The Security Service, MI5, faces legal action to force it to disclose details of its “unlawful” access and retention of intercepted communications data.

The case follows revelations that the spy agency misled senior judges when it applied for bulk surveillance warrants to access sensitive data, including records of the population’s phone calls, emails, location and browsing data.

Campaigning groups Privacy International and Liberty have asked the Investigatory Powers Tribunal to quash unlawful surveillance warrants, and to destroy all records of the public’s data that were improperly obtained or retained.

The non-governmental organisations (NGOs) are also seeking a declaration from the court that MI5’s data-handling arrangements amounted to systematic violation of the rights to privacy and freedom of expression under EU law and the European Convention on Human Rights.

Unlawful handling of surveillance data The latest legal challenge follows revelations that the intelligence agency handled surveillance data in an “undoubtedly unlawful manner”, and failed to inform surveillance watchdog the Investigatory Powers Commissioner’s Office (IPCO) of serious failures. Privacy International’s legal director, Caroline Wilson Palow, said that the government had promised robust safeguards under the Investigatory Powers Act – known as the Snooper’s Charter – to ensure that people’s confidential data was not misused, but had failed to deliver them. “For more than a decade, MI5 has been building massive datasets by systematically collecting our personal information. Such practices are a serious interference with our right to privacy and threaten democratic values. We were promised that robust safeguards were in place so that such data would never be abused, yet it turns out that those safeguards were in some cases illusory,” she said. MI5’s breaches were revealed in a series of heavily redacted documents, including correspondence between IPCO and the security service, the home secretary, and reports of inspections carried out by IPCO disclosed in court in 2019. They revealed that senior judges, known as judicial commissioners, issued warrants for bulk surveillance after MI5 wrongly briefed them that it was meeting the data-handling obligations required under the Investigatory Powers Act. The then Investigatory Powers Commissioner, Adrian Fulford, said it was impossible to reconcile MI5’s explanations of the handling arrangements to the judges “with what MI5 knew over a protracted period of time what was happening”. The documents revealed that MI5 failed to protect legally privileged material and other key safeguards, resulting in “serious compliance gaps”, said Fulford. A senior MI5 official told Fulford that personal data collected by MI5 might be stored in “ungoverned spaces”, and a review in 2016 found a “high likelihood” of discovering surveillance material when it should have been deleted. Fulford said that MI5 officials has used “misleading euphemism” to describe the failures. MI5’s historical lack of compliance was of “such gravity” that the IPCO “will need to be satisfied to a greater degree than usual that it is fit for purpose”, Fulford wrote.

MI5 delayed reporting breaches The documents show that MI5 delayed reporting failures to the IPCO. Staff at MI5 first discovered the agency was failing to meet compliance gaps in January 2016. MI5’s board did not become aware of the issue in January 2018 and did not report it to the IPCO until February 2019. “Without seeking to be emotive, I consider that MI5’s use of warranted data... is currently, in effect, in ‘special measures’,” Fulford wrote. ICPO sent a team of inspectors to MI5 for a week-long investigation after discovering the breaches. The then home secretary, Sajid Javid, first confirmed that MI5 had breached the Investigatory Powers Act in its handling and retention of data belonging to the public in a statement to Parliament in May 2019. Javid said the IPCO had concluded that there were serious compliance risks which required mitigation. “The commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner,” he wrote. The IPCO was due to give a response in its annual report. It has published an annual report for 2017, but has yet to publish reports for 2018 or 2019. Javid has commissioned an independent review to report back on what lessons could be learned for the future.