GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights (ECHR) has ruled in a test case judgment.
But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal.
It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations.
The long-awaited ruling is one of the most comprehensive assessments by the ECHR of the legality of the interception operations operated by UK intelligence agencies.
The claims, which had already been heard by the UK’s investigatory powers tribunal, were brought by a coalition of 14 human rights groups, privacy organisations and journalists, including Amnesty International, Liberty, Privacy International and Big Brother Watch.
The judges considered three aspects of digital surveillance: bulk interception of communications, intelligence sharing and obtaining of communications data from communications service providers.
By a majority of five to two votes, the Strasbourg judges found that GCHQ’s bulk interception regime violated article 8 of the European convention on human rights, which guarantees privacy, because there were said to be insufficient safeguards, and rules governing the selection of “related communications data” were deemed to be inadequate.
The regime for sharing intelligence with foreign governments operated by the UK government did not, however, violate either article 8 or article 10.
The legal challenge was triggered by revelations made by Snowden in 2013, which showed GCHQ, the UK’s Government Communications Headquarters, was secretly intercepting, processing and storing data about millions of people’s private communications, even when those people were of no intelligence interest. In one of the operations, called Tempora, GCHQ was tapping into cables and communication networks to obtain huge volumes of internet data.
“The United Kingdom authorities have neither confirmed nor denied the existence of an operation codenamed Tempora,” the ECHR judgment notes.
The case concerned the interception regime previously operated by GCHQ. New regulations are in the process of coming into force under the the Investigatory Powers Act 2016. The Strasbourg court did not examine the new legislation.
In accompanying notes to the main judgment, which runs to more than 500 paragraphs, the court said it recognised the severity of the threats of terrorism, online sexual abuse and other crimes faced by European states. Advancements in technology had made it easier for terrorists and criminals to evade detection on the internet, the judges acknowledged.
Bulk interception regimes can be legal if countries deem them to be necessary in the interests of national security but certain minimum safeguards are required.
Those safeguards include that the law must indicate “the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed”.
The judgment was critical of interception warrants obtained under section 8(4) of the Regulation of Investigatory Powers Act. Such warrants do not need to name or describe the person subject to interception or the premises involved.
The judges said: “While the court does not doubt that related communications data is an essential tool for the intelligence services in the fight against terrorism and serious crime, it does not consider that the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content.”
Megan Goulding, a lawyer for Liberty, said: “This is a major victory for the rights and freedom of people in the UK. It shows that there is – and should be – a limit to the extent that states can spy on their citizens.
“Police and intelligence agencies need covert surveillance powers to tackle the threats we face today – but the court has ruled that those threats do not justify spying on every citizen without adequate protections.
“Our government has built a surveillance regime more extreme than that of any other democratic nation, abandoning the very rights and freedoms terrorists want to attack. It can and must give us an effective, targeted system that protects our safety, data security and fundamental rights.”
Lucy Claridge from Amnesty International, said: “Today’s ruling represents a significant step forward in the protection of privacy and freedom of expression worldwide. It sends a strong message to the UK government that its use of extensive surveillance powers is abusive and runs against the very principles that it claims to be defending.”
Dan Carey of Deighton Pierce Glynn, the solicitor representing some of applicants, said: “The court has put down a marker that the UK government does not have a free hand with the public’s communications and that in several key respects the UK’s laws and surveillance practices have failed. In particular, there needs to be much greater control over the search terms that the government is using to sift our communications.”
Jim Killock, executive director of Open Rights Group, said: “Viewers of the BBC drama the Bodyguard may be shocked to know that the UK actually has the most extreme surveillance powers in a democracy. Since we brought this case in 2013, the UK has actually increased its powers to indiscriminately surveil our communications whether or not we are suspected of any criminal activity. In light of today’s judgment, it is even clearer that these powers do not meet the criteria for proportionate surveillance and that the UK government is continuing to breach our right to privacy.”