British spy agencies broke privacy rules by secretly and illegally collecting massive amounts of UK citizens’ confidential personal information for more than 10 years, top judges have ruled.

Responding to a complaint brought by Privacy International, the Investigatory Powers Tribunal (IPT) has ruled that the collection of bulk personal data – conducted by GCHQ, MI5 and MI6 between 1998 and 2015 – was unlawful.

Read more

It ruled that surveillance of individuals’ phone and web use had been taking place without adequate safeguards or supervision for more than a decade.

It also says some instances of data collection were in breach of Article 8 of the European Convention on Human Rights (ECHR), which ensures all citizens have the right to a private life and that any interference with personal data must be lawful and necessary.

Its collection of ‘Bulk Communications Data’ (BCD) and ‘Bulk Personal Datasets’ (BPD) by the agencies “failed to comply” with ECHR protections until codes of practices were put in place in 2015, the tribunal added.

BCD consists of the ‘where, when and what’ of messages sent to individuals. BDP allows officials to collect information that could cover health, tax and electoral information.

“While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets,” the court documents state.

The tribunal revealed the collection of financial data was also of particular concern.

“The fact that [MI5] holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk.

“Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate.”

The tribunal also reveals internal warnings to the staff of security agencies not to use databases to search for information “about other members of staff, neighbours, friends, acquaintances, family members and public figures.”

Read more

Privacy International’s legal officer Millie Graham Wood said the ruling was “a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale.”

Privacy International added that the judgment did not specify whether the unlawfully obtained and sensitive personal data would now be deleted.

Commenting on the ruling, the Home Office said: “The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens.

“We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.

“Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies.”