News

GCHQ mass surveillance powers violated human rights rules, European Court finds

The case centred on concerns raised about privacy rights in the face of powers given to security services.
The case centred on concerns raised about privacy rights in the face of powers given to security services. The case centred on concerns raised about privacy rights in the face of powers given to security services.

The methods used by GCHQ to carry out the bulk interception of online communications and its regime for the collection of data were “not in accordance with the law”, the European Court of Human Rights has ruled.

The court’s grand chamber ruled that there were deficiencies in the bulk interception regime used by the UK’s spy agencies which broke privacy rules and that it contained insufficient protection for confidential journalistic material.

But it added that the decision to operate such a scheme itself did not violate the European Convention on Human Rights.

It also concluded that the regime for sharing sensitive intelligence with foreign governments was not illegal.

The judgment is the culmination of a legal challenge to GCHQ’s methods around intercepting online communications first brought by privacy rights group Big Brother Watch and other organisations in 2013 in the wake of the Edward Snowden revelations on mass surveillance techniques used by the UK and US.

The case centred on complaints about powers given to security services under the Regulation of Investigatory Powers Act 2000 (Ripa), which has since been replaced by the Investigatory Powers Act 2016.

In its judgment, the court ruled unanimously that the UK’s spy agencies had violated Article 8 of the European Convention on Human Rights, which covers citizens’ rights to have their private life and communications respected, and Article 10, covering freedom of expression.

The court said there were three “fundamental deficiencies” in the methods used: that bulk interception had been authorised by the Secretary of State and not by an independent body; that categories of search terms defining the kinds of communications that would become liable for examination had not been included in the application for a warrant; and that search terms linked to an individual – for example, specific identifiers such as an email address – had not been subject to prior internal authorisation.

The judgment acknowledged that “owing to the multitude of threats states face in modern society”, such regimes were not illegal, but that they had to be subject to “end-to-end safeguards”.

Responding to the ruling, Jim Killock, executive director of the Open Rights Group, one of the organisations which took part in the legal challenge, said: “The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments if bulk interception is not to be abused.

“As the court sets out, bulk interception powers are a great power, secretive in nature, and hard to keep in check.

“We are far from confident that today’s bulk interception is sufficiently safeguarded, while the technical capacities continue to deepen. GCHQ continues to share technology platforms and raw data with the USA.

“This judgment is an important step on a long journey.”

A Government spokesperson said: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.

“This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture.

“The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s judgment.”