Government Surveillance Regime Lacks Oversight

GCHQ, MI5 and MI6 are sharing mass personal data with minimal privacy safeguards, Privacy International has told a tribunal

The data-sharing practices of government surveillance agencies break privacy law and are not subject to sufficient oversight, a court has heard.

Privacy International, which is pursuing a legal action against the government’s surveillance regime, told the Investigatory Powers Tribunal (IPT) that the system of oversight established by the Regulation of Investigatory Powers (RIPA) Act in 2000 was a “blatant failure”.

No ‘legitimate intelligence interest’

Most of the UK citizens who are targeted for bulk data collection are not of “legitimate intelligence interest”, said Ben Jaffey QC for Privacy International, according to The Guardian.

GCHQ has said it requires foreign intelligence agencies and commercial partners to adopt privacy practices equivalent to its own when processing bulk data, but MI5 and MI6 do not make such requirements, Jaffey said.

“The effect will be the circumvention of the UK legal regimes,” he argued in Southwark crown court.

Even in the case of GCHQ, documents disclosed by Edward Snowden showed that the University of Bristol was given broad access to highly sensitive data, the group said.

That included access to GCHQ’s entire raw unselected datasets, including information on targets’ internet usage, telephone call logs, websites visited, online file transfers and other data.

‘Obvious’ risks

Jaffey said analysts at GCHQ were required to record their reasons for searching bulk datasets, but their statements were not seen by the oversight commissioners, who are usually retired judges.

“The risks associated with these activities are painfully obvious,” said Millie Graham Wood, a solicitor at Privacy International, outside the court.

Privacy International is challenging as illegal the government surveillance practices legitimised by RIPA and last year’s Investigatory Powers (IP) Act.

A separate challenge brought before the European Court of Justice (ECJ) resulted in a ruling in December that only the “targeted retention of that data solely for the purpose of fighting serious crime” was permissible.

The IPT said in June it was considering referring Privacy International’s case to the ECJ.

Regardless of its EU membership status, the UK may not be able to receive intelligence from other European countries unless its legal regime is aligned with theirs, the advocacy group argued.

Rules overhaul

The government earlier told the IPT the bulk collection of communications data is necessary due to the rise of encryption and in order to reduce the necessity of more intrusive techniques, such as the direct interception of transmissions.

The IPT, itself established under RIPA, hears cases regarding the legality of surveillance and complaints about the intelligence services.

Last week the government initiated a consultation around an overhaul of the rules governing the IPT, including adding a provision that would allow a right of appeal to the court’s decisions.

The right of appeal is expected to come into force by the end of the year.

Privacy International’s hearing continues.
