In a landmark ruling, the Investigatory Powers Tribunal has held that UK Intelligence Services, including MI5, MI6 and GCHQ, collected and used personal data in breach of Article 8 of the European Convention on Human Rights (ECHR), in some cases for up to 17 years.

The ruling was given in proceedings brought by the human rights organisation Privacy International and concerned:

  1. the collection and use of personal data by UK Security and Intelligence Agencies (SIAs) themselves. This was known as ‘Bulk Personal Datasets’ or ‘BPD’ and covered broad categories of data, including biographical, travel, communications and financial data. BPD was acquired and used by GCHQ, MI5 and MI6 pursuant to their general powers to obtain information in support of their functions under the Intelligence Services Act 1994 and the Security Service Act 1989; and
  2. the transfer of communications data, by telecommunications and internet service providers, to MI5 and GCHQ, as required by directions issued by the UK government under s94 of the Telecommunications Act 1984. This was known as ‘Bulk Communications Data’ or ‘BCD’. It included the “who, when and where” of both telephone and internet use, including the location of mobile and fixed line phones from which calls were made or received and the location of computers used to access the internet, but not the content of these communications.

Both BPD and BCD would be searched by the SIAs to discover details about “persons of intelligence interest”. Privacy International contended that the BPD and BCD regimes infringed Article 8 ECHR. Article 8 provides:

“Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

The UK government and the SIAs argued in response that the collection and use of personal data was lawful and essential for the protection of national security.

The Tribunal was satisfied that the legislation underpinning the collection and use of both BPD and BCD was lawful but held that Article 8 had been infringed because of the lack of adequate safeguards around this process. The Tribunal highlighted that there were no applicable codes of practice (or anything approximating to them), no statutory oversight and a “fragmented” system of independent Commissioners responsible for monitoring what the SIAs were doing. Furthermore, said the Tribunal, the public had no knowledge of what the SIAs were doing. Not even Parliament was aware, although several opportunities had arisen when it would have been possible to explain this to Parliament.

Accordingly, both the BPD and BCD regimes had not been Article 8 compliant up until 2015 when safeguards had been put in place. This meant that the BPD regime infringed Article 8 for around a decade and the BCD regime for up to 17 years. The Tribunal expressed reservations about whether transfers of BPD and BCD by SIAs to other bodies, such as foreign partners and UK Law Enforcement Agencies, were currently Article 8 compliant. In terms of compensation for affected individuals, the Tribunal said:

“It does not follow that a complainant who establishes that his or her complaint falls within the jurisdiction of this Tribunal… but who has no ground to believe that his or her data have been accessed and examined, would have an actionable personal complaint on the grounds that the BCD and BPD regimes under which such data were obtained and retained were, until [2015], non-compliant with Article 8 and therefore unlawful”.