Investigatory Powers Tribunal escalates lawsuit to the EU

Tribunal notes that scrapping bulk data collection could 'cripple' UK spy agencies

Surveillance

The Investigatory Powers Tribunal (IBT) has ruled that a case brought against the UK's spy agencies over the legality of mass surveillance should be elevated to the European Court of Justice (ECJ).

The decision means that the ECJ will have the final say as to whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal. 

Privacy International, the UK-based privacy and online rights charity, first brought a case against MI5, GCHQ and MI6 in 2014 in an attempt to strike down the ability for agencies to use blanket hacking warrants, a key element of the Investigatory Powers Bill.

The group previously argued that the collection of bulk communications data (BCD) had no basis in UK law, and that spy agencies had breached articles eight and 10 of the European Convention on Human Rights (ECHR), which guarantee the rights to privacy and free speech.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Since then, numerous cases have been heard relating to the legality of mass surveillance, which often includes the collection of personal web histories and mobile communications.

Privacy International lawyers argued last week that UK citizens were subject to some of the most wide-reaching surveillance, and that the right to privacy, guaranteed by the constitution, should limit the powers of security agencies.

Friday's decision, in a battle that has seen rulings in favour of both sides of the argument, will see the case referred to the ECJ, stating that "both parties either agreed or saw the necessity for a reference to the Grand Chamber, and the need for it is, we suggest, obvious from this judgment".

Part of the court's responsibility will be to consider a case brought against the agencies in December 2016 by Labour MP Tom Watson.

The subsequent ruling by the ECJ said that powers afforded by the Data Retention and Investigatory Powers Act, the previous UK law governing the collection of data, were unlawful. It also added that data collected in bulk should only be accessible for the purposes of detecting and preventing serious crime.

The IBT also ruled in October 2016 that GCHQ, MI5 and MI6, through the use of BCD, had breached UK privacy laws and illegally collected data between 1998 and 2015 - this only applied during that period, however, prior to the agencies publicly announcing the tactic.

Advertisement - Article continues below

However, Friday's ruling did acknowledge the importance of surveillance for UK spy agencies, adding that BCD was "essential to the protection of the national security of the United Kingdom". It also said that applying the Watson decision to UK law "would effectively cripple the security and intelligence agencies' bulk data capabilities".

"We welcome the tribunal's recognition that collecting bulk personal data and communications data are vital national security capabilities," said a government spokesperson, speaking to the Guardian. "As litigation is ongoing, it would not be appropriate to comment further."

The case will now decide whether EU laws apply, particularly the Charter of Fundamental Rights of the European Union, which enshrines political and social rights into EU legislation. However, the tribunal decided not to expedite the case, and it is therefore likely that it will be several years before a decision is made by the ECJ, beyond the date set for the UK to leave the European Union.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/policy-legislation/33407/what-is-the-investigatory-powers-act-2016
Policy & legislation

What is the Investigatory Powers Act 2016?

8 Aug 2019
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020