The UK’s programme of bulk surveillance is breaching human rights law, a court has ruled, and threatening the freedom of the press by doing so. That’s the landmark ruling of the European Court of Human Rights at the conclusion of a five-year legal challenge brought by a range of human rights groups and journalistic organisations.

The ruling is itself a result of journalism and campaigning, rather than the supposed safeguards the country has in place to manage its intelligence agencies. It comes as a result of reporting in the Guardian and the Washington Post on classified documents from the NSA whistleblower Edward Snowden.

The UK’s signals intelligence agency GCHQ has a plethora of programmes to collect either the content of messages or its metadata – which can include who it’s to and from, time and date information, and detailed location data – in vast quantities, collecting information on millions of people each day, either from phone and internet companies, or by intercepting the cables that make up the backbone of the internet.

The UK government has long argued this does not intrude on our privacy or our freedom of expression because it only dips into the vast troves of information it collects in a selective way, arguing that it’s only these searches by humans that are relevant to our rights – not the large-scale harvesting itself.

The ECHR has, at least in part, rejected that argument. It has said the UK government’s rationale breaches all of our rights to a private life, because of the lack of oversight and safeguards on how agencies can access the data they select.

It has also ruled there is a particular risk to journalistic freedom and source protection, as there are no effective restrictions on searching for journalists’ sources or emails, versus generalised searches. This, it said, had a “potential chilling effect” on journalism, and on journalists’ confidence that their sources could be protected.

As one of the journalists who worked on the Snowden revelations for the Guardian, I know this risk is not just a theoretical one: in 2015, we published evidence showing that just one set of GCHQ test data had collected emails from some of the world’s top newsrooms.

The sample data included emails from the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post, all of which had not only been intercepted, but had ended up saved on GCHQ’s intranet, available for thousands of US and UK spies to read at their leisure – from one tap alone. The reports also suggested a hostility towards the role of the press, remarking “journalists and reporters representing all types of news media represent a potential threat to security”.

This hostility has demonstrated itself in practice: despite the Guardian and the Washington Post’s reporting securing the papers the Pulitzer Prize for Public Service, and leading to changes in US surveillance law, the Metropolitan Police still – five years after their release – has an active police investigation into the publication of the Snowden leaks, while far more seriously the whistleblower behind them still relies on Russia for asylum.

This ruling should mark a change, even if it is unlikely to do so. For years, the UK has relied on hiding behind the fig leaf of oversight, pointing out how many internal audits its agencies do, how it has multiple commissions looking into the interception and use of data, how the Investigatory Powers Tribunal and parliament’s Intelligence and Security Committee rigorously oversee intelligence activities.

There is certainly no shortage of acronyms. But there has certainly been a shortage of action. The court today found the UK breached our human rights under the European Convention of Human Rights, which is also enshrined in UK domestic law as the Human Rights Act.

That finding did not come as the result of action from any one of the alphabet suit of organisations and individuals who were supposed to be overseeing the agencies: it came from journalism, it came from campaign groups, and it came from a whistleblower who had to go outside of the system to effect change.

That alone should be grounds for far more than embarrassment – it should be grounds for wholesale change. The ECHR has said oversight and safeguards are inadequate and must be re-examined. That our regulators and MPs have overseen this system and seen nothing wrong is proof of a wider malaise – and of a too cosy system that relies too much on trusting the agencies to do what they will.

This is to say nothing of a string of serious scandals – especially the Spycops case, in which undercover police had relationships and even children with members of activist groups – showing what happens when our security services are under-watched.

This lack of real oversight doesn’t just damage our civil liberties – it damages our safety. The UK’s civil liberties campaigners live in the same country as everyone else, want it to be safe from terrorism and serious crime, and respect the agencies for trying to do that. But any agency that doesn’t have adequate oversight is not just likely to overreach, it’s also likely to make mistakes that go unnoticed, or continue along bad strategies.

The UK should welcome this chance to improve security services and their oversight system, and go for real change, rather than a fig leaf difference hoping to game out the years until another legal challenge can come.

That seems vanishingly unlikely under Theresa May – who has expanded, rather than controlled, agency powers since this case was first brought – especially given the weakness of her government. But it’s a perfect opportunity for opposition parties, who could be on the cusp of government or coalition, to propose real reform. Will they seize it?