The U.K.'s spy agencies breached the European Convention on Human Rights for years by secretly collecting almost everything about British citizens' communications except their content, a U.K. court has ruled.
However, now that the U.K. government has admitted what it is doing, the collection is legal, the Investigatory Powers Tribunal ruled Monday.
It has yet to rule on the issue of proportionality, or whether the agencies' actions were reasonable given the threat they sought to counter.
Responding to a June 2015 complaint by campaign group Privacy International, the tribunal said the secret intelligence agencies had breached the ECHR for years because of the way they gathered bulk communications data (BCD) and bulk personal data (BPD).
The bulk communications data at issue included who contacted whom, when, where and with what equipment, who paid for the call, and how much they paid.
"Just about the only information not included is the content of communications," the tribunal said in its ruling. Legally collecting that content would have required an interception warrant.
In principle, the government may allow the intelligence agencies to collect communications data from network operators under a 1984 law, the tribunal ruled.
However, whether that collection was necessary and proportional is another matter: When the 1984 law was drafted, the tribunal noted, there were no mobile phones and no public internet. Subscriber information was for the most part published in printed directories, so all that network operators could have offered the Security Service and the then officially non-existent Government Communications Headquarters (GCHQ) was subscriber information for unlisted numbers, and call records, the tribunal noted.
The agencies also gathered bulk personal data, including passport databases, telephone directories, and banking records -- even though, the spy agencies acknowledged in a court filing, the majority of the people affected are unlikely to be of intelligence interest.
Rules for collection of bulk personal data are not defined in legislation, the tribunal noted. The bulk data gathering remained secret until March 2015, while the collection of bulk communication data was only admitted by the U.K. government in November 2015.
While it remained a secret, the collection of both types of data was in breach of the ECHR. After the government admitted what it was doing, and set out oversight rules and a code of practice for the data collection, it became "foreseeable," and so legal, as the citizens being spied on could foresee the consequences of their actions, the tribunal ruled.
Following the ruling, Privacy International legal officer Millie Graham Wood said the use of bulk communications data poses huge risks.
"It is unacceptable that it is only through litigation by a charity that we have learned the extent of these powers and how they are used," she said. She called for public confirmation that unlawfully obtained personal data will be destroyed.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.