The British intelligence services have for years quietly claimed the right to collect so-called bulk personal datasets (BPDs) about people, most of whom may be innocent of any crime. The practice was only officially acknowledged in 2015, and last year’s Investigatory Powers Act was – for all its draconian elements – supposed to at least ensure proper authorization and safeguards for the use of these datasets.

Well. The latest revelations from the UK’s crusading Privacy International show not only that the GCHQ spy agency has been assembling databases of people’s social media data by gaining access to private companies’ own troves of data, but also that the agencies shared their databases with foreign governments and their law enforcement agencies – without the knowledge of the Investigatory Powers Commissioner, the supposed provider of oversight.

The revelation regarding the social media databases is new. What’s more, when the commissioner’s office (IPCO) found out thanks to Privacy International’s litigation, it delved into the issue and found that certain contractors are given “administrator” access to this wealth of information, without safeguards against misuse.

Privacy International has been suing the UK government for years over its surveillance. It won an important ruling last year from the Investigatory Powers Tribunal, which said that the British intelligence agencies had been breaking European human rights laws up until 2015 by failing to provide proper oversight for their bulk personal dataset and bulk communications data (BCD) schemes.

2015 is when – having been found out – the agencies instituted codes of practice to supposedly stay on the right side of the law. Now the privacy campaign group is litigating at the Investigatory Powers Tribunal to find out how legal the current arrangements really are.

Here’s what Privacy International solicitor Millie Graham Wood had to say on Tuesday:

“The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments. The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”

So, what sort of social media information are we talking about here? That’s hard to say with specificity, as all Privacy International has been able to uncover so far are broad categories such as “biographical details”, “travel data”, “commercial and financial activities” and “communications”. The sizes of the databases also remain mysterious for now, but the categories give a pretty good idea of what’s going on.

One of the documents published by Privacy International on Tuesday was an email from the president of the Investigatory Powers Tribunal to the head of IPCO, asking the commissioner’s office to clarify certain findings from its investigation into the datasets.

In particular, IPCO will need to answer the following questions raised by Privacy International in its case – “basic questions” that “do not appear to have been considered”:

“a) How many ‘failed searches’ take place, where data is accessed but no useful intelligence purpose is served? Have the Commissioners examined the failure rate?

b) Have the Commissioners considered how the ‘privacy footprint’ of the use of BPD and BCD could be improved, and less data accessed?

c) What technical understanding do the Commissioners and the Tribunal have of the search techniques and other data processing techniques carried out by the partners with whom data is shared? Are the searches and algorithms audited?

d) How are the Respondents’ artificial intelligence techniques (including, for example, the use of algorithms, ‘machine learning’ techniques, data mining techniques and automated decision making) audited, if at all?

e) What examination have the Commissioners made of profiling, where information from multiple datasets is aggregated, in order to build a comprehensive profile about individuals and their activities?”

What’s uncovered next could prove very interesting indeed, or at least tell us what “oversight” really means when it comes to the activities of British spooks.

Incidentally, Privacy International is also suing the government over its use of hacking. If you’d like to donate to support this fight, there’s a crowdfunding page for that.