GCHQ's mass surveillance regime ruled unlawful
The ECHR has ruled that the UK's bulk collection and ISP data interception programmes breached human rights law
The UK's bulk data collection and surveillance programme partially violated the European Convention on Human Rights, specifically contravening articles on the right to privacy and freedom of expression.
The surveillance programme, disclosed by Edward Snowden in 2013, did not in itself violate human rights law, according to the grand chamber of the European Court of Human Rights (ECHR), but violations stemmed from a lack of safeguards and protections.
The challenge, which has gone through various stages through the years, was brought forward by a group of privacy rights organisations, including Big Brother Watch, the Open Rights Group (ORG), Amnesty International, and Liberty. Previous judgements have generally concurred that the UK's surveillance regime was unlawful.
"The Court has recognised that Bulk Interception is an especially intrusive power, and that 'end-to-end safeguards' are needed to ensure abuse does not occur," executive director of the ORG, Jim Killock, said.
"The court has show that the UK government's legal framework was weak and inadequate when we took them to court with Big Brother Watch and Constanze Kurz in 2013. The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused."
The grand chamber ruled unanimously that the surveillance regime violated Article 8, the right to respect for private and family life/communications, in respect of the bulk interception regime and obtaining communications data from internet service providers (ISPs). Both these data collection practices also violated Article 10, the right to freedom of expression.
There were no violations under Article 8 or Article 10 in respect of the regime for requesting intercepted material from foreign governments and intelligence agencies.
Operating a bulk interception regime does not itself violate the convention, "owing to the multitude of threats states face in modern society", but such a regime must be subject to "end-to-end safeguards". This means that assessments should be made at every stage of the process of how necessary and proportionate the data collection measures are.
The UK's regime fell short because bulk interception had been authorised by the secretary of state and not by a body independent of the government. Applications for warrants to conduct searches also didn't state the categories of search terms that would define the kinds of communications data that would be examined. The use of search terms linked to an individual, including specific identifiers such as email address, had also not been subject to prior internal authorisation.
The judgement will serve as vindication for the applicants who brought the challenge forward, with the UK's surveillance regime deemed not compatible with the law at the time, the Regulation of Investigatory Powers Act (RIPA) 2000. This has since been replaced with the Investigatory Powers Act 2016, also known as the snooper's charter.
Cost of a data breach report 2020
Find out what factors help mitigate breach costsDownload now
The grand chamber's decision to declare bulk surveillance regimes in and of themselves as not incompatible with human rights law, however, may be considered disappointing by privacy rights activists. Groups such as Big Brother Watch and Liberty have sustained longstanding opposition to such regimes out of principle.
"As the court sets out, bulk interception powers are a great power, secretive in nature, and hard to keep in check," Killock continued.
"We are far from confident that today's bulk interception is sufficiently safeguarded, while the technical capacities continue to deepen. GCHQ continues to share technology platforms and raw data with the USA. This judgment is an important step on a long journey."
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now