UK oversight bodies 'were not aware' of spies' data-sharing

Privacy International finds documents alleging widespread GCHQ data-sharing occurred without safeguards

Privacy International has raised concerns that oversight bodies were not aware that GCHQ or MI5 were allegedly sharing people's social media data with foreign intelligence and law enforcement agencies.

The charity claims that GCHQ accessed this information by gaining access to private companies' databases. IT Pro understands that Facebook and Twitter do not provide governments with direct access to user data.

Advertisement - Article continues below

The Investigatory Powers Commissioner's Office (IPCO) now oversees the intelligence agencies' activities, after subsuming both the the Intelligence Services Commissioner's Office, and the Interception of Communications Commissioner. Both these latter bodies, the charity said, were unaware that UK intelligence agencies were sharing massive databases of people's information with foreign governments, law enforcement and industry - potentially for decades.

Inappropriate and uncontrollable sharing with industry third parties may still be ongoing without proper oversight, the privacy campaign group added, saying that there are contractors who have system access rights that could allow them to enter the intelligence agencies' systems, access and extract data and then cover their tracks.

The charity said it has since seen letters from the IPCO raising concerns about the role of private contractors who are given administrator access to the data. The body was worried that there were no systems in place to prevent the misuse of this data by the contractors.

Advertisement - Article continues below
Advertisement - Article continues below

A GCHQ spokesperson said to IT Pro: "We have always operated within the law, co-operated fully with oversight regimes, and all our activities are authorised, necessary and proportionate."

The information the agencies hold is stored in large databases but it remains unclear what data they have, with Privacy International's documents only revealing broad categories like "biographical details", "financial activities", "travel data" and "legally privileged communications".

The group revealed a tranche of documents detailing the data-sharing activities yesterday, and is in Southwark Crown Court until Thursday to uphold its challenge of the UK government's access to private company and/or organisation databases.

The case is a continuation of the charity's challenge to spy agencies' access to data, being heard by the Investigatory Powers Tribunal (IBT). The IBT previously made a landmark ruling that spy agencies had unlawfully collected communications data between 1998 and 2015 after Privacy International's challenge.

The UK government claims that there are effective safeguards in place around data sharing, which Privacy International disputes. Furthermore, the charity will question the government's evidence after the IPCO flagged that part of the government's evidence includes a misleading GCHQ witness statement. The statement details that the former commissioners were briefed about the agencies' use of information on private company and/or organisation databases. The IPCO stated the commissioners were never made aware of this.

Advertisement - Article continues below

Millie Graham Wood, solicitor at Privacy International, said: "The intelligence agencies' practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing, we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

"The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future."

The IBT ruled last month that a case brought against the UK's spy agencies last month over the legality of mass surveillance should be taken to the European Court of Justice (ECJ). This means the ECJ will have the final say on whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Policy & legislation

What is the Investigatory Powers Act 2016?

6 Jul 2020
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020