Bulk interception of data: a breach of privacy
28 May 2021
The European Court of Human Rights has ruled that GCHQ’s methods of bulk interception of online communications (under RIPA2000) violated rights to privacy and freedom of expression.
The case came about following Edward Snowden’s whistleblowing in 2013, exposing the UK and USA’s bulk interception and sharing of intelligence (including GCHQ). The applicants’ complaints related to the scope and extent of interception of online communications; receipt of intelligence from foreign intelligence services; and the acquisition of communications data from Communication Service Providers.
The court commented that in relation to bulk interception, “safeguards are pivotal and yet elusive” in a world where digital communications means national borders are somewhat eroded. The court also considered that the degree of interference with individuals’ privacy increases as the process of data interception/examination progresses.
However, the court also recognised that operating a bulk interception regime continued to fall within a state’s margin of appreciation when used to identify threats to national security. A bulk interception regime was not, therefore, incompatible in principle with Article 8’s right to private life (contained within the European Convention on Human Rights)
Following a review of the regimes used by GCHQ pursuant to the Regulation of Investigatory Powers Act 2000 (RIPA) in force at the time of the complaints, the court stated that the bulk interception process “did not contain subject to end-to-end safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse”. This included a lack of independent authorisation outside of the UK government, and failure to include the categories of selectors in applying for a warrant. The court took the view that the use of every selector should be assessed and justified by reference to the principles of necessity and proportionality. These deficiencies also apply to communications data. Article 8 was therefore violated.
The court also assessed whether the right to freedom of expression (Article 10) had been violated and concluded there had been a similar violation (for the reasons above) for bulk interception and receipt of communications data.
No violations were found in relation to the receipt of intelligence by the UK intelligence services from their foreign counterpart services.
RIPA2000 has since been replaced by the Investigatory Powers Act in 2016, and the court’s assessment is based upon the legislation which applied at the time. However IPA 2016 is not without controversy (termed the Snooper’s Charter) and contains a number of similar provisions to its predecessor. The challenges to the IPA will now likely resume following a stay in proceedings pending the judgment of the European Court of Human Rights.
Although separate to the European Convention system, MEPs who sit in the EU’s parliament have recently requested the European Commission to revisit its adequacy decisions allowing personal data transfer between the UK and EU. The European Commission published two draft decisions in February this year, stating that the UK’s protections were ‘essentially’ equivalent to the EU’s standards (based on GDPR and the Law Enforcement Directive). If approved, these decisions would initially apply for a period of four years.
MEPs and critics have raised concerns, however, that the UK’s system of bulk interception is not aligned with EU rulings and could lead to indiscriminate access to personal data transferred into the UK (and by extension, potentially shared with the US National Security Agency). This is viewed as a risk to the privacy rights of EU citizens.
The European Court of Human Rights’ decision will likely be welcomed by those seeking revision of the adequacy decisions, but it should be noted that the decision relates to legislation which has been replaced. The principles of the judgment will therefore need to be assessed in light of the current legislation. However, it appears that the MEPs’ concerns have been acknowledged to some extent and it will be interesting to see how this affects the UK’s draft adequacy decisions.
The judgment is therefore likely to have ramifications on the UK’s handling of personal data under GDPR, the Law Enforcement Directive but also the UK’s application to become a part to the Comprehensive and Progress Trans-Pacific Partnership (CPTPP).
If you would like to discuss the details of this article further please contact Mark Gipson.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at May 2021.