A major court ruling on Thursday said that the UK had violated European law, serving as a victory to privacy advocates worldwide. The news comes days after five nations charged with global surveillance released a memo urging tech companies to use workarounds to internet encryption.
The Strasbourg-based European Court of Human Rights (ECHR) ruled Thursday that Britain’s Cheltenham-based surveillance bureau, the Government Communications Headquarters (GCHQ), had violated personal privacy laws.
The Big Brother Watch and Others v. the United Kingdom case concerned complaints lodged against GCHQ on the bulk interception of communications, intelligence sharing with foreign governments, and obtaining communications data from communications service providers, a press statement said.
The list of applicants involved 16 entities, including Big Brother Watch, The Bureau of Investigative Journalism, Amnesty International, the American Civil Liberties Union and many others.
The ECHR voted 5-2 in favour of the plaintiffs, stating that the bulk interception regime violated Article 8 of the ECHR, which guarantees the right to respect for private and family life.
It also said that there was “insufficient oversight” from both the selection service providers and “filtering, search and selection of intercepted communications for examination,” the court stated, also accusing GCHQ of improperly selecting “related communications data” for examination.
However the court said that the operation of bulk interception regimes “did not in and of itself violate the Convention,” but recognized that it needed to meet certain criteria via its case-law.
The court also voted 6-1 that the British spy agency’s bulk collection protocols violated Article 8, adding that both its bulk collection and methods of obtaining data from service providers also violated Article 10 because it failed to safeguard confidential material used by journalists. The court agreed that sharing data with foreign governments did not violate either articles.
The court also unanimously rejected complaints from a third group of applicants related to domestic procedures for “challenging secret surveillance measures,” citing Article 6, which guarantees the right to a fair trial and Article 14 prohibiting discrimination.
The Regulation of Investigatory Powers Act of 2000 contains the statutory basis for intercepting data and gathering data from service provider regimes, and the Investigatory Powers Act 2016 will “will make significant changes to both regimes”, the statement read.
However, the court did not consider the 2016 IPA provisions as the Act was not in force at the time.
The court also stated that this was not the first time it had ruled on cases involving bulk interception of data, referencing the June 2018 Centrum För Rättvisa v. Sweden case. Swedish authorities related to signals intelligence did not violate the European Convention on Human Rights (ECHR), a ECHR ruling concluded.
It also mentioned Weber and Saravia v. German and Liberty v. the United Kingdom, two landmark cases involving provisions in the G10 Act.
“However, Big Brother Watch is the first case in which the Court specifically considered the extent of the interference with a person’s private life that could result from the interception and examination of communications data (as opposed to content),” the court’s Q&A read.
The court case began after Edward Snowden, the former US National Security Agency contractor, blew the whistle on Britain’s infamous TEMPORA program, which allowed GCHQ to collect massive amounts of data using bearers, or underwater fiber optic cables used by service providers.
Snowden also exposed America’s the NSA’s data-collecting PRISM and Upstream programs, which US authorities claim was valid under the Foreign Intelligence Service Act (FISA).
The developments also come after the UK, US, Canada, Australia, and New Zealand-collectively called the ‘Five Eyes’-released a memo urging tech companies to use ‘backdoor’ technology to circumvent encryption protection in late August. “Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” the Australian Department of Home Affairs statement read.