The Joint Committee, made up of both MPs and Peers, said that the draft Communications Data Bill should be amended in order to better regulate the way 'communications data' could be used by the police, intelligence services and other bodies. It said that the way the Bill is currently drafted would see individuals' privacy disproportionately impinged on and that the Government may also have underestimated the cost burdens that would be imposed by its proposals.
"Our overall conclusion is that there is a case for legislation which will provide the law enforcement authorities with some further access to communications data, but that the current draft Bill is too sweeping, and goes further than it need or should," the Committee said in a report on the Government's proposals.
"We believe that, with the benefit of fuller consultation with CSPs (communications service providers) than has so far taken place, the Government will be able to devise a more proportionate measure than the present draft Bill, which would achieve most of what they really need, would encroach less upon privacy, would be more acceptable to the CSPs, and would cost the taxpayer less," it said.
In June the Home Office published the draft Communications Data Bill in a bid to close a gap it said exists in the current framework through which law enforcement bodies can monitor communications.
Under the Bill the Home Secretary could issue an order forcing any business that transmits "communications by any means involving the use of electrical or electro-magnetic energy" to store communications data in the form of "traffic data, use data or subscriber data" relevant to communications sent over their networks, such as by email or the internet, generally for up to a year. The data does not include the content of those communications.
Business caught by the proposed legislation must disclose information "without undue delay" to law enforcement bodies and other listed public authorities that ask for it. Those bodies can only request the information if it is to be used for a "permitted purpose" and if "designated senior officers" at those bodies believe it is "necessary to obtain the data" and that the action is "proportionate to what is sought to be achieved."
The 'permitted purposes' include where it is in the interests of national security, where the purpose is for the prevention or detection of crime, to prevent disorder and where it is in the interests of the economic well-being of the United Kingdom or in the interests of public safety, among others.
The Bill contains a number of "safeguards", including requirements that collected communications data is deleted after a year in storage.
The Government has said that 25% of communications cannot be accessed due to limits in existing powers, but the Joint Committee said that it was "of the strong view" that the quoted figure was "unhelpful and potentially misleading", since it was not clear how it had been calculated.
In its report the Committee said that the draft Bill should be revised to prevent the Home Secretary from being able to order CSPs to store additional forms of data in the future without first gaining Parliamentary approval to those plans.
"Clause 1 would give the Secretary of State sweeping powers to issue secret notices to communications service providers (CSPs) requiring them to retain and disclose potentially limitless categories of data," the Committee said. "We have been told that she has no intention of using the powers in this way. Our main recommendation is therefore that her powers should be limited to those categories of data for which a case can now be made. If in future a case can be made for the power to be increased, this should not be done without effective Parliamentary scrutiny."
In a statement chairman of the Joint Committee, Lord Blencathra, said that the Government should be restrained from "its zeal to future-proof legislation".
"We can see only three types of data that are not currently being collected which we know could aid the work of law enforcement and other agencies: data matching IP addresses to specific users, data showing which internet services a user has accessed and data from overseas communications providers providing services in the UK," he said. "A new Bill should also be drafted in such a way as to give Parliament the opportunity to vote on issues such as whether CSPs should have to collect subscriber data relating to IP addresses and data showing which internet services a user has accessed."
The Committee said that the Government should also work with the Information Commissioner in order to better understand how the watchdog can provide safeguards to the proposed regime. It said all 'Clause 1' notices should be reviewed by the Information Commissioner before being issued.
Information Commissioner Christopher Graham said that he was pleased that the Committee had recognised his concerns "around the adequacy of the proposed safeguards that the ICO would be responsible for regulating" and on the resources his office would need to ensure the security of personal data and its timely destruction.
"The problems are not insurmountable, and we stand ready to work with the Government to discuss how the safeguards can be revised, and how the necessary powers and resources can be provided to make sure that those safeguards are effective in practice," Graham said.
The Committee also said that "statutory force" should be give to the Home Office's "commitment" not to require UK-based CSPs to store "third party data traversing their networks" unless the "original data holder" based overseas has refused to do so and "all other avenues have been exhausted".
The Committee said that the Home Secretary should be allowed to transfer her power to use a new 'request filter' to find information contained in "fragmented communications data" to the soon-to-formed National Crime Agency, but not to other bodies. However, it said that "new safeguards should be introduced" to prevent the search capability from being used for "fishing expeditions," it said.
The Committee also said that the definition of 'communications data' should be able to "stand the test of time" but that current proposed definitions were out of date. The Government should consult on changes, it said.
"The definitions of use, subscriber and traffic data are particularly problematic," the Committee said. "Subscriber data should not be a catch-all for data that does not meet the other definitions. Currently the definition of subscriber data could be read to cover all sorts of data that social networks and other services keep on their customers which can be highly personal and is not traditionally thought of as communications data. A new definition of subscriber data is needed that simply covers the basic subscriber checks that are the most commonly used."
"How to define subscriber data should be a key element of the consultation, but the evidence we have received leads us to suggest that the definition should include checks on the name, date of birth, addresses and other contact information held on the subscriber to a communication service; for each service the customer's unique ID (e.g. mobile number, e-mail address or username); the activation, suspension and termination dates of an account and payment and billing information," it said.
The Committee also said that categories of data should be ranked in terms of how privacy intrusive they are, and that it should be made "clear" that the content of communications "cannot be requested under the provisions of this legislation".
The Committee also said that a new offence of wilful or reckless misuse of communications data should be made a "specific offence punishable in appropriate cases by imprisonment".
Deputy Prime Minister Nick Clegg has said that the Committee's report showed that there needs to be a "fundamental rethink" about the Bill, according to a report by the BBC. However, the Home Office said that whilst it accepts the "substance" of the Committee's recommendations, there could be "no delay" to the Bill being enacted.