The Investigatory Powers Tribunal (IPT) has ruled that surveillance carried out on UK citizens by the Government Communications Headquarters (GCHQ) over a 17-year period was illegal.
Following a complaint raised by Privacy International, the Tribunal looked into bulk communications data (BCD) collection from March 1998 and bulk personal datasets (BPD) gathered from 2006 and ruled that in both cases GCHQ had stepped outside the law. In the case of BCD, which includes information on whom people were communicating with and when, but not the contents of said communications unless authorised by a court order, the Tribunal ruled that 'we are not satisfied that, particularly given the fragmented nature of the responsibility apparently shared between then Commissioners, there can be said to have been an adequate oversight of the BCD system;
' the Tribunal further ruled that it found 'no Codes of Practice relating to either BCD or BPD or anything approximating to them.
While the ruling appears as a victory for Privacy International, it doesn't spell an end to the activities of GCHQ: the Tribunal also ruled that changes to UK law mean that while BCD and BPD gathering has been illegal, both are now within the law since November 2015 and March 2015 respectively. In other words: GCHQ is free to carry on gathering data as though the ruling had not happened, and does not appear to be required to delete data gathered illegally from before these dates from its systems.
'Today’s judgement is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale,
' said Privacy International's legal officer Millie Graham Wood of the ruling. 'There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.
The ruling can be read in full on the Tribunal website
(PDF warning), while PI's analysis can be found on Medium