The UK’s intelligence services unlawfully collected data about the public’s internet and phone use, a court has found.
The Investigatory Powers Tribunal (IPT) found last week that the intelligence agencies’ use of the Telecommunications Act 1984 to harvest communications data about UK residents from phone and internet companies was in breach of EU law.
The court’s declaration is expected be followed by further legal challenges by Liberty and Privacy International to the UK’s surveillance regime.
The IPT’s ruling is the latest in a long-running legal action brought by the campaign group Privacy International challenging the legality of the intelligence services’ collection of bulk communications data and bulk personal data about UK citizens.
Ilia Siatitsa, programme director for Privacy International, said the IPT’s declaration had set the record straight “over the continuous violation of human rights standards by the UK government for many years”.
She added: “From a democratic society and rule of law perspective, it is very important. It sends a clear message to governments that they should always ensure there is an appropriate legal framework, accountability and transparency when using surveillance capabilities.”
The IPT’s decision applies to the surveillance regime under the Regulation of Investigatory Powers Act 2000 (RIPA) until it was replaced by the Investigatory Powers Act in 2016.
Under the regime, UK intelligence agencies used Section 94 of the Telecommunications Act 1984 to collect data on the public’s phone and internet use, a practice that was kept secret from the public and Parliament until 2015.
The data collected does not include the content of emails and phone calls, but can nevertheless be used to build up a detailed picture of an individual, including their contacts and associates, how often they communicate with particular contacts, the websites they visit, and a record of their movements from phone GPS data.
The court said in a declaration last week that following a judgment by the European Court of Justice (CJEU) in October 2020, it was now clear that Section 94 of the Telecommunications Act 1984 was incompatible with EU law.
The CJEU ruled that collection of communications traffic data from telecoms and internet companies was a “particularly serious” interference in privacy rights.
It overturned claims by the UK that “national security” exemptions can override EU privacy law when harvesting people’s data from communications companies.
According to last week’s IPT judgment, the government accepted that the rules governing the scope and application of Section 94 were not sufficiently clear and precise.
It agreed that, contrary to EU law, the UK had no requirement for a court or an independent administrative body to review directions requiring internet and phone companies to supply their customers’ data to intelligence agencies.
Also in breach of EU law, there was no time limit in the legislation governing how long bulk data collection orders should last or any automatic expiry of the orders.
The IPT said that in finding Section 94 of the Telecommunications Act incompatible with EU law, it had not made any decision on the consequences of its declaration, which would be decided by the court in future hearings.
Judicial review
Meanwhile, the campaigning groups Liberty and Privacy International are preparing further legal challenges.
Privacy International has received permission to bring a judicial review seeking the public release of dissenting opinions from IPT judges which have been deemed too sensitive to disclose to the public or lawyers.
Charles Flint QC and Susan O’Brien QC gave dissenting opinions in an IPT judgment on the legality of the UK’s data-sharing agreements with overseas intelligence agencies and other agencies.
The UK government refused to confirm or deny at the hearing whether the UK intelligence agencies share bulk personal datasets and bulk communications data with overseas intelligence.
However, the UK and US agreed to share intelligence data in a now-declassified agreement known as UKUSA, signed in March 1946.
The document forms the basis of the reciprocal intelligence-sharing principles between the Five Eyes countries – the UK, the US, Canada, Australia and New Zealand.
The agreements have since been updated, while the number of intelligence agencies that share information – with varying degrees of cooperation – has grown from five to more than 40.
The IPT found by a narrow majority of three to two that the UK’s intelligence agencies’ sharing of bulk communications data and bulk personal datasets with overseas intelligence agencies would not be in breach of Article 8 of the European Convention on Human Rights, which protects the right to privacy.
Two of the five judges, Flint and O’Brien, disagreed with the decision during a closed session of the court, but their reasons for disagreement have never been publicly disclosed.
“Considering the three-to-two majority in which this case was decided, we think it is very important that the decision comes to light,” said Privacy International’s Siatitsa.
Bulk powers appeal
Campaigning group Liberty is bringing a further legal challenge to the government’s use of “bulk powers” under the Investigatory Powers Act.
Liberty will argue in the case – which is expected to be heard next year – that bulk powers violate rights to privacy and freedom of expression.
The group also argues that there are insufficient safeguards in the Investigatory Powers Act to protect journalistic sources and legal material.
At issue is the use of bulk hacking, interception of phone calls, email and phone data, the retention by intelligence agencies of large sets of personal data, and requirements for third parties to retain communications data for access by the government.
A court found against Liberty in June 2019, but the campaigning group is appealing the decision following a ruling by the CJEU that mass data collection and retention practices must comply with EU privacy safeguards.
Telecommunications Act 1984
Privacy International first brought proceedings against the Home Secretary, Foreign Secretary, GCHQ, the Security Service (MI5) and the Secret Intelligence Service (MI6) in June 2015 over the legality of the intelligence services’ use of bulk data.
At that point, the intelligence services’ use of Section 94 of the Telecommunications Act 1984 to compel phone and internet companies to share phone call, email and internet data with the intelligence services was a closely guarded secret, kept from both the public and Parliament.
The practice became public when journalist Gordon Corera disclosed the key role of the Telecommunication Act 1984 in intelligence-gathering in his book Intercept: the secret history of computers and spies. Its use was subsequently avowed by the government.
Privacy International argued that UK law failed to provide the safeguards required by the CJEU in its judgment in a case brought by former Labour politician Tom Watson, known as Watson/Tele2.
In 2017, the IPT referred two questions about the legality of the collection of bulk communications data from the intelligence services from mobile network operators to the CJEU.
The Grand Chamber of the CJEU found that the authority of states to require electronic service providers to forward traffic and location data to intelligence agencies for safeguarding national security fell within the scope of the e-privacy directive.
It also found that the UK could not require communication service provides to carry out “general and indiscriminate transmission” of traffic data and location data to security and intelligence agencies for the purpose of safeguarding national security.
The IPT found last week that given that the CJEU’s judgment was made during the transition period of Brexit, it was binding on the tribunal.