MI5 unlawfully collected and held millions of people’s data
Secretive court finds MI5 knowingly acted unlawfully in use of bulk surveillance warrants, and the Home Office continued granting warrants despite information the agency was operating outside the law
UK security service MI5 unlawfully gathered and retained millions of people’s private data, Britain’s most secret court has ruled in a landmark case on mass surveillance.
Human rights organisations Liberty and Privacy International launched a joint case against MI5 in January 2020 to challenge the UK’s surveillance laws – which they say “are not fit for purpose and fail to protect our fundamental privacy rights” – and have a decade of unlawful surveillance warrants quashed.
Under the Investigatory Powers Act, otherwise known as the snoopers’ charter, state bodies such as MI5 are allowed to collect and store a wide range of data on any member of the public.
The Investigatory Powers Tribunal, however, ruled on 30 January 2023 that MI5 broke key legal safeguards by unlawfully retaining and using individuals’ private data gathered via covert bulk surveillance.
Although no information has been disclosed on whose data was mishandled during the case, the human rights groups believe millions of UK citizens could be affected, and that it is likely to include data on many people who are not suspected of wrong-doing, including lawyers and journalists.
The tribunal also found that MI5 failed to disclose its improper storage of data – despite being aware it had no legal right to do so – to the Home Office and other oversight bodies, and that successive home secretaries failed to investigate the intelligence agency – and continued to sign off on surveillance warrants – even after they had received clear indications it was acting unlawfully.
“There were serious failings in compliance with the statutory obligations of MI5 from late 2014 onwards,” said the tribunal in a 50-page judgment. “The holding and handling of data in those circumstances was unlawful on the basis … satisfactory safeguards relating to RRD [retention, review and disposal] were not in place. MI5 accepts that it was in breach of the safeguarding obligations.”
Megan Goulding, Liberty
The tribunal added the Home Office did not make adequate inquiries into the compliance risks, despite issues being reported on several occasions from 2016 onwards. “In those circumstances, the secretary of state did not have grounds to be satisfied that effective safeguards applied to warrants where there had been no assessment or effective investigation into compliance with RRD,” it said.
Responding to the judgment, Liberty lawyer Megan Goulding said MI5’s “deliberate law-breaking” shows that powers granted under the snoopers’ charter do not work for the public.
“We are pleased the tribunal has found that MI5 have been mishandling our data, storing it when they shouldn’t have, and the home secretary has been unlawfully granting warrants. This judgment confirms what we at Liberty, and others, have been saying for years – surveillance safeguards are not fit for purpose and fail to protect our fundamental privacy rights,” she said.
“For years, MI5 knowingly broke the rules and failed to report it, the internal oversight body did not detect it and the government failed to investigate clear red flags. Instead, the Home Office continued to issue unlawful warrants, and MI5 kept information from the authorities about it mishandling our data.”
The tribunal also found that MI5 breached its duty of candour by failing to report its unlawful handling of bulk communications data to the court during a separate case brought by Privacy International, meaning the case could be reopened.
Caroline Wilson Palow, legal director at Privacy International, said the withholding of crucial information called past decisions into question.
“These are not technical breaches. At its highest levels, MI5 systemically disregarded the law, and the Home Office’s failure to do anything green-lighted their activities. Nothing good comes of unchecked power being exercised by government intelligence agencies operating in the shadows. It’s undemocratic and dangerous to our rights to give MI5 a free pass,” she said.
“While we are pleased that the Investigatory Powers Tribunal has recognised MI5’s serious failures, we are disappointed that they did not go further to remedy them. What’s important now, though, is that the government recognises that we are entitled to real protections for our privacy and takes action to safeguard them.”
Caroline Wilson Palow, Privacy International
Despite its findings, the tribunal did not quash the unlawful warrants or destroy all unlawfully retained data, on the basis it “would be very damaging to national security”.
It added that it would be “very difficult” to conduct searches of individual warrants issued over several years, and to identify which were unlawfully issued and to what extent: “Carrying out such an exercise would serve no useful purpose, but would have a deleterious effect on the efficiency of MI5.”
It further added the root of MI5 unlawfulness was its failure to have and apply a proper system for reviewing retention and deletion of data, and not a failure that meant it should never have had the material in the first place.
“It is a failure which means that a small proportion of the material was retained for longer than it should have been. To hold that all of the product of all of the warrants should be destroyed would be disproportionate to the unlawfulness which we have found,” the tribunal said.
“This does not minimise the seriousness of that unlawfulness, which should be obvious to all readers of this judgment.”
Read more about surveillance technology
- Experts concerned over silence around government obligation to review UK surveillance laws: The government is required to review the Investigatory Powers Act, but experts say they are in the dark about its plans. The National Crime Agency’s operation Venetic has highlighted the need for urgent reforms.
- EU fails to protect human rights in surveillance tech transfers: Transfers of surveillance technology from the European Union to African governments are carried out without due regard for the human rights impacts, the European Ombudsman has found after a year-long investigation into the European Commission’s management of an aid fund.
- UK to surveil convicted migrants with facial recognition: A Home Office scheme to biometrically scan the faces of convicted migrants who have already carried out punishments has come under fire from privacy and human rights groups for being discriminatory.