GCHQ’s mass data collection practices breached human rights law, European court rules

The European court of human rights (ECHR) has ruled GCHQ's mass surveillance programmes violated privacy rights, and lacked the necessary safeguards to ensure collected data was protected.

Judges ruled the agency breached Articles 8 and 10 of the European Convention on Human Rights (ECHR), concerning privacy and freedom of expression respectively, in its data collection methods disclosed by Edward Snowden in 2013.

"This landmark judgment confirming that the UK's mass spying breached fundamental rights vindicates Mr Snowden's courageous whistle-blowing and the tireless work of Big Brother Watch and others in our pursuit for justice," said Big Brother Watch director Silkie Carlo.

"Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public."

The landmark case, brought by several rights groups including Big Brother Watch, Liberty and Amnesty International, considered three aspects of surveillance: intelligence sharing, obtaining communications data from service providers, and bulk interception of communications.

While the latter two aspects were found to represent a violation of human rights law, judges ruled intelligence sharing with foreign governments did not contravene either Article 8 or Article 10 of the ECHR.

While bulk data collection did not in itself violate the ECHR, according to the judgement, the practice of obtaining communications data from service providers via interception was not in accordance with the law, and therefore was in violation of Article 8.

While representing the privacy rights set out in Article 8, the practice also violated Article 10, freedom of expression, "as there were insufficient safeguards in respect of confidential journalistic material".

The ECHR also concluded there was a "lack of oversight of the entire selection process" and that safeguards were not "sufficiently robust to provide adequate guarantees against abuse".

"The Court has put down a marker that the UK government does not have a free hand with the public's communications and that in several key respects the UK's laws and surveillance practices have failed," said Dan Carey, who represented the applicants in the ECHR.

"In particular, there needs to be much greater control over the search terms that the government is using to sift our communications. The pressure of this litigation has already contributed to some reforms in the UK and this judgment will require the UK government to look again at its practices in this most critical of areas."

The Strasbourg-based court wrapped three separate challenges being made against the UK into one ruling, which was marked by an initial hearing in November 2017. Its final decision represents the most significant challenge to the government's intelligence gathering practices made to date.

The UK government has maintained its mass data collection practices, as revealed in the Edward Snowden leaks, are necessary to fight extremism.

But its Investigatory Powers Act 2016 which legalised many of these practices under domestic law was found to have violated European law in a UK High Court ruling earlier this year. The court gave ministers until 1 November 2018 to make changes to the legislation.

"The Investigatory Powers Act 2016 replaced large parts of the Regulation of Investigatory Powers Act (RIPA) which was the subject of this challenge," a government spokesperson told IT Pro. "This includes the introduction of a double lock' which requires warrants for the use of these powers to be authorised by a Secretary of State and approved by a judge.

"An Investigatory Powers Commissioner has also been created to ensure robust independent oversight of how these powers are used. The Government will give careful consideration to the Court's findings."