GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment.
But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal.
It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations.
The long-awaited ruling is one of the most comprehensive assessments by the ECHR of the legality of the interception operations operated by UK intelligence agencies.
The claims, which had already been heard by the UK’s investigatory powers tribunal, were brought by a coalition of 14 human rights groups, privacy organisations and journalists, including Amnesty International, Liberty, Privacy International and Big Brother Watch.
The judges considered three aspects of digital surveillance: bulk interception of communications, intelligence sharing and obtaining of communications data from communications service providers.
By a majority of five to two votes, the Strasbourg judges found that GCHQ’s bulk interception regime violated article 8 of the European convention on human rights, which guarantees privacy, because there was said to be insufficient safeguards and rules governing the selection of “related communications data” were deemed to be inadequate.
The regime for sharing intelligence with foreign governments operated by the UK government did not, however, violate either article 8 or article 10.
The legal challenge was triggered by revelations made by Snowden in 2013 which showed that that GCHQ, the UK’s Government Communications Headquarters, was secretly intercepting, processing and storing data about millions of people’s private communications, even when those people were of no intelligence interest. One of the operations was called Tempora, in which GCHQ was tapping into the cables and communication networks on the internet to obtain huge volumes of data
“The United Kingdom authorities have neither confirmed nor denied the existence of an operation codenamed Tempora,” the ECHR judgment notes.
The case concerned the interception regime previously operated by GCHQ. New regulations are in the process of coming into force under the the Investigatory Powers Act 2016. The Strasbourg court did not examine the new legislation.
In accompanying notes to the main judgment, which runs to more than 500 paragraphs, the court said it recognised the severity of the threats of terrorism, online sexual abuse and other crimes faced by European states. Advancements in technology had made it easier for terrorists and criminals to evade detection on the internet, the judges acknowledged.
Bulk interception regimes can be legal if countries deem them to be necessary in the interests of national security but certain minimum safeguards are required.
Those safeguards include that the law must indicate “the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed”.