The UK’s domestic-facing intelligence agency MI5 – the Security Service – has admitted that it captured and read registered charity Privacy International’s private data as part of its Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD) programmes, which hoover up massive amounts of the public’s data. In further startling legal disclosures, all three of the UK’s primary intelligence agencies – namely MI5, MI6 and GCHQ – also admitted that they unlawfully gathered data about Privacy International or its staff.
According to Privacy International, the intelligence agencies have repeatedly denied that their BPD and BCD programmes are tantamount to mass surveillance of people not suspected of any wrongdoing. Documents published today, however, demonstrate that Privacy International, an international NGO, has been caught up in MI5’s investigations because its data was part of the UK intelligence agencies’ own vast databases.
These revelations came during the course of Privacy International’s challenge to the BPD and BCD powers, which is currently pending before the Investigatory Powers Tribunal (IPT), a court which is set up to hear claims against the UK’s intelligence services. The IPT is required to inquire into any unlawful activity by the UK intelligence agencies, and to provide a summary of such activity to any claimant that comes before it.
Judgement by the ECHR
Today’s news comes in the wake of last week’s judgement by the European Court of Human Rights (ECHR), as reported by Risk Xtra, which found another of the UK’s mass surveillance programmes – the mass interception of Internet communications – to be unlawful. A major aspect of the ECHR’s criticism of the mass interception programmes was the lack of oversight and safeguards surrounding how the data is collected, searched and accessed. The new revelations highlight the danger that can arise from such a lack of safeguards, the absence of which has allowed an intelligence agency to extract data about a Human Rights charity from that massive trove.
As a result, Privacy International has written to the Home Secretary, Sajid Javid, to request that urgent action is taken. In particular, Privacy International is asking that Javid confirms what changes will be made to the Investigatory Powers Act (more commonly known as the Snoopers’ Charter) provisions as a result of last week’s ECHR judgement. Privacy International is also calling on MI5 to provide a full explanation of the circumstances behind its surveillance of the organisation.
Caroline Wilson Palow, General Counsel for Privacy International, said: “Today’s revelations are troubling for a whole host of reasons. The UK intelligence agencies’ bulk collection of communications data and personal data has been shown to be as vast we have always imagined. It sweeps in almost everyone, including Human Rights organisations like Privacy International. Not only was Privacy International caught up in the surveillance dragnet, but its data was actually examined by agents from the UK’s domestic-facing intelligence agency MI5. We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us.”
Wilson Palow continued: “Should a domestic intelligence agency charged with protecting national security be spying on a Human Rights organisation based in London? Shouldn’t such spying, if permitted at all, be subject to the strictest of safeguards? In an era when Human Rights and democracy are under threat all over the world, the UK should demonstrate leadership by protecting its defenders.”
In conclusion, Wilson Calow stated: “Privacy International urges the Government to critically examine its mass surveillance powers as enshrined in the Investigatory Powers Act 2016. They have now been called into question twice in two weeks, by today’s revelations and by last week’s judgement at the European Court. The UK should be a beacon of light in a world where democracy is under threat. Its refusal to curtail the mass surveillance powers of its intelligence agencies casts a shadow over us all.”
Background to the case
The challenge to the acquisition, use, retention, disclosure, storage and deletion of ‘Bulk Personal Datasets’ (BPDs) and Bulk Communications Data (BCDs) by the UK intelligence agencies was commenced by Privacy International on 8 June 2015 (https://privacyinternational.org/sites/default/files/2018-03/A1.%20Claimant%27s%20re-amended%20statement%20of%20grounds.pdf).
The existence of the BPD and BCD regimes was initially secret. The BPD regime was first publicly acknowledged in March 2015, and the BCD regime in November 2015. Until this case, there was very little public knowledge that GCHQ was gathering information about all citizens through a wide range of databases requisitioned from a wide range of telecommunications operators, companies and public bodies.
In October 2016, the Investigatory Powers Tribunal held that the intelligence agencies had breached the right to privacy enshrined in Article 8(2) of the European Convention of Human Rights in respect of both the BPD and BCD regimes, from their commencement over a decade earlier until their public avowal in 2015. The Tribunal held that, during this period, there was not sufficient foreseeability’ or accessibility of the existence of the BPD and BCD regimes, nor of the nature of controls over them. In consequence, the regimes could not be said to be “in accordance with the law.” (https://privacyinternational.org/sites/default/files/2018-03/Privacy%20International%20v%20Secretary%20of%20State%20for%20Foreign%20And%20Commonwealth%20Affairs%20%26%20Ors%20%28Rev%202%29%20%5B2016%5D_0.pdf)
Outstanding issues to be addressed
A number of outstanding issues remained to be addressed at subsequent hearings between June 2017 and July 2018. The June 2017 hearing (https://privacyinternational.org/sites/default/files/2018-03/IPT%20BULK%20DATA%20ORDER%20FOR%20REFERENCE%20TO%20CJEU.pdf) concerned whether the regimes were in compliance with EU law. On this matter, on 8 September last year, the Investigatory Powers Tribunal decided to refer questions to the Court of Justice of the European Union concerning the collection of BCD by the security intelligence agencies from mobile network operators (https://privacyinternational.org/feature/1695/bpdbcd-reference-cjeu-october-2017).
In the course of proceedings, it was revealed that a GCHQ witness statement contained serious errors. As a result, Privacy International had the unprecedented opportunity to cross-examine a GCHQ witness in open court (https://privacyinternational.org/press-release/1641/press-notice-unprecedented-opportunity-pi-cross-examine-gchq-open-court).
On 23 July this year, the Investigatory Powers Tribunal held that successive Foreign Secretaries wrongly gave GCHQ unfettered discretion to collect vast quantities of BCD from telecommunications companies and, as a result, the BCD regime was not ‘in accordance with the law’ as required under Article 8(2) ECHR until 14 October 2016 (https://www.ipt-uk.com/judgments.asp?id=45).
Whether and what determination the Investigatory Powers Tribunal will make in relation to the intelligence agencies’ holdings of Privacy International’s data is the subject of the current hearing.
*All disclosures and documents can be found at https://privacyinternational.org/legal-action/bulk-personal-datasets-bulk-communications-data-challenge