For nearly two decades, British spies unlawfully maintained vast troves of people’s private data without adequate safeguards against misuse, a tribunal of senior judges has ruled.

Between 1998 and 2005, electronic surveillance agency Government Communications Headquarters and domestic spy agency MI5 began secretly harvesting “bulk personal datasets” containing millions of records about people’s phone calls, travel habits, internet activity, and financial transactions.

On Monday, the Investigatory Powers Tribunal, a special court that handles complaints related to British spy agencies, found that access to the datasets had not been subject to sufficient supervision over a 17-year period between 1998 and November 2015. The tribunal said that due to “failings in the system of oversight” the surveillance regime had violated Article 8 of the European Convention on Human Rights, which protects the right to privacy.

The case was brought in June 2015 by the London-based human rights group Privacy International, which challenged the legality of the surveillance after the British government publicly admitted using an obscure provision of the 1984 Telecommunications Act to harvest the data.

“Today’s judgment is a long overdue indictment of U.K. surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale,” said Millie Graham Wood, legal officer at Privacy International. “It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”

While the tribunal found that the mass collection of data lacked adequate oversight, it did not rule that the surveillance itself was illegal. The judgment found in favor of the government on that front, stating that the use of the Telecommunications Act to harvest the bulk datasets was lawful.

A spokesperson for the U.K. government said in a statement: “The powers available to the security and intelligence agencies play a vital role in protecting the U.K. and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.”

According to documents that were released earlier this year, the bulk datasets can cover a wide variety of information, potentially revealing details such as people’s political opinions, religious beliefs, union affiliation, physical or mental health status, sexual preferences, biometric data, and spending habits. They may also contain data revealing legally privileged information and journalists’ confidential sources. And the spy agencies have acknowledged that “medical data may appear” in some of the data troves, too, though they claim they do not explicitly harvest people’s medical records.

Government officials often argue that mass collection of data is not, on its face, a violation of privacy, and that privacy is not breached until individual communications are looked at or analyzed by humans.

Notably, the tribunal’s ruling on Monday disagreed with that notion, stating that the privacy protections contained in the European Convention on Human Rights are “engaged by the transfer and storage of communications data even if it is not accessed.” This principle may turn out to be important in a separate case that remains ongoing in the European Court of Human Rights, which is expected to look more closely at the legality of the U.K.’s mass surveillance programs.