(London) – Reports that the United Kingdom’s intelligence agency has intercepted and collected vast amounts of Internet and phone data raise serious concerns that the government has breached the privacy rights of millions of people in the UK and elsewhere.

The government should explain to the public the scope and magnitude of the alleged surveillance by the Government Communications Headquarters (GCHQ) as well as the authority and limitations under which it is conducted, Human Rights Watch said. The government should also create a more robust and transparent oversight authority that reports to Parliament. This agency should be mandated to disclose as much information to the public as possible, consistent with the requirements of national security and public order.

“If these allegations are true, the British government has been snooping on millions of people inside and outside the country,” said Benjamin Ward, deputy director of the Europe and Central Asia division at Human Rights Watch. “We need clear answers from the government about the scale of its surveillance and an informed debate about how to strengthen privacy protections and oversight over this type of incursion into people’s lives.”

Information revealed by the Guardian on June 21, 2013 suggests that since 2011, GCHQ has been intercepting fibre-optic cables carrying Internet data in and out of the UK in an operation called “Tempora.” According to these reports, GCHQ has access to enormous amounts of the data traveling from North America to and through the UK to other countries and is sharing that data with the United States National Security Agency (NSA). This data is said to include recordings of phone calls, email content, and data on the use of websites and social media.

The Guardian reported that the UK intelligence agency has tapped more than 200 cables linking the UK to the global Internet. Intercepted content is stored for up to three days, and metadata, which for the Internet includes information identifying users, their locations, and their searches, for up to 30 days. According to the reports, hundreds of analysts for GCHQ and the NSA then filter through the data, searching for information of interest to them.

Because of the UK’s location, the majority of transatlantic Internet traffic may flow through the cables the government has access to, including traffic flowing to and from servers of major US-based Internet companies implicated in media reports relating to similar alleged programs operated by the NSA.

The allegations suggest that the legal framework in the UK that regulates such an interception and oversight mechanism is inadequate to protect against wholesale breaches of privacy rights, Human Rights Watch said.

“The UK government has a duty to protect national security and prevent crime,” Ward said. “But there is a big difference between taking steps that are necessary and proportionate to achieve those aims, and indiscriminately collecting and searching the communications of millions of people who are under no suspicion whatsoever.”

The government also needs to clarify how much data on people located outside British territory is being gathered and how it is being stored, used, or shared with third parties, particularly since the legal protections for such interception is weaker under UK law.

Justice Minister Sabine Leutheusser-Schnarrenberger of Germany wrote to the British government on June 25 asking to what extent the program targeted German citizens, and called for the issue to be discussed at the European Union level.On June 26, Viviane Reding, the EU commissioner for justice, fundamental rights and citizenship, said she had asked Foreign Secretary William Hague for clarifications, stressing that if the allegations are true, they could have a serious impact on the rights of individuals in the EU.

Hague has defended intelligence sharing between the UK and the US, saying that in both countries intelligence work operates under the rule of law. “In some countries secret intelligence is used to control their people – in ours it only exists to protect their freedoms,” he said. In a statement to the UK Parliament on June 10, he said he would “not be drawn into confirming or denying any aspect of leaked information,” referring to the “policy of successive British Governments not to comment on the detail of intelligence operations.”

“It’s completely unreasonable for the UK foreign secretary to try to close down debate by saying he will notcomment on intelligence operations,” Ward said. “Ordinary people in the UK and people in other countries who may have been targeted – people with no conceivable involvement in crime or terrorism – have a right to know whether their privacy has been violated.”

GCHQ appears to have been acting under the Regulation of Investigatory Powers Act 2000 (RIPA). That law allows a senior government minister– a “secretary of state” in the UK– to issue a warrant at the request of a senior intelligence or police official. The warrant authorizes the interception of communications for which the sender or intended recipient is in the United Kingdom, if the secretary of state believes intercepting the information is necessary and proportionate.

The grounds for granting a warrant under the law are extremely broad. In addition to permitting a warrant if it is “necessary” in the interests of national security, the law permits a warrant if it is “necessary” for preventing or detecting serious crime or safeguarding the economic well-being of the United Kingdom.

Section 8(4) of the law also allows a senior government minister to issue a certificate that allows granting a warrant to intercept communications sent or received outside the “British Islands”– the UK, plus Jersey, Guernsey, and the Isle of Man– without specifying a named person or premises. The Guardian suggests that the foreign secretary has relied on that provision to justify intercepting fibre-optic communications since these cables carry traffic from abroad. In issuing the certificate, the secretary of state must confirm that the interception is “necessary” for a legitimate purpose under the law and provide a description of the material it is necessary to examine. However, it is unclear how specific the description contained in the certification must be.

In addition, because a significant portion of Internet traffic between two people in the UK may be routed abroad, such traffic could also be intercepted through the Tempora program under the lower standard for communication outside the UK.

Once the communications have been intercepted, RIPA provides very weak safeguards for the use of material that relates to people located outside the “British Islands.” Oversight under RIPA is neither transparent nor comprehensive. The interception of a communications commissioner has oversight of the government’s power to intercept, but the prime minister, not the parliament, appoints the commissioner. The commissioner examines a number of interception warrants after the fact and assesses whether they comply with the criteria of necessity and proportionality, but does not reveal how many warrants are inspected. The commissioner’s annual report– for which the prime minister must approve the content– suggests that the selection is largely made at random.

A person who believes one of the intelligence agencies has breached their right to privacy this way can file a complaint before the Investigatory Powers Tribunal, a judicial body. The tribunal can quash the interception warrant and order the records collected to be destroyed or award compensation. But if it doesn’t uphold the person’s claim, it doesn’t let the person know whether an interception took place, and the tribunal’s decisions cannot be challenged in court.

“In the 13 years since the UK’s law on intercepting communications was introduced, technology has evolved in ways that could never have been predicted back then,” Ward said. “The allegations of mass surveillance highlight the need to bring the law up to date.”

Under the European Convention on Human Rights, and the UK’s Human Rights Act, which incorporates the convention into domestic law, the UK must respect the right to private life. Any interference with this right must be “in accordance with the law,” “necessary in a democratic society,” and proportionate. The greater the potential impact on rights of the exercise of executive discretion, the greater the authorities’ duty to ensure there is adequate oversight to guard against abuse.

After the media disclosed information about GCHQ’s involvement in US secret surveillance programs, Hague told Parliament that warrants he and other senior ministers grant for GCHQ operations “are legally required to be necessary, proportionate and carefully targeted, and we judge them on that basis.” The revelations by the Guardian would appear to directly contradict this assertion.

If the government wants the British people to have confidence in the work of the intelligence agencies and in their “adherence to the law and democratic values,” it needs to give a clear explanation about these claims and about how the law is being applied, Human Rights Watch said.

Any new legislation should ensure that communications data is intercepted only in exceptional circumstances and that any decision authorizing such interception is subjected to independent scrutiny by a judicial authority. The law needs to be clear on what is authorized and for what purpose, and avoid broad categories such as “the interests of national security” or the economic well-being of the United Kingdom.

In a recent report, the UN special rapporteur on the right to freedom of expression and opinion, Frank La Rue, urged countries to regard communications surveillance as “a highly intrusive act that potentially interferes with the rights to freedom of expression and privacy and threatens the foundations of a democratic society.” He warned that “[i]nadequate national legal frameworks create a fertile ground for arbitrary and unlawful infringements of the right to privacy in communications and, consequently, also threaten the protection of the right to freedom of opinion and expression.”

The UK government is also a member of the Freedom Online Coalition, a group of governments that have “committed to collaborating to advance Internet freedom.”

“The UK’s moral credibility as a leader on Internet freedom is in peril unless it ensures that privacy is protected along with security,” Ward said. “The government should immediately provide a full account of these surveillance programs and rights safeguards.”