Ever since Edward Snowden’s leaks came to light, UK spy agencies have responded to accusations of surveillance overreach with a common boilerplate statement: that their activities are lawful, necessary and proportionate. However, they can’t always use that justification any more. The Investigatory Powers Tribunal has ruled that key GCHQ, MI5 and MI6 bulk data collection programs violated privacy protections in the European Convention on Human Rights. Both a Bulk Communications Data effort (which covers data such as visited websites, email metadata and GPS locations) and a Bulk Personal Datasets initiative (covering biographical details like your communications and financial activities) didn’t have proper oversight until 2015, when some safeguards came into place. That’s particularly damning when BCD was had been in place since 1998, and BPD since 2006.
There weren’t sufficient codes of practice covering either program, the Tribunal says. Moreover, there isn’t enough evidence to suggest that there was “effective independent oversight.” Commissioners had an inherently limited ability to verify how spies collected, stored and destroyed data, and didn’t conduct detailed audits. Also, the public didn’t know or expect that these surveillance systems were in place — you can’t consent to a program when you don’t realize it exists.
The Tribunal is “satisfied” that the newer protections are following European Convention rights. However, the watchdog group Privacy International (which launched litigation to reveal these flaws) isn’t happy. It believes that authorization and oversight are still “deeply inadequate,” and that the government “barely touched” on its data collection practices even when given a chance. We’d add that the timing of the ruling is ironic, too. The Tribunal is accusing agencies of violating rights just as they’re about to get expanded powers under the Investigatory Powers Bill — while this includes explicit oversight, many are concerned that the UK’s privacy intrusions are only going to worsen.