Thames House, Offices of MI5. Photo Credit: Wikimedia Commons

MI5 collected Privacy International’s private data and examined it

GCHQ, MI5, and MI6 unlawfully collected data relating to UK charity Privacy International

Privacy International has written to the UK's Home Secretary demanding action against spy agencies

Disclosures come less than a fortnight after UK laws on mass surveillance ruled unlawful at European Court of Human Rights

The UK's domestic-facing intelligence agency, MI5, today admitted that it captured and read Privacy International's private data as part of its Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD) programmes, which hoover up massive amounts of the public's data. In further startling legal disclosures, all three of the UK's primary intelligence agencies - GCHQ, MI5, and MI6 - also admitted that they unlawfully gathered data about Privacy International or its staff.

The intelligence agencies have repeatedly denied that their BPD and BCD programmes are tantamount to mass surveillance of people not suspected of any wrongdoing. Documents published today demonstrate that Privacy International, an international NGO, has been caught up in MI5's investigations because its data was part of the UK intelligence agencies vast databases.

These revelations came during the course of Privacy International's challenge to the BPD and BCD powers, which is currently pending before the Investigatory Powers Tribunal (IPT), a court which is set up to hear claims against the UK intelligence services. The IPT is required to inquire into any unlawful activity by the UK intelligence agencies, and to provide a summary of such activity to any claimant that comes before it.

Today's news comes in the wake of last week's judgment by the European Court of Human Rights which found another of the UK's mass surveillance programmes - the mass interception of internet communications - to be unlawful. A major aspect of the Court's criticism of the mass interception programmes was the lack of oversight and safeguards surrounding how the data is collected, searched, and accessed. Today's revelations highlight the danger that can arise from such a lack of safeguards, the absence of which has allowed an intelligence agency to extract data about a human rights charity from that massive trove.

As a result, Privacy International has today written to the UK's Home Secretary, Sajid Javid MP, to request urgent action. In particular, Privacy International is asking that he confirms what changes will be made to the Investigatory Powers Act (more commonly known as the Snoopers' Charter) provisions as a result of last week's ECHR judgment. Privacy International is also calling on MI5 to provide a full explanation of the circumstances behind their surveillance of Privacy International.

Caroline Wilson Palow, General Counsel Privacy International said:

"Today's revelations are troubling for a whole host of reasons. The UK intelligence agencies' bulk collection of communications data and personal data has been shown to be as vast we have always imagined - it sweeps in almost everyone, including human rights organisations like Privacy International.

“Not only was Privacy International caught up in the surveillance dragnet, its data was actually examined by agents from the UK's domestic-facing intelligence agency - MI5. We do not know why MI5 reviewed Privacy International's data, but the fact that it happened at all should raise serious questions for all of us. Should a domestic intelligence agency charged with protecting national security be spying on a human rights organisation based in London? Shouldn't such spying, if permitted at all, be subject to the strictest of safeguards? In an era when human rights and democracy are under threat all over the world, the UK should demonstrate leadership by protecting human rights defenders.

“Privacy International therefore urges the UK government to critically examine its mass surveillance powers, as enshrined in the Investigatory Powers Act 2016. They have now been called into question twice in two weeks - by today's revelations and by last week's judgment from the European Court of Human Rights. The UK should be a beacon of light in a world where democracy is under threat. Its refusal to curtail the mass surveillance powers of its intelligence agencies casts a shadow over all of us."

- ENDS -

Privacy International press office on 020 3422 4321 / press@privacyinternational.org

Notes to Editors

Background to the case

https://privacyinternational.org/sites/default/files/2018-03/A1.%20Claimant%27s%20re-amended%20statement%20of%20grounds.pdf The challenge to the acquisition, use, retention, disclosure, storage and deletion of ‘Bulk Personal Datasets’ (BPDs) and Bulk Communications Data (BCDs) by the UK Intelligence Agencies was commenced by Privacy International on 8 June 2015.

The existence of the BPD and BCD regimes was initially secret.

The BPD regime was first publicly acknowledged in March 2015, and the BCD regime in November 2015.

Until this case, there was very little public knowledge that GCHQ was gathering information about all of us through a wide range of databases that they requisition from a wide range of telecommunications operators, companies and public bodies.

https://privacyinternational.org/sites/default/files/2018-03/Privacy%20International%20v%20Secretary%20of%20State%20for%20Foreign%20And%20Commonwealth%20Affairs%20%26%20Ors%20%28Rev%202%29%20%5B2016%5D_0.pdf In October 2016 the Investigatory Powers Tribunal held that the Intelligence Agencies had breached the right to privacy enshrined in Article 8(2) of the European Convention of Human Rights in respect of both the BPD and BCD regimes, from their commencement over a decade earlier, until their public avowal in 2015. The Tribunal held that, during this period, there was not sufficient foreseeability or accessibility of the existence of the BPD and BCD regimes, nor of the nature of controls over them; in consequence, the regimes could not be said to be “in accordance with the law.”

A number of outstanding issues remained to be addressed at subsequent hearings between June 2017 and July 2018.

https://privacyinternational.org/sites/default/files/2018-03/IPT%20BULK%20DATA%20ORDER%20FOR%20REFERENCE%20TO%20CJEU.pdf) https://privacyinternational.org/feature/1695/bpdbcd-reference-cjeu-october-2017 The June 2017 hearing (concerned whether the regimes were in compliance with EU law. On this matter, on 8 September 2017, the Investigatory Powers Tribunal decided to refer questions to the Court of Justice of the European Union concerning the collection of BCD by the Security Intelligence Agencies from mobile network operators:

https://privacyinternational.org/press-release/1641/press-notice-unprecedented-opportunity-pi-cross-examine-gchq-open-court In the course of proceedings, it was revealed that a GCHQ witness statement contained serious errors. As a result, PI had the unprecedented opportunity to cross examine a GCHQ witness in open court.

https://www.ipt-uk.com/judgments.asp?id=45 On 23 July 2018, the Investigatory Powers Tribunal held that successive Foreign Secretaries wrongly gave GCHQ unfettered discretion to collect vast quantities of BCD from telecommunications companies and as a result the BCD regime was not 'in accordance with law' as required under Article 8(2) ECHR until 14 October 2016.

Whether and what determination the Investigatory Powers Tribunal will make in relation to the intelligence agencies' holdings of PI data is the subject of the hearing today.

All disclosure and documents can be found here: https://privacyinternational.org/legal-action/bulk-personal-datasets-bulk-communications-data-challenge. Today's disclosures can be found here: https://privacyinternational.org/legal-case-files/2282/n-bpdbcd-september-2018-hearing-bundle.

About Privacy International

Privacy International (PI) is a registered charity that works at the intersection of modern technologies and rights. PI is based in London and works internationally.

We shine a light on overreaching state and corporate surveillance, with a focus on the sophisticated technologies and weak laws that enable serious incursions into privacy. We investigate, litigate, advocate, and educate, all with one aim - for people everywhere to have greater security and freedom through greater personal privacy.

We work with experts all over the world to build the global privacy movement.