Spy agencies need ‘independent authorisation’ to access telecoms data, say judges

The High Court has ruled that UK intelligence agencies should seek independent authorisation before accessing phone and internet records during criminal investigations

The security and intelligence services will have to obtain independent authorisation before accessing citizens’ private phone and internet records during criminal investigations following a landmark High Court decision.

Two High Court judges have ruled that MI5, MI6 and GCHQ have been unlawfully given permission to access individuals’ communications data for the prevention or detection of serious crime under the Investigatory Powers Act 2016, known as the Snoopers’ Charter.

Lord Justice Singh and Justice Holgate found that the ability of the UK’s intelligence services to authorise their own access to the private communications data of the public for investigating crime is incompatible with EU laws that have been retained by the UK legal system after Brexit.

The case brought by the campaign group Liberty represents a partial victory for the civil society group, which began its first legal challenge against the lawfulness of the state’s bulk surveillance powers five years ago in 2017.

“The court has agreed that it’s too easy for the security services to get their hands on our data. From now on, when investigating crime, MI5, MI6 and GCHQ will have to obtain independent authorisation before having access to our communications data,” said Megan Goulding, lawyer for Liberty.

The Investigatory Powers Act 2016 allows the intelligence services and other government agencies to access the private communications and personal information of UK citizens irrespective of whether there is any evidence of wrongdoing.

The court found, however, in a 35-page judgment, that there was no reason for the intelligence services not to be subject to the same safeguards as the police when gathering surveillance data to investigate or prevent crime.

The “mere fact” that GCHQ, MI5 and MI6 generally operate in the field of national security does not make them exempt from the safeguards that apply to the police when investigating crime, the judges found.

“The court has agreed that it’s too easy for the security services to get their hands on our data. From now on, when investigating crime, MI5, MI6 and GCHQ will have to obtain independent authorisation before having access to our communications data”
Megan Goulding, Liberty

“When the security and intelligence agencies act for an ordinary criminal purpose, we cannot see any logical or practical reason why they should not be subject to the same legal regime as the police,” they wrote.

The case is the latest in a long-running legal battle between Liberty, the Home Department and the Department of Foreign and Commonwealth Affairs over the UK’s bulk surveillance powers.

Ben Jaffey QC, representing Liberty, argued during a two-day hearing that the Investigatory Powers Act allowed intelligence agencies “general and indiscriminate” access to records of people’s private phone an internet activity, contrary to EU law.

The judges rejected the argument on the grounds that the IPA does not impose a blanket requirement on telecoms and internet companies to retain communications data.

All applications to exercise bulk surveillance powers require a warrant from the secretary of state, who must be satisfied the request is necessary and proportionate, according to the High Court judgment. Use of the bulk surveillance powers is also subject to approval by an independent judicial commissioner.

The Office of the Investigatory Powers Commissioner and the Investigatory Powers Tribunal also provide an oversight role, the judges said.

The judges dismissed arguments from Liberty that the automated processing of bulk communications data by the UK intelligence services was incompatible with EU law retained after Brexit.

Singh and Holgate found there was no absolute requirement under EU law to notify people whose communications had been monitored once investigations had been completed.

It was sufficient that an individual who suspects they have been subject to surveillance can make a complaint to the Investigatory Powers Tribunal, which has the power to make legally binding decisions.

The judges said that under a code of practice, public authorities had a duty to report any mistaken access or disclosure of communications data to the surveillance watchdog, the Investigatory Powers Commissioner.

The commissioner must inform anyone affected by errors made by public authorities under the IPA 2016, if the error is serious and it is in the public interest to disclose it.

Journalists’ sources

The judges dismissed arguments by Liberty that bulk interception does not provide sufficient safeguards to protect journalistic material and sources.

They wrote that the government has accepted a decision by the European Court of Human Rights that safeguards are required for journalistic material and has announced plans to legislate to introduce greater protection for journalists in the UK.

Any surveillance requests to identify or confirm a journalistic source must be approved by a judicial commissioner and can only be authorised if there is an “overriding” public interest, according to the judgment.

Liberty’s legal arguments

The UK’s bulk surveillance powers are incompatible with EU law because:

  • They allow the “general and indiscriminate” retention and access to communications data and are not limited to national security.
  • Surveillance powers used for national security purposes do not meet the requirements of retained EU law because they fail to provide adequate privacy safeguards for automated data processing.
  • Outside of national security, the UK has failed to implement safeguards identified by the Court of Justice of the European Union in the Tele2/Watson case. It has failed to require prior authorisation for accessing bulk data, failed to require subjects of surveillance to be notified where operationally possible, and failed to require intercepted data to be kept in the UK or the EU.
  • Bulk surveillance powers do not comply with Articles 8 and 10 of the European Convention on Human rights, particularly for journalistic communications.

Following the judgment, Liberty said it would apply for permission to appeal several points, including the question of whether the bulk surveillance powers authorised by the IPA permit “general and indiscriminate” data collection which requires higher safeguards in UK law.

Liberty is also seeking an appeals court decision over whether state agencies are required to obtain independent authorisation each time they access stored communications data.

The civil society group is bringing a wider case against the IPA in the Court of Appeal, which is expected to be heard later this year.

Liberty said it believes the powers of the IPA are too broad and that legal safeguards in the act fail to protect individuals’ rights of privacy and free expression. They also fail to adequately protect journalists and their sources.

“Mass surveillance powers do not make us safer; they breach our privacy and undermine core pillars of our democracy,” said Liberty lawyer Megan Goulding. “[This ruling] represents a huge landmark in reigning in our mass surveillance powers, and we hope now the government creates proper safeguards that protect our rights.”

Liberty’s legal battle against bulk surveillance powers

2015: The hitherto secret acquisition of bulk communications data from internet and phone companies by the UK intelligence agencies and law enforcement is publicly disclosed for the first time.  

28 February 2017: Liberty begins legal proceedings against the Home Department and the Department for Foreign and Commonwealth Affairs, challenging the legality of the state’s bulk hacking, bulk interception and bulk collection of internet and phone data.      

27 April 2018: The High Court gives the government six months to rewrite the Investigatory Powers Act 2016, known as the Snoopers charter, after finding it incompatible with EU law. The court found that the IPA is incompatible with fundamental rights in EU law in the area of criminal justice because it does not limit access to communications data to the purpose of combatting “serious crime”, and access to communications is not subject to prior review by a court or administrative body.

1 November 2018: Government amends the Investigatory Powers Act by issuing a statutory instrument, the Data Retention and Acquisition Regulations. The regulation changes the definition of serious crime from crimes that could attract a sentence of six months to those that could attract 12 months.

27 November 2018: Judges give Liberty permission to bring a judicial review over the Investigatory Powers Act 2016.

29 July 2019: High Court refuses an application from Liberty to declare the IPA incompatible with the European Convention on Human Rights. The court found that bulk surveillance powers did not breach people’s rights to free expression and contained sufficient safeguards to protect journalistic and legally-privileged communications. Liberty applied for permission to appeal.

6 October 2020: European Court of Human Rights rules that the UK’s bulk surveillance programme breaches citizens’ privacy rights. The court found that the collection of communications traffic data from telecoms and internet companies is a “particularly serious” interference of privacy rights under European law. It said that UK and EU member states cannot use “national security” exemptions to override EU privacy law when harvesting people’s data from communications companies, following cases brought by Privacy International and La Quadrature Du Net. 

31 December 2020: Liberty files an amended ‘statement of facts’ taking into account the 25 May decisions by the European Court of Human Rights in Big Brother Watch and Privacy International.

19 February 2021: The secretaries of state for the Home Department and the Foreign and Commonwealth Affairs serve “detailed grounds of resistance” in response to Liberty.

28 May 2021: European Court of Human Rights finds that the UK’s bulk interception of communications data, including data about telephone calls and emails, unlawfully breached the privacy rights of UK citizens, following a complaint brought by 11 civil society groups led by Big Brother Watch. The decision paved the way for greater protection for journalist's sources and journalistic material by requiring independent prior approval before journalists’ communications are intercepted.

22 July 2021: The Investigatory Powers Tribunal finds that the Telecommunications Act 1984, which legalised bulk communications data collection, is incompatible with UK law.

31 March 2022: Home secretary Priti Patel announces plans in Parliament to introduce safeguards to the Investigatory Powers Act, in the wake of the judgment in the case of Big Brother Watch and others versus UK.

8 April 2022: High Court gives Liberty permission to appeal after the government disclosed in legal papers that the safeguards in the Investigatory Powers Act (IPA) do not comply with human rights laws, as they fail to protect journalistic confidentiality and allowed intelligence agencies to search intercepted data in a way that identifies individuals without proper authorisation.

24 June 2020: High Court rules that UK’s intelligence agencies should seek independent authorisation before accessing phone and internet records during criminal investigations following a case brought by Liberty but rejects Liberty’s other legal arguments. Liberty plans to appeal on a number of points where the court found against it.

Read more on Privacy and data protection

Data Center
Data Management