GCHQ

GCHQ mass surveillance regime was in breach of human rights law, European court rules

The European Court of Human Rights in Strasbourg has ruled that the UK’s bulk interception of communications data lacked adequate oversight and safeguards and was in breach of human rights law.

GCHQ’s use of mass surveillance of online communications data breached privacy laws and lacked sufficient oversight and safeguards, the European Court of Human Rights ruled.

In a landmark decision, the court found that the UK’s mass surveillance programmes did not “meet the quality of law” and were not capable of limiting “interference” to that “necessary in a democratic society”.

The court, however, ruled in favour of the government that the UK’s sharing of intercepted material with overseas intelligence agencies, including the US National Security Agency (NSA), was legal under European law, and found no evidence of abuse.

The case – the first significant challenge to the UK’s bulk surveillance regime since the Snowden leaks – follows a five-year legal battle by 11 human rights groups, including Liberty, Amnesty and Privacy International.

Caroline Wilson Palow, general counsel at Privacy International, said: “Today’s judgment rightly criticises the UK’s bulk interception regime for giving far too much leeway to the intelligence agencies to choose who to spy on and when. It confirms that just because it is technically feasible to intercept all our personal communications, it does not mean it is lawful to do so.”

The ruling acknowledges for the first time in the Strasbourg court that the interception of data related to people’s communications – including times and destinations of emails and phone calls, web pages visited and mobile phone location – poses as serious a risk to individuals’ privacy as the interception of phone calls, emails and texts.

The decision is likely to have implications for the Investigatory Powers Act 2016, also known as the snoopers’ charter, which has yet to come fully into force and will introduce significant changes to the UK’s bulk interception regime.

Bulk interception

The court looked at three types of surveillance: bulk interception of communications; intelligence sharing; and obtaining communications data from communications service providers.

It ruled by five votes to two that the UK’s bulk interception regime violated Article 8 of the European Convention on Human Rights, which protects private and family life.

It also held by six votes to one that the methods used by UK government bodies to obtain private data from telephone and internet service providers violated Article 8.

There was insufficient oversight both of the selection of internet bearers – which carry internet traffic – for interception and filtering, and the search and selection of intercepted communications for examination, it said.

And there were no real safeguards to select related communications data for examination, even though this data could reveal a great deal about people’s habits and contacts, the court ruled in a 200-page judgment.

“The court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse. Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications,” it said.

The court said it was not persuaded by the government’s arguments that acquisition of communications data was less intrusive than the acquisition of the content of communications.

Bulk surveillance could reveal patterns that paint an intimate picture of a person by mapping their social networks, location, internet browsing and the people they have been interacting with, the judges found.

Although the court said it had no doubt that communications data was an essential tool for the intelligence services in the fight against terrorism and serious crime, it said it did not consider that the “authorities have struck a fair balance” by “exempting it entirely from the safeguards applicable to the searching and examination of content”.

Journalistic confidentiality

The court also raised concerns that there were insufficient safeguards to protect journalistic sources or confidential journalistic information.

The judges said they were particularly concerned about the absence of any published safeguards to protect confidential journalistic material from being selected intentionally, or incidentally, for examination – an omission which had a “potential chilling effect”.

The government has introduced safeguards for cases where government agencies specifically seek to identify journalists’ sources by requesting data from telephone and internet service providers.

But the court ruled that the safeguards did not apply in every case when the government sought to access communications data from journalists, or when communications data from journalists was intercepted incidentally.

Snowden revelations

The case began in 2013, following revelations by Edward Snowden that GCHQ was secretly intercepting, processing and storing data from millions of people’s private communications, even when they were of no intelligence interest.

The mass spying programmes included Tempora, which intercepts data from communications cables, Karma Police, which keeps records of the web browsing activities of every user on the internet, and Black Hole, a huge database containing internet histories, records of email, social media, search engine queries and instant messaging communications. 

The Investigatory Powers Tribunal (IPT), the UK’s most secret court, ruled in 2014 that bulk interception and intelligence sharing with foreign governments were in principle compliant with the UK’s human rights obligations.

The IPT found, however, that the UK intelligence agencies had unlawfully spied on the communications of Amnesty International and South Africa’s Legal Resources Centre.

The European Court of Human Rights heard a challenge from 11 human rights organisations and individuals on 7 November 2017.

‘Major victory’

Speaking after today’s verdict, Megan Goulding, lawyer for Liberty, said the decision was a “major victory for the rights and freedom of people in the UK”.

“Police and intelligence agencies need covert surveillance powers to tackle the threats we face today – but the court has ruled that those threats do not justify spying on every citizen without adequate protections,” she said.

Lucy Claridge, strategic litigation director of Amnesty International, said the judgment sent a strong message to the UK government that its use of extensive surveillance powers is abusive.

“This is particularly important because of the threat that government surveillance poses to those who work in human rights and investigative journalism, people who often risk their own lives to speak out,” she said.

But she said the judgment did not go far enough in condemning bulk surveillance, and gave a green light to vast intelligence sharing between GCHQ and the NSA.

Silkie Carlo, director of Big Brother Watch, said: “Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any western state, corroding democracy itself and the right of the British public.

“This judgment is a vital step towards protecting millions of law-abiding citizens from unjustifiable intrusion,” she said. “However, since the new Investigatory Powers Act arguably poses an even greater threat to civil liberties, our work is far from over.”

The case was brought by Privacy International, ACLU, Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre and Liberty. Other parties were Big Brother Watch, Open Rights Group, English PEN, Constanze Kurz, The Bureau of Investigative Journalism and Alice Ross.
