The large-scale interception and collection of the public’s personal communications data by the UK’s Government Communications Headquarters (GCHQ) and the US’s National Security Agency (NSA) was unlawful, the UK’s secretive Investigatory Powers Tribunal ruled last week.

This is a seminal decision with international implications. The tribunal is the only British court with oversight powers over GCHQ, MI5 and MI6. Never before, in its 15 year history, has it upheld any challenge to the activities of these security agencies.

Whistleblower

The ruling, based entirely on evidence from documents released by whistleblower Edward Snowden, decreed that the sharing of data between GCHQ and the NSA, gathered from sweeping surveillance programmes called Prism and Upstream, was illegal prior to last December.

Prism is the programme that imported data from some of the world’s largest technology companies and their heavily-used internet and social media services, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.

Upstream accessed data in bulk from fibreoptic communications cables, including all the major undersea cables carrying almost all communications between ordinary citizens in Ireland.

Both these programmes have been in place for almost a decade.

The ruling, coming from a deeply conservative oversight body such as the tribunal, is a validation – if such still were needed – of the importance of the document releases from Snowden. Without those leaks, few knew such grotesque violations of the everyday personal privacy of entire national populations, were the norm.

The ruling raises numerous questions that must be addressed by British prime minister David Cameron, who argues that UK spy agencies have sufficient government oversight. Cameron, against all evidence to the contrary, has been vehement on this point from the start and remains a staunch defender of GCHQ.

Bizarrely, last week Downing Street (like GCHQ itself) claimed the ruling as a vindication of GCHQ, noting: “The overall judgment this morning is that the UK’s interception regime is fully lawful. That follows on from the court’s clear rejection of accusations of mass surveillance in their December judgment, and we welcome that.”

Surveillance

Actually, it was the opposite. The court ruled that nearly a decade of mass surveillance was unlawful. However, because during the tribunal case, GCHQ had been forced to reveal the rules governing its data-gathering, it decided that surveillance from January onwards – all of six weeks, set against a decade of such spying – was acceptable because the rules were now public.

Not so fast.

As James Welch, leader of UK civil rights group Liberty, one of the four groups that initiated the complaint to the tribunal, stated, “The intelligence services retain a largely unfettered power to rifle through millions of people’s private communications and the tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy. We disagree, and will be taking our fight to the European court of human rights.”

As other Snowden documents make clear, even the NSA was impressed by how much GCHQ can get away with, how little oversight exists, and how supportive the UK government is for activities that would be seen as clear violations of civil rights in every other democracy.

Not once since Snowden’s disclosures has the UK’s leadership questioned GCHQ’s activities or asked for accountability. This is in stark contrast to open public discussions, congressional debate and formal presidential involvement in the US.

Given recent rulings by the European Court of Justice and the European Court of Human Rights in surveillance, data protection and data retention cases, the UK’s chances of successfully defending GCHQ’s actions at EU level seem as thin on the ground as any convincing evidence that such surveillance is effective.

Frankly, following the tribunal ruling, it’s also difficult to see how the Irish Government can continue to avoid defending the privacy of its own citizens. It needs to take a public stance on years of GCHQ surveillance of Irish telecommunications cables.

There are further Irish implications from the ruling. Dara Murphy, the Minister of State with special responsibility for data protection, and Data Protection Commissioner Helen Dixon should be looking for answers on whether the data of Irish and EU citizens was siphoned to the NSA and GCHQ from the many Prism technology companies that have their European operations here, in violation of EU data protection laws.

In addition, the Minister and commissioner should be investigating whether Irish law enforcement was aware in any way of Prism or Upstream, or if they utilised data obtained from it.

Also, the (in)adequacy of the Irish Government’s data retention oversight regime – consisting of a judge offering a short annual report with little meaningful data (even the UK does better than this) – must be examined.

Surely it is time for an expert panel, not a single judge, to take a oversight role?

Ultimately, the ruling is yet another indication that all EU states need data protection advocacy positioned at ministerial level. Ireland has set an important precedent by appointing the first data protection minister. Whether the Government grants that role real power will be an indication of whether we are serious about data protection and privacy, or just posturing.