GCHQ bulk interception programme breached privacy rights, Strasbourg court rules

GCHQ’s bulk interception of communications data, including data about telephone calls and emails, unlawfully breached the privacy rights of UK citizens, the European Court of Human Rights ruled today.

The court found that the UK’s regime of intercepting bulk communications data and obtaining data from phone and internet companies breached citizens’ rights to privacy.

The decision follows an eight-year legal battle by 11 non-governmental organisations (NGOs) including Liberty, Privacy International and Amnesty.

They brought the case in the wake of revelations about the UK’s involvement in mass surveillance following leaks by former US National Security Agency (NSA) contractor Edward Snowden in 2013.

Judges found the UK’s bulk interception programme did not contain adequate protections for confidential journalistic material, including journalists’ confidential sources.

However, they rejected claims that the UK lacked sufficient safeguards to prevent abuse when Britain’s spy agencies requested intelligence from overseas intelligence agencies, such as the NSA.

Megan Goulding, a lawyer at Liberty, said the court’s findings showed that the UK’s bulk interception powers had breached the public’s right to privacy and freedom of expression for decades.

“Our right to privacy protects all of us. Today’s decision takes us another step closer to scrapping these dangerous, oppressive surveillance powers, and ensuring our rights are protected,” she said.

The court ruling applies to the surveillance regime of the Investigatory Powers Act 2000, which has since been replaced by the Investigatory Powers Act 2016, also known as the snoopers’ charter.

Goulding said the court’s decision would clear the way for a further legal challenge against surveillance powers under current surveillance laws, with a case expected to be heard in the Court of Appeal later this year. 

Bulk interception regime lacked safeguards

The court found, in a 200-page judgment, that because of the proliferation of threats faced by the UK countries, the decision of the UK to operate a bulk interception regime did not, in itself, violate privacy rights.

However, it found the UK’s bulk interception regime had shortcomings which meant it was incapable of limiting the “interference” with citizens’ rights to a private life to that “necessary in a democratic society”.

Surveillance had to be subject to end-to-end safeguards, including an assessment at each stage of the necessity and proportionality of the measures taken, and to supervision and independent review.

It found that UK intelligence services had failed to include in warrant applications search terms defining the kinds of communications that would be liable for examination after interception, and the search terms linked to an individual had not been subject to prior internal authorisation.

The court found that bulk interception had been wrongly authorised by the secretary of state, rather than an independent body.

Judges said that the Interception of Communications Commissioner (since replaced by the Investigatory Powers Commissioner’s Office) had provided “valuable oversight” and the Investigatory Powers Tribunal provided a robust judicial remedy for people who alleged their communications had been wrongly interfered with.

But the safeguards did not go far enough to offset the shortcomings of the bulk surveillance regime.

Greater protection for journalists’ sources

The judges found that the regime allowing the UK intelligence services and government agencies to access records held by phone and internet companies was incompatible with Article 8 of the European Convention on Human Rights, which guarantees a right to privacy.

The operation of the regime was not “in accordance with the law”, they said.

The decision paves the way for greater protection for journalist sources by requiring independent prior approval before journalists’ communications are intercepted.

Judges said they were concerned that the UK surveillance law did not require that the use of search terms known to be connected to a journalist should be authorised by a judge or an independent decision-making body.

There were no safeguards to ensure that confidential journalist material obtained incidentally through bulk collection would only be stored and examined if subject to independent approval.

Receiving data from overseas intelligence agencies

The judges found that the UK had sufficient safeguards in place to prevent abuse when UK intelligence agencies requested intercept material from foreign intelligence agencies.

It found there were sufficient safeguards in place to protect how the material should be examined, used and stored.

There was adequate supervision from the Interception of Communications Commissioner and the Investigatory Powers Tribunal, the court found.

And the UK had not used requests to foreign governments as a means of circumventing its duties under domestic law and the European Convention on Human Rights.

First case to address UK mass surveillance

The case is the first time the court in Strasbourg has been asked to rule whether surveillance undertaken on a mass scale by the UK and other governments is lawful.

The court also addressed what minimum safeguards were needed to ensure the privacy of individuals – the majority of whom are of no intelligence value – caught up in electronic surveillance.

The campaigning groups challenged the UK’s right to intercept in bulk and store the contents of any communication that passes through the UK on telecommunications networks and subsea cables, including emails and web browsing records.

The groups, which include the Bureau of Investigative Journalism, argued that the government was likely to have spied on their communications, violating their rights to privacy and freedom of expression, and jeopardising journalistic confidential sources and whistleblowers.

Today’s ruling follows a landmark decision by the European Court of Human Rights in September 2018, which found that GCHQ’s use of mass surveillance of online communications data breached privacy laws and lacked sufficient oversight and safeguards.

The Strasbourg court then acknowledged that interception of data related to people’s communications – including times and destinations of emails and phone calls, web pages visited and mobile phone location – posed as serious a risk to individuals’ privacy as the interception of phone calls, emails and text messages.

Snowden revelations

Today’s case centres around surveillance programmes exposed by the former NSA contractor Edward Snowden.

They include Tempora, a UK government programme that allows GCHQ to store internet traffic entering the UK through fibre-optic cables for “retrospective analysis”.

GCHQ also has access to communications data collected by the US government through a series of programmes called Upstream, which collects vast amounts of data from taps on internet cables passing through the US.

Another programme, Prism, run by the NSA and also accessible to GCHQ, collects emails, chats, videos, images and communications data from at least nine large US technology companies, including Microsoft, Apple, Yahoo!, Google, Facebook, Skype and YouTube.

The UK’s most secret court, the Investigatory Powers Tribunal (IPT), revealed in a ruling in June 2015 that GCHQ had unlawfully spied on Amnesty International and South Africa’s Legal Resources Centre.

Intrusive powers

Jim Killock, executive director of the Open Rights Group, which is one of the organisations challenging the UK’s activities before the European Court of Human Rights, said: “The court has recognised that bulk interception is an especially intrusive power, and that ‘end-to-end safeguards’ are needed to ensure abuse does not occur.”

He said the Open Rights Group was far from confident that the current bulk interception regime had sufficient safeguards. “This judgment is an important step on a long journey,” he said.  

Ilia Siatitsa, acting legal director at Privacy International, said: “Today, the court reiterated that intelligence agencies cannot act on their own, in secret and in the absence of authorisation and supervision by independent authorities.”

She said the court had recognised, for the first time, that bulk interception consisted of a series of processes that required different levels of privacy protection.

“The court has established a sliding scale of interference to privacy. It has recognised that not all parts of the bulk interception have the same degree of interference. We cannot treat it as one and the same, and different steps need stronger protection,” she said.

The case was brought by Privacy International, ACLU, Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre and Liberty. Other parties were Big Brother Watch, the Open Rights Group, English PEN, Constanze Kurz, The Bureau of Investigative Journalism and Alice Ross.

