GCHQ

Investigatory Powers Tribunal finds UK spy agencies unlawfully collected personal data

Campaign groups Privacy International and Liberty are gearing up to bring further legal action after a court found that UK spy agencies unlawfully collected phone and internet records

The UK’s intelligence services unlawfully collected data about the public’s internet and phone use, a court has found.

The Investigatory Powers Tribunal (IPT) found last week that the intelligence agencies’ use of the Telecommunications Act 1984 to harvest communications data about UK residents from phone and internet companies was in breach of EU law.

The court’s declaration is expected be followed by further legal challenges by Liberty and Privacy International to the UK’s surveillance regime.

The IPT’s ruling is the latest in a long-running legal action brought by the campaign group Privacy International challenging the legality of the intelligence services’ collection of bulk communications data and bulk personal data about UK citizens.

Ilia Siatitsa, programme director for Privacy International, said the IPT’s declaration had set the record straight “over the continuous violation of human rights standards by the UK government for many years”.

She added: “From a democratic society and rule of law perspective, it is very important. It sends a clear message to governments that they should always ensure there is an appropriate legal framework, accountability and transparency when using surveillance capabilities.”

The IPT’s decision applies to the surveillance regime under the Regulation of Investigatory Powers Act 2000 (RIPA) until it was replaced by the Investigatory Powers Act in 2016.

Under the regime, UK intelligence agencies used Section 94 of the Telecommunications Act 1984 to collect data on the public’s phone and internet use, a practice that was kept secret from the public and Parliament until 2015.

The data collected does not include the content of emails and phone calls, but can nevertheless be used to build up a detailed picture of an individual, including their contacts and associates, how often they communicate with particular contacts, the websites they visit, and a record of their movements from phone GPS data.

The court said in a declaration last week that following a judgment by the European Court of Justice (CJEU) in October 2020, it was now clear that Section 94 of the Telecommunications Act 1984 was incompatible with EU law.

The CJEU ruled that collection of communications traffic data from telecoms and internet companies was a “particularly serious” interference in privacy rights.

It overturned claims by the UK that “national security” exemptions can override EU privacy law when harvesting people’s data from communications companies.

According to last week’s IPT judgment, the government accepted that the rules governing the scope and application of Section 94 were not sufficiently clear and precise.

It agreed that, contrary to EU law, the UK had no requirement for a court or an independent administrative body to review directions requiring internet and phone companies to supply their customers’ data to intelligence agencies.

Also in breach of EU law, there was no time limit in the legislation governing how long bulk data collection orders should last or any automatic expiry of the orders.

The IPT said that in finding Section 94 of the Telecommunications Act incompatible with EU law, it had not made any decision on the consequences of its declaration, which would be decided by the court in future hearings.

Judicial review

Meanwhile, the campaigning groups Liberty and Privacy International are preparing further legal challenges.

Privacy International has received permission to bring a judicial review seeking the public release of dissenting opinions from IPT judges which have been deemed too sensitive to disclose to the public or lawyers.

Charles Flint QC and Susan O’Brien QC gave dissenting opinions in an IPT judgment on the legality of the UK’s data-sharing agreements with overseas intelligence agencies and other agencies.

The UK government refused to confirm or deny at the hearing whether the UK intelligence agencies share bulk personal datasets and bulk communications data with overseas intelligence.

Bulk communications data

  • GCHQ and MI5 obtained bulk communications data under Section 94 of the Telecommunications Act 1984. That law has since been superseded by the Investigatory Powers Act 2016.
  • GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception, including, for example, bulk collection from internet cables. GCHQ has been collecting data from telecoms and internet companies since 2001.
  • MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is of significant intelligence and security value. It retains bulk communications data for one year.
  • The existence of bulk communications data collection remained secret until November 2015, when it was avowed by the government with the introduction of the Investigatory Powers Bill. 

However, the UK and US agreed to share intelligence data in a now-declassified agreement known as UKUSA, signed in March 1946.

The document forms the basis of the reciprocal intelligence-sharing principles between the Five Eyes countries – the UK, the US, Canada, Australia and New Zealand.

The agreements have since been updated, while the number of intelligence agencies that share information – with varying degrees of cooperation – has grown from five to more than 40.

The IPT found by a narrow majority of three to two that the UK’s intelligence agencies’ sharing of bulk communications data and bulk personal datasets with overseas intelligence agencies would not be in breach of Article 8 of the European Convention on Human Rights, which protects the right to privacy.

Two of the five judges, Flint and O’Brien, disagreed with the decision during a closed session of the court, but their reasons for disagreement have never been publicly disclosed.

“Considering the three-to-two majority in which this case was decided, we think it is very important that the decision comes to light,” said Privacy International’s Siatitsa.

Bulk powers appeal

Campaigning group Liberty is bringing a further legal challenge to the government’s use of “bulk powers” under the Investigatory Powers Act.

Liberty will argue in the case – which is expected to be heard next year – that bulk powers violate rights to privacy and freedom of expression.

The group also argues that there are insufficient safeguards in the Investigatory Powers Act to protect journalistic sources and legal material.

At issue is the use of bulk hacking, interception of phone calls, email and phone data, the retention by intelligence agencies of large sets of personal data, and requirements for third parties to retain communications data for access by the government.

A court found against Liberty in June 2019, but the campaigning group is appealing the decision following a ruling by the CJEU that mass data collection and retention practices must comply with EU privacy safeguards.

Telecommunications Act 1984

Privacy International first brought proceedings against the Home Secretary, Foreign Secretary, GCHQ, the Security Service (MI5) and the Secret Intelligence Service (MI6) in June 2015 over the legality of the intelligence services’ use of bulk data.

At that point, the intelligence services’ use of Section 94 of the Telecommunications Act 1984 to compel phone and internet companies to share phone call, email and internet data with the intelligence services was a closely guarded secret, kept from both the public and Parliament.

The practice became public when journalist Gordon Corera disclosed the key role of the Telecommunication Act 1984 in intelligence-gathering in his book Intercept: the secret history of computers and spies. Its use was subsequently avowed by the government.

Privacy International argued that UK law failed to provide the safeguards required by the CJEU in its judgment in a case brought by former Labour politician Tom Watson, known as Watson/Tele2.

In 2017, the IPT referred two questions about the legality of the collection of bulk communications data from the intelligence services from mobile network operators to the CJEU.

The Grand Chamber of the CJEU found that the authority of states to require electronic service providers to forward traffic and location data to intelligence agencies for safeguarding national security fell within the scope of the e-privacy directive.

It also found that the UK could not require communication service provides to carry out “general and indiscriminate transmission” of traffic data and location data to security and intelligence agencies for the purpose of safeguarding national security.

The IPT found last week that given that the CJEU’s judgment was made during the transition period of Brexit, it was binding on the tribunal.

Privacy International vs UK

4 November 2015: The government disclosed the use of Section 94 of the Telecommunications Act 1984 by the intelligence services to gather communications data in bulk on the population. The practice, which had been kept secret from Parliament and the public, had initially been disclosed in a book by a BBC journalist published in the same year.

17 October 2016: The Investigatory Powers Tribunal (IPT) found that intelligence agencies had been collecting personal data unlawfully for over a decade, and in the case of GCHQ, nearly two decades.

8 September 2017: The IPT referred questions about the collection of bulk communications data (BCD) by the secret intelligence agencies from telecoms companies to the CJEU. Privacy International claimed that BCD collection was unlawful as it failed to apply safeguards required by the CJEU under the Watson/Tele2 judgment.

15 December 2017: A witness from GCHQ admitted giving inaccurate evidence in a hearing at the IPT, wrongly claiming that the Foreign Secretary, rather than GCHQ, was responsible for deciding what data GCHQ could collect from telecoms and internet companies. The witness subsequently claimed he had not read the file of relevant documents.

23 July 2018: The IPT found that the Foreign Secretary had unlawfully delegated powers to obtain BCD to GCHQ until 14 October 2016. However, it found there were sufficient safeguards for UK intelligence agencies to share BCD and bulk personal data (BPD) gathered in the UK with overseas intelligence agencies, law enforcement agencies and industry partners. It also found that the acquisition of BPD and BCD were proportionate under Article 8 of the European Convention on Human Rights. The IPT noted a witness from GCHQ had given a number of inaccurate statements to the court and that the intelligence agencies had provided inaccurate information to the tribunal on the number of private sector contractors with access to  privileged user accounts to intelligence IT systems.

25 September 2018: MI5 disclosed that it had unlawfully captured and read private communications data belonging to non-governmental organisation Privacy International at a hearing of the IPT. MI6 and GCHQ also unlawfully spied on Privacy International, the IPT found.

15 May 2019: The UK Supreme Court found that the IPT’s decisions were subject to judicial review in the High Court.

October 2020: The CJEU found that the UK and EU member states must comply with EU privacy laws when harvesting people’s sensitive communications data from telecoms and internet companies.

July 2020: The IPT declared that Section 94 of the 1984 Telecommunications Act, which allows bulk collection of data from telecoms and internet companies, was incompatible with EU law.

Read more on IT for government and public sector