GCHQ’s mass data collection practices breached human rights law, European court rules

Surveillance methods disclosed by Edward Snowden in 2013 ruled illegal in landmark ruling

Aerial shot of GCHQ's building

The European court of human rights (ECHR) has ruled GCHQ's mass surveillance programmes violated privacy rights, and lacked the necessary safeguards to ensure collected data was protected.

Judges ruled the agency breached Articles 8 and 10 of the European Convention on Human Rights (ECHR), concerning privacy and freedom of expression respectively, in its data collection methods disclosed by Edward Snowden in 2013.

"This landmark judgment confirming that the UK's mass spying breached fundamental rights vindicates Mr Snowden's courageous whistle-blowing and the tireless work of Big Brother Watch and others in our pursuit for justice," said Big Brother Watch director Silkie Carlo.

"Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public."

The landmark case, brought by several rights groups including Big Brother Watch, Liberty and Amnesty International, considered three aspects of surveillance: intelligence sharing, obtaining communications data from service providers, and bulk interception of communications.

While the latter two aspects were found to represent a violation of human rights law, judges ruled intelligence sharing with foreign governments did not contravene either Article 8 or Article 10 of the ECHR.

While bulk data collection did not in itself violate the ECHR, according to the judgement, the practice of obtaining communications data from service providers via interception was not in accordance with the law, and therefore was in violation of Article 8.

While representing the privacy rights set out in Article 8, the practice also violated Article 10, freedom of expression, "as there were insufficient safeguards in respect of confidential journalistic material".

The ECHR also concluded there was a "lack of oversight of the entire selection process" and that safeguards were not "sufficiently robust to provide adequate guarantees against abuse".

"The Court has put down a marker that the UK government does not have a free hand with the public's communications and that in several key respects the UK's laws and surveillance practices have failed," said Dan Carey, who represented the applicants in the ECHR.

"In particular, there needs to be much greater control over the search terms that the government is using to sift our communications. The pressure of this litigation has already contributed to some reforms in the UK and this judgment will require the UK government to look again at its practices in this most critical of areas."

The Strasbourg-based court wrapped three separate challenges being made against the UK into one ruling, which was marked by an initial hearing in November 2017. Its final decision represents the most significant challenge to the government's intelligence gathering practices made to date.

The UK government has maintained its mass data collection practices, as revealed in the Edward Snowden leaks, are necessary to fight extremism.

But its Investigatory Powers Act 2016 which legalised many of these practices under domestic law was found to have violated European law in a UK High Court ruling earlier this year. The court gave ministers until 1 November 2018 to make changes to the legislation.

"The Investigatory Powers Act 2016 replaced large parts of the Regulation of Investigatory Powers Act (RIPA) which was the subject of this challenge," a government spokesperson told IT Pro. "This includes the introduction of a double lock' which requires warrants for the use of these powers to be authorised by a Secretary of State and approved by a judge.

"An Investigatory Powers Commissioner has also been created to ensure robust independent oversight of how these powers are used. The Government will give careful consideration to the Court's findings."

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Most Popular

350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
Samsung Galaxy Note might be discontinued in 2021
Mobile Phones

Samsung Galaxy Note might be discontinued in 2021

1 Dec 2020