GCHQ breached privacy rights of IT professional and security researcher, human rights court rules

The European Court of Human Rights in Strasbourg finds UK intelligence services breached the privacy rights of two overseas nationals – an IT professional and a security researcher

Britain’s spy agencies violated the privacy rights of two foreign nationals living outside the UK as part of the country’s programme of bulk surveillance, the European Court of Human Rights has ruled.

The court upheld a complaint from an IT professional and a security and privacy researcher living outside the UK that GCHQ had breached their privacy rights under its bulk interception programme.

The ruling has established that the UK can be held accountable for breaches of human rights if it unlawfully spies on the electronic communications of people living outside the UK’s borders.

Joshua Wieder, a US-based IT professional, and Claudio Guarnieri, an Italian privacy and security researcher based in Berlin, complained to the Strasbourg court that their privacy rights had been breached. They made the complaint after the UK’s Investigatory Powers Tribunal refused to investigate their case, leaving them with no right of redress in the UK.

The human rights court found – based on a previous ruling by the court in 2021, which found that GCHQ’s bulk surveillance regime had operated unlawfully – that there had been a violation of Wieder and Guarnieri’s privacy rights. Because their communications had been interfered with in the UK, their rights to privacy also fell within the territorial jurisdiction of the UK, the court found.

Commenting on the case, Ilia Siatitsa, senior legal officer at campaign group Privacy International, said the court’s ruling meant states would be held accountable for surveillance beyond their borders.

“States can no longer assume digital surveillance comes without consequences or that they can evade accountability by targeting people outside their borders,” she said. “[The ruling] emphatically underscores that security and intelligence agencies must be held responsible for the effects of their actions no matter where they occur.”

Snowden revelations sparked complaint

Wieder and Guarnieri argued that their communications were unlawfully intercepted and accessed by UK intelligence agencies in a complaint submitted to the European Court of Human Rights in November 2016.

They made the allegations following revelations by whistleblower Edward Snowden over the extent of surveillance programmes run by the US National Security Agency and the UK’s GCHQ. The complainants said they “reasonably believed” that their communications had been intercepted or processed by the UK intelligence agencies.

Wieder describes himself as an IT professional and independent researcher. According to his website, he identified malicious scripts embedded in leaked documents from the defence contractor Stratfor, on the WikiLeaks website.

Guarnieri has received bylines on two articles covering the Snowden papers, and the capabilities of GCHQ and the NSA published by The Intercept and Der Speigel.

The UK government claimed that Wieder and Guarnieri did not have a case before the European Court as they had not exhausted all the domestic remedies in the UK by failing to seek a judicial review of the Investigatory Powers Tribunal’s decision not to investigate their case.

The UK claimed the interception of communications did not fall in the UK’s jurisdiction when either the sender or the recipient complaining about a breach of their privacy rights was outside the UK.

Wieder and Guarnieri claimed there was no rational basis for the government’s arguments in view of the fact that the “proliferation of online communications had deprived national borders of their meaning”.

They were supported by Media Defence, an international human rights organisation, which presented written legal arguments.

Privacy violations occurred in UK

The court rejected the UK government’s arguments, finding that the applicants’ privacy had been breached in the UK, even though they were living overseas. It drew an analogy between interference in people’s privacy rights through surveillance and interference with their personal property.

“It could not be seriously suggested that searching a person’s home would fall out of jurisdiction if a person was abroad when the search took place,” it said.

The court found, in a 35-page judgment, that in the light of its ruling in Big Brother Watch and others v UK in 2021, there had been a breach of Wieder and Guarnieri’s privacy rights under Article 8 of the European Convention on Human Rights. The court found their communications had been interfered with in the UK and that their rights to privacy must also fall within the territorial jurisdiction of the UK.

In Big Brother Watch and others v UK, the human rights court ruled that the bulk surveillance regime under the Regulation of Investigatory Powers Act (RIPA) 2000 was applied unlawfully until the government avowed it during the court proceedings. RIPA has since been replaced by the Investigatory Powers Act 2016, also known as the Snoopers’ Charter.

The applicants made no claim for damages, stating that a public finding that the European Convention on Human Rights had been breached would be just satisfaction. The court awarded them costs and expenses of €33,155, to be paid for by the UK government.

Read more on Privacy and data protection

Data Center
Data Management