Government agrees bulk surveillance powers fail to protect journalists and sources

Campaign group Liberty to launch legal appeal that will call for journalists to receive stronger legal protections from state surveillance

The government has agreed that the UK’s mass surveillance laws do not provide adequate protection to confidential journalistic material and sources.

It conceded the Investigatory Powers Act 2016, widely known as the Snoopers’ Charter, fails to provide adequate safeguards to protect confidential journalistic material from surveillance by intelligence services.

The admission was revealed in a High Court decision last week, giving the campaign group Liberty permission to bring an appeal to challenge the lawfulness of the UK’s “bulk surveillance powers”.

Liberty argues that the UK’s bulk surveillance regime allows intelligence agencies to “scoop up private communications and internet data of swaths of the [British] population” without adequate legal safeguards.

The Security Service MI5 and GCHQ can also hack into the public’s computers, phones and tablets to create “vast personal datasets” of information on the population, with no cause for suspicion, it says.

The High Court, in a decision on 8 April 2022, gave Liberty permission to appeal a 2019 court decision in the light of a landmark ruling by the European Court of Human Rights (ECHR).

The ECHR found in May 2021 that GCHQ’s bulk interception programme breached the privacy rights of UK citizens and provided inadequate protection for journalists and confidential journalistic material.

The government has also acknowledged that there are inadequate safeguards to protect the privacy rights of individuals when intercepted data is searched in a way that can identify people.

Katy Watts, a lawyer at Liberty, said: “We should have control over our personal information, and we should have a government that respects our right to privacy and our freedom of expression. But the government has admitted it is failing these basic requirements.”

Bulk communications data, which includes details of an individual’s phone and email contacts, websites visited and their mobile phone location, can be used to build highly detailed profiles of people. This could include their personal relations, contact with doctors or therapists, their physical movements and location, participation in protests and political views.

In an eight-page decision on 8 April 2022, the High Court gave Liberty permission to appeal a 2019 court ruling which refused the non-governmental organisation (NGO) access to a judicial review to seek a declaration of incompatibility between the Investigatory Powers Act and the Human Rights Act.

Liberty, the Home Department, and the Foreign and Commonwealth Office agreed to delay the appeal application, which was finally heard last week, until after the European Court of Human Rights gave a judgment in the case of Big Brother Watch vs UK and further legal arguments were held in the Investigatory Powers Tribunal.

Liberty will appeal on five grounds (see box below). It will argue that there are a lack of adequate safeguards for journalists and sources and lawyer client communications in the UK’s surveillance regime.

The appeal will also raise questions over the lawfulness of bulk personal datasets – population-sized databases containing financial information, travel records, and other highly personal data about UK citizens.

Liberty will also argue that there is a lack of safeguards to protect personal data the UK shares with overseas intelligence agencies.

Protection for journalists and sources

The government has accepted that the Investigatory Powers Act does not provide journalists with the protection required by Article 10 of the European Convention on Human Rights.

Liberty says the existing definitions of “journalistic material” and “confidential journalistic material” in the UK’s surveillance regime do not go far enough to protect the privacy rights of journalists and confidential sources.

It argues that a judge or an independent regulator should give prior approval to intelligence services before they conduct searches of intercepted communications data that are likely to find confidential journalistic material or identify journalists’ sources.

Read more about Liberty’s court battles over surveillance

Prior approval from an independent regulator should also be given for search terms that are known to be connected to journalists or news organisations. Searches of journalistic material should only be carried out when “justified by an overriding requirement in the public interest” and should only be used if less intrusive methods are not available.

Liberty argues that there should be no exclusion for journalistic protection for material “created…with the intention of furthering a criminal purpose”, a phrase that could include government documents leaked to a journalist.

Under current rules, a leaked document disclosing misconduct by a senior government official would not benefit from journalistic confidentiality, according to the campaign group.

Lawyer-client privilege

Liberty will also argue that the privacy protections given to journalists and confidential sources should also extend to lawyers and their clients.

Ben Jaffey QC, writing in legal submissions for Liberty, stated: “Lawyers’ clients expect, and depend upon, communications with their lawyer being confidential (just as journalists’ sources do for their communications with journalists).

“The important role lawyers play in enabling clients to defend and exercise their rights would be frustrated if their communications were not adequately protected.” 

The campaign group says the law should require independent authorisation before the intelligence services examine legally privileged material, and that access by the intelligence services to legally privileged material should only be justified by an “overriding requirement in the public interest”.

Blurring lines between communications and content

The Regulation of Investigatory Powers Act 2000 made a distinction between the “content” of emails and other electronic messages and “communications data”, the latter being who sent a message, who received it, the length of the message, the location of the sender and recipient, and the time it was sent.

Liberty argues that under the Investigatory Powers Act 2016, the distinction between “content” and “communications data” has become blurred without proper legal justification. This means that intelligence services are able to access “content” from citizens in the British Isles, with fewer safeguards.

The UK government has accepted that under the Investigatory Powers Act, the full URL of websites visited by people, including specific articles they have read or webpages visited, is no longer regarded as “content”.

Similarly, the full directory structure of a computer, file names and modification dates, and the time, data and location a photograph was taken, are regarded as “communications data”, which means they can be accessed by intelligence services with fewer legal safeguards.

Liberty lawyer Watts said: “Bulk surveillance powers allow the state to collect data that can reveal a huge amount about any one of us – from our political views to our sexual orientation. These mass surveillance powers do not make us safer; they breach our privacy and undermine core pillars of our democracy.

“Our right to privacy protects all of us. It is vital that dangerously broad mass surveillance powers are reined in and the government must create proper safeguards that protect our rights,” she added.

The case is expected to be heard this year.

Liberty’s appeal arguments

Safeguards for journalists and sources

The government agrees that the safeguards in the Investigatory Powers Act 2016 do not protect the confidentiality of journalists, their sources, or confidential journalistic material.

Liberty argues that stronger safeguards should be introduced to project journalistic material and sources in line with a landmark court ruling in the European Court of Human Rights in 2021, in a case brought by Big Brother Watch.

A judge or an independent regulator should approve any searches of intercepted communications data by the intelligence services that are likely to find confidential journalistic material, identify journalists’ sources, or make use of search terms that are known to be connected to journalists or news organisations.

Lack of safeguards in bulk data collection

The UK government has agreed that existing safeguards fail to protect citizens privacy when intercepted data is searched in a way that can identify people.

Non-governmental organisation (NGO) Liberty argues that the search terms, known as “selectors”, used by intelligence agencies to search intercepted data should be independently authorised.

The NGO believes the use of “strong selectors” – search terms linked to identifiable individuals – should be subject to internal authorisation and an assessment whether they are proportionate before they are used, and intelligence services should keep a record of the justification for their use.

Sharing data overseas

The secretary of state has discretion to share bulk surveillance data collected from the population with overseas intelligence services, without the legal safeguards provided for by the Investigatory Powers Act 2016.

Codes of Practice developed for the Investigatory Powers Act 2016 offer weaker protection for surveillance data shared with overseas intelligence agencies than the codes of practice under the earlier Regulation of Investigatory Powers Act 2000 (RIPA).

There are no requirements to ensure that third countries have procedures to safeguard intercept material, to limit its disclosure and distribution, or to return or security delete intercepted communications data when it is no longer needed.

There are no requirements in the codes of practice for the UK to obtain an explicit agreement that a country receiving intercept material will not share it further.

Bulk personal datasets

Liberty argues there are no statutory requirements to limit the data on the population held in databases, known as bulk personal datasets (BPDs).

BPDs hold personal data which might include financial records, medical information, records of emails, phone calls and text messages, location data and other information. The datasets hold records of the entire population – the majority of which are not of interest to the intelligence services.

Liberty argues that state-held databases of private information should be sufficiently defined to allow citizens to foresee what information is likely to be retained.

The campaign group states that, contrary to European case law, there are no restrictions in codes of practice to safeguard BPDs shared with intelligence agencies in other countries.

Lack of safeguards for lawyer-client communications

Liberty argues that independent authorisation should be required before the intelligence services examine legally privileged material and that access should be justified by an “overriding requirement in the public interest”.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management