From Privacy International, this press release of special note:
Key points
- Bulk Communications Data (BCD) collection, commenced in March 1998, unlawful until November 2015
- Bulk Personal Datasets regime (BPD), commenced c.2006, unlawful until March 2015
- Everyone’s communications data collected unlawfully, in secret and without adequate safeguards until November 2015
- We maintain that even post 2015, bulk surveillance powers are not lawful
- As the Investigatory Powers Bill is set to become law within weeks, we argue that the authorisation and oversight regime that was left wanting pre 2015 remains deeply inadequate.
- Judgment will be here shortly: http://www.ipt-uk.com/judgments.asp
In a highly significant judgment released today, The Investigatory Powers Tribunal has found that the UK’s intelligence agencies were secretly and illegally collecting bulk data on people in the UK without adequate safeguards or supervision for over a decade. This is one of the most significant indictments of the secret use of the Government’s mass surveillance powers since Edward Snowden first began exposing the extent of US and UK spying in 2013.
The Tribunal, which is tasked with hearing complaints against the security and intelligence services, concluded that the two regimes, which permitted the collection of vast amounts of communications data (Bulk Communications Data) and large datasets with personal information (Bulk Personal Datasets), were unlawful for over a decade.
The case exposed inadequate safeguards against abuse, including warnings to staff not to use the databases created to house these vast collections of data to search for and/or access information ‘about other members of staff, neighbours, friends, acquaintances, family members and public figures’. Internal oversight failed, with highly sensitive databases treated like Facebook to check on birthdays, and very worryingly on family members for ‘personal reasons’.
The Tribunal ruled that “we are not satisfied that … there can be said to have been an adequate oversight of the BCD system, until after July 2015” with “no Codes of Practice relating to either BCD or BPD or anything approximating to them.” There was no statutory oversight of BPD prior to March 2015 and there has never been any statutory oversight of BCD.
Noting the highly secretive nature of the illegal BCD regime, the Tribunal ruled “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament”.
The judgment does not specify whether the illegally obtained, sensitive personal data will be deleted.
Despite the Tribunal finding the regimes to be lawful after their respective “avowals” in 2015, Privacy International argues that they remain inadequate. There is no requirement for judicial or independent authorisation. Supervision by a member of the executive (i.e. a Government Minister) does not provide the necessary guarantees that surveillance operations that could impact on millions of people are necessary and proportionate. There is no procedure for notifying victims of any use or misuse of bulk communication data so they can seek an appropriate remedy. Entire databases of BCD and BPDs can be shared with foreign partners, ‘industry partners’ and other Government agencies. And the Tribunal has not assessed the necessity and proportionality of gathering such intrusive data about UK residents in bulk.
Mark Scott of Bhatt Murphy Solicitors, instructed by Privacy International in the legal challenge, said:
“This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”
Millie Graham Wood, Legal Officer at Privacy International said:
“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale. There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”