
The UK's security services, including GCHQ, MI5 and MI6, have been unlawfully collecting and using mass datasets of personal information for more than 10 years.

The Investigatory Powers Tribunal has ruled in a judgement published online that the bodies had been collecting data without safeguards or supervision.



The agencies' 'Bulk Communications Data' (BCD) and 'Bulk Personal Datasets' (BPD) regimes did not comply with the right to privacy (Article 8) in the European Convention on Human Rights. The two schemes "failed to comply" with the ECHR protections until they were admitted and codes of practice were put in place in 2015, the tribunal added.


BCD consists of the 'where, when and what' of messages sent between individuals. BPD allow officials to collect mass datasets that could cover health, tax, and electoral information. Both types of datasets have been used as part of criminal investigations, but have been criticised by privacy advocates for being overly intrusive.

The tribunal added that the massive datasets (BPD) "include considerable volumes of data about biographical details, commercial and financial activities, communications and travel".


"While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets," the court documents state. BPD are used by GCHQ, MI5 and MI6; BCD is only obtained and used by GCHQ and MI5.

Privacy International, a civil liberties group which took the action to court, said the ruling was "highly significant" and it confirmed the bodies were "secretly spying on a massive scale".

When Theresa May, as Home Secretary, introduced the controversial Investigatory Powers Bill – to reform the UK's surveillance laws – in November 2015, it was admitted that the bodies used Section 94 of the Telecommunications Act 1984 to collect data under both the BCD and BPD regimes. The tribunal said a number of opportunities to admit to this before 2015 had not been taken.


The powers put in place in 2015 were deemed lawful by the tribunal. However, it is not known what will happen to data collected under the unlawful regimes.

"In any event it seems difficult to conclude that the use of BCD was foreseeable by the public, when it was not explained to Parliament; and several opportunities arose when legislation or Codes of Practice were being introduced or amended," the tribunal said. It drew particular attention to the passing of S.80 of RIPA in 2000.

The court's ruling comes as the government's Investigatory Powers Bill (IP Bill) is in the final stages of becoming law – it has passed through the House of Commons and is currently being debated by the House of Lords. The Bill has been heavily criticised by numerous committees and officials.


Powers in the IP Bill include bulk collection of data, the ability to remotely hack mobile phones and computers, and the storing of website history. This is the first time these powers have been specifically written into law.

In response to the ruling, a government spokesperson said the powers were needed to protect UK citizens. "We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes," the spokesperson said.

"Through the Investigatory Powers Bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies."