The Investigatory Powers Tribunal has ruled that UK intelligence and law enforcement bodies have been unlawfully collecting intelligence for over a decade.
The Tribunal, which is the only one permitted to oversee the work of MI5, MI6 and GCHQ, delivered its judgement on October 17. The judgement stated that intelligence services collected personal data in bulk for over ten years, including large datasets of personal financial data, in breach of the European Convention on Human Rights (ECHR).
Privacy International called this ruling “one of the most significant indictments of the secret use of the Government's mass surveillance powers since Edward Snowden first began exposing the extent of US and UK spying in 2013.”
The case began when Privacy International brought a claim against the Home Secretary and Foreign Secretary as well as the security and secret intelligence services in June 2015. The claim coveredBulk Personal Data sets (BPDs), which were publicly acknowledged to be retained in evidence given to Parliament's Intelligence Security Committee in March the same year.
The ruling states that the intelligence services collected large data sets on individuals as well as intercepting in bulk, communications made over the phone and online.
Also revealed is the fact that the intelligence services collected large sets of financial data, data on “individuals of no intelligence interest,” and had to warn employees not to use the BPDs to snoop on colleagues, friends and family.
The judgment stated that “Interception, even bulk interception, by warrant was sufficiently known about, but this is a long way from Bulk Communications Data (BCD) or BPD”, which involved the bulk collection of any and all information that could be acquired. The collection ofBPD) as well asBCD) was not known to the public or Parliament in the same way.
Consequently there was no adequate oversight, concluded the tribunal, with “no Codes of Practice relating to either BCD or BPD or anything approximating to them."
The judgement concluded that both the BCD and BPD regimes employed by the intelligence services, violated the ECHR. Specifically, Article 8 of the ECHR, which ensures “the right to respect for his private and family life, his home and his correspondence.”
This changed when the existence of such regimes were admitted to Parliament. The BPD regime became lawful in March 2015 in Parliament's Intelligence Security Committee and the BCD regime became lawful in November of that year. By then BPDs had been unlawfully employed for 2006 and BCD collection since 1998.
Too little, too late said Millie Graham Wood, legal officer at Privacy International in a statement: “It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone's data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed."
The charity added that though the ruling is significant, there is still no requirement for judicial or independent authorisation. Furthermore, the large datasets can still be shared with a variety of illegitimate, unelected and foreign bodies.
A government spokesperson said in a statement to SC, "the powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the Tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.”
The ruling comes just as the passage of the controversial Investigatory Powers Bill, also known as the Snoopers Charter, comes over the horizon. The bill would formalise the kinds of interceptions, albeit with a warrant, that were deemed unlawful by the tribunal.
Rafael Laguna, CEO of Open-Xchange told SCMagazineUK.com that “this illegally obtained, used and stored data should be deleted immediately for the sake of privacy, legality and security. Without democratic scrutiny and authorisation from Parliament and the judiciary, these bulk data collection powers are the tools of a dictatorship. There's no telling how or why government staff accessed these databases. Unfortunately, much the same applies to the upcoming IP Bill which shows equal disregard for democratic oversight.”The ruling will be subject to another hearing in December.