in a good cause?”
According to Graham, there is no real justification in the bill or the supporting documents for requiring the data to be retained for 12 months.
Even if there were some cases where information that was 12 months old was useful, Graham said he would not easily be persuaded that this justified the retention of everyone’s data for 12 months “just in case”.
The commissioner warned that the proposed bill introduced a “huge risk” by requiring vast quantities of data to be retained that otherwise would not be retained.
“When you require CSPs to retain a massive collection of data for a year, it creates a risk,” he said. “It is there. People may do stupid things with it. The committee should not concentrate simply on whether or not use by the forces of law and order is appropriate and appropriately warranted; it is also just a whole pile of stuff that can get lost, inappropriately accessed from a criminal point of view, and so on.
“And because that risk is created by the legislation, you have got to have some very powerful safeguards to make sure the legislation is reviewed regularly, that it is being used for what it is meant to be used for, and that it is having the effect that it was intended to have.”
Graham told the committee that the proposed bill should ensure that the Interceptions of Communications Commissioner’s Office is properly funded and resourced.
He also asked for his office’s powers to conduct mandatory audits of public and health sector organisations to be extended to CSPs to enable the Information Commissioner’s Office to conduct audits without delay.
After hearing from the information commissioner, the Joint Committee heard testimony from Jesper Lund, chairman of the IT-Political Association of Denmark; William Binney, former technical director of the US National Security Agency; and James Bruce Robertson, New Zealand commissioner of security warrants.