GCHQ’s mass data interception violated right to privacy, court rules

By Haroon Siddique,
Published by The Guardian, 25 Mat 2021

Human rights judgment follows legal challenge begun in 2013 after Edward Snowden’s whistleblowing revelations

The UK spy agency GCHQ’s methods for bulk interception of online communications violated the right to privacy and the regime for collection of data was unlawful, the grand chamber of the European court of human rights has ruled.

In what was described as a “landmark victory” by Liberty, one of the applicants, the judges also found the bulk interception regime breached the right to freedom of expression and contained insufficient protections for confidential journalistic material but said the decision to operate a bulk interception regime did not of itself violate the European convention on human rights.

The chamber, the ultimate court of the ECHR, also concluded that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal.

The grand chamber judgment is the culmination of a legal challenge to GCHQ’s bulk interception of online communications begun in 2013 by Big Brother Watch and others after Edward Snowden’s whistleblowing revelations concerning the interception, processing and storing of data about millions of people’s private communications by the eavesdropping agency.

The case concerned the interception regime previously operated by GCHQ, which was replaced in 2016 by the Investigatory Powers Act (IPA).

In Tuesday’s ruling, which confirmed elements of a lower court’s 2018 judgment, the judges said they had identified three “fundamental deficiencies” in the regime. They were that bulk interception had been authorised by the secretary of state, and not by a body independent of the executive; that categories of search terms defining the kinds of communications that would become liable for examination had not been included in the application for a warrant; and that search terms linked to an individual (that is to say specific identifiers such as an email address) had not been subject to prior internal authorisation.

Its judgment stated: “In order to minimise the risk of the bulk interception power being abused, the court considers that the process must be subject to ‘end-to-end safeguards’, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto (retrospective) review.”

Liberty’s lawyer Megan Goulding said: “Bulk surveillance powers allow the state to collect data that can reveal a huge amount about any one of us – from our political views to our sexual orientation. These mass surveillance powers do not make us safer.

“Our right to privacy protects all of us. Today’s decision takes us another step closer to scrapping these dangerous, oppressive surveillance powers, and ensuring our rights are protected.”

Liberty said the decision would allow its challenge to the IPA – nicknamed the “snooper’s charter” by critics – to proceed in the UK courts, having been stayed pending the chamber’s decision.

Other applicants stressed that there was still plenty of work to be done to protect privacy, while some of the 17 dissenting judges said the ruling had not gone far enough.

Ilia Siatitsa, acting legal director at Privacy International, said it was “an important win for privacy and freedom for everyone in the UK and beyond” but added: “It is not the end.”

Jim Killock, executive director of the Open Rights Group, said: “The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused.”

One of the partially dissenting judges, Paulo Pinto de Albuquerque said the ruling had opened the gates for an electronic “Big Brother” in Europe. Four other judges also partially dissented from the majority opinion, disagreeing with the finding that the regime for sharing sensitive digital intelligence with foreign governments was not illegal. Three of the dissenting judges quoted from George Orwell’s Nineteen Eighty-Four: “There was of course no way of knowing whether you were being watched at any given moment.”

Snowden’s 2013 revelations included details of an operation codenamed Tempora, which tapped into and stored huge volumes of data drawn from fibre-optic cables.

A government spokesperson said: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture.

“The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s judgment.”

See: Original Article