Q&A: Our challenge with Liberty against MI5 and the Home Secretary (2023)

Achieved result

After a three-year legal battle, together with Liberty, we uncovered long-standing concealment of unlawful conduct and massive over-retention of data by MI5. This conduct was tolerated by the Home Secretary, who issued warrants unlawfully despite knowing about signs of MI5’s breaches. This case also revealed that MI5 breached its duty of candour to the IPT in a previous case by withholding crucial information that the agency should have disclosed. This calls the final decision of the IPT in that case into question.

We won our case against the UK’s Security Service (MI5) and the Secretary of State for the Home Department (SSHD). The Investigatory Powers Tribunal (IPT) – the judicial body responsible for monitoring the UK’s intelligence and security agencies – held that MI5 acted unlawfully by knowingly holding people’s personal data in systems that were in breach of core legal requirements. MI5 unlawfully retained huge amounts of personal data between 2014 and 2019. During that period, and as a result of these breaches, warrants issued by the SSHD (which authorised bulk data collection and targeted interception by MI5) were unlawful. This amounted to a breach of our right to privacy; it also impacts the privacy of millions of people whose data is handled within these systems.

On 30 January 2023, the IPT issued a decision in the case brought by Privacy International and Liberty against MI5 and the SSHD. Following on from our initial reaction, we answer some key questions about the judgment below.

Note: This post reflects our initial response to the judgment and may be updated.

Liberty and Privacy International v the Security Service and Secretary of State for the Home Department [2023] UKIPTribl IPT/20/01/CH.

What’s the ruling all about?

This case was about the limits on MI5’s power to retain and use personal and highly sensitive data about millions of people, as well as the consequences which must flow when MI5 breaches laws and safeguards that have been put in place by Parliament specifically to protect people’s fundamental rights.

The judgment is related to previous challenges we have brought against the UK’s intelligence and security agencies’ surveillance powers. In this case, alongside our co-applicants, Liberty, we were able to reveal and prove long-standing breaches of statutory obligations and, equally important, their cover-up by MI5 at the highest levels.

You can find out more by heading to our detailed case page about this challenge (Liberty and Privacy International v the Security Service and Secretary of State for the Home Department [2023] UKIPTribl IPT/20/01/CH).

What did the Tribunal decide?

In its judgment of 30 January 2023 the IPT found that:

  1. MI5 acted unlawfully by knowingly holding and handling people’s personal data in systems that were in breach of important legal requirements. Specifically, the Tribunal held that “from late 2014, there were serious failings in compliance with review, retention and deletion policies which required urgent action to be taken by the Management Board of MI5” (§§66, 79, and 160). Despite knowing about issues with non-compliance, at the most senior level, MI5 made a positive decision not to report its non-compliance to oversight bodies (§§82, 135, and 147).
  2. The warrants, authorisations, and directions which had been issued by the SSHD permitting MI5 to obtain personal data and process it in certain “technical environments” between late 2014 and April 2019 were unlawful. The warrants did not meet the safeguarding requirements imposed by the applicable legislation (that is, the Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 (IPA)). This was the result of MI5’s unlawful conduct and, at least from 2016, the Secretary of State’s failure to make adequate enquiries “as to whether the statutory safeguards…were being met” (§§125-126).

    “Given the reports of long-standing compliance risks, it was irrational of the SSHD to fail to make enquiries as to the scale and nature of the non-compliance.”
  3. Additionally, and relatedly, in its role as an oversight body, the SSHD and Home Office failed to make adequate enquiries as to the longstanding compliance risks which had been reported to the Home Office on several occasions (§107).
  4. Given that the warrants that MI5 used to interfere with people’s right to privacy and collect personal and sensitive data were unlawful, MI5’s surveillance activities were not undertaken “in accordance with the law” as required by Article 8 of the European Convention on Human Rights. Therefore, this unlawfulness amounted to a breach of our fundamental right to privacy (§§138-139).
  5. MI5’s failure to disclose its non-compliance in the course of previous litigation amounted to a breach of its duty of candour. That means that, in the course of a separate case PI brought, which challenged MI5’s mass surveillance powers, MI5 failed to disclose evidence that it was under an obligation to disclose.
  6. MI5 had a duty to provide “full and frank disclosure” to the SSHD when applying for warrants to carry out surveillance activities which require warrants or authorisation (§§134-135).

What exactly was MI5 doing wrong?

The judgment found that MI5 failed to comply with requirements related to proper retention, review and disposal (RRD) of the personal data of millions of people (in accordance with the IPA 2016 and RIPA 2000). These failures occurred within specific technology environments used by MI5, code-named “TE” and “TE2 Areas 1 and 2” (see below for more on what the TE is). In other words, MI5 had two seemingly core systems which should have had, but did not have, automatic deletion, resulting in the unlawful retention of very large amounts of data, including that harvested using bulk powers.

The judgment was clear in finding that “MI5 had not been forthcoming on the nature, scale and seriousness of the compliance risks referred to in meetings with the Home Office” (§104).

While the judgment found that MI5 had been in breach of its obligations since 2014, MI5 admitted only that, as early as 2016, the agency “was aware…of a very high risk that it was in breach of its statutory obligations” (§34). That is a full three years before MI5 reported its failings to its oversight bodies.

During the same period in which MI5 was found, in this case, to be in breach of its statutory obligations to implement review, retention and deletion safeguards (2014-2019), MI5 was a party to litigation brought by PI (Privacy International v Secretary of State for Foreign and Commonwealth Affairs and others IPT/15/110/CH). In the course of these proceedings, which took place in 2017, MI5 did not disclose documents or information related to these failures, even though MI5 was aware that these issues existed and that they were relevant to that case. As a result, the IPT in this case found that MI5 breached its duty of candour in those proceedings. The IPT invited PI to submit an application to reopen this case.

And what did the Home Office do wrong?

In summary, the SSHD failed to make adequate enquiries into the longstanding compliance risk which had been reported to the Home Office on several occasions. The IPT found that the Home Secretary had acted irrationally by failing to make these enquiries (§125) while still continuing to grant warrants and authorisations to MI5 to continue collecting personal data that may be handled in the relevant environments.

“The error in the approach of the Home Office was to accept the references to serious risks…as not having any consequences for MI5’s compliance with its statutory obligations. Statements in the form of risk factors could not be relied upon as excusing any actual compliance breaches.” (§106)

So what is MI5’s technical environment?

Based on the information that became public in the course of the case, we understand that the ‘technical environment’ is a system which holds a vast amount of intelligence material on potentially millions of people. We understand it to be a federated system which is used for data analysis, and the use of ‘technical environment’ suggests something more than simply a compilation of a few datasets or databases.

What sort of data are we talking about here?

The judgment relates to MI5’s handling of data held in specific ‘technology environments’ which store and analyse personal data that is obtained by MI5 through warrants and authorisations (§32). These systems held material obtained through targeted surveillance and interception, as well as data obtained from the use of bulk powers such as the acquisition of bulk communications data (BCD). Practically, what this means is that the data potentially includes everything from the content of intercepted communications to data which is obtained from targeted acquisitions of communications data from telecommunications systems (such as traffic data, location data, subscriber data, and any other data surrounding a communication).

As we’ve said before, communications data can yield information about contacts, as well as the who, what, when, and where of our communications. For example, communications data can reveal map searches, visited websites, location information, as well as information about every device connected to a network.

So is it all good news?

The IPT’s findings in this case represent a major win for the right to privacy, the importance of the rule of law and the accountability of agencies - such as MI5 - which have wide, sweeping statutory powers to interfere with our privacy.

At the same time, the IPT stopped short of finding that the safeguards contained in the UK’s IPA 2016 are ineffective in practice.

We argued - and still argue - that the fact that oversight bodies such as the Investigatory Powers Commissioner and the Home Office did not find out about MI5’s compliance failures until 2019, after they had been ongoing since (at least) 2016, illustrates that existing safeguards for the protection of our rights are not adequate or effective. In our view, they are therefore not compatible with the fundamental right to privacy. In summary, the safeguards currently in place have systematically failed to provide effective oversight and restraint to prevent unlawful interferences with people’s fundamental rights.

We are also disappointed that the IPT refused to grant further relief, including the quashing of warrants issued during the period of unlawful handling and the Home Office’s failed oversight, destruction of data, and damages. Effective oversight and accountability need to include concrete consequences when core safeguards are not followed. The government should take this into consideration during the ongoing review of the Investigatory Powers Act 2016.

How did we get here?

Back in 2015, during a critical political moment when the public was asking a lot of questions about the legal powers that the UK’s security and intelligence agencies (SIA) have to access our most personal and sensitive data, the SIAs publicly disclosed, for the first time, that they were acquiring, using, and sharing bulk data – this includes bulk personal datasets and bulk communications data.

The important thing about this type of “bulk” surveillance is that, by the SIA’s own admission, the majority of people whose data is caught in these bulk datasets are unlikely to be threats to national security. So, back in 2015, PI challenged the lawfulness of these powers.

In that case, the IPT found a violation of the law was ongoing up until the use and existence of these bulk surveillance powers was disclosed to the public. However, in relation to the period after this was disclosed, the Tribunal found that the UK SIA’s bulk surveillance powers were lawful under domestic law and in accordance with the European Convention, precisely because the safeguards that agencies like MI5 claimed they had in place and complied with were found to be adequate and effective to protect people’s fundamental right to privacy and protect against arbitrary or abusive use of the powers of bulk data collection.

So, when it came to light that, in fact, MI5 had not been complying with legal safeguards for handling personal and communications data which they collect and hold, we joined this challenge against MI5 and requested that the IPT re-open our case on bulk surveillance, on the basis that the Tribunal had been misled in relation to how MI5 implements safeguards for handling data.

Ok, so what happens next?

As part of this case, PI has an opportunity to submit an application to re-open our challenge related to how bulk personal datasets and bulk communications data are handled by MI5 and other security agencies.

Intelligence and investigation agencies can play a vital role in protecting the public from serious harm and threats to life. At the same time, it is a basic principle of democratic governance that the way in which intelligence agencies operate should be subjected to robust and effective safeguards and oversight. Litigation which challenges unlawful action by intelligence agencies is one way to ensure the public understands how these institutions are handling our personal and sensitive data. Our ability to take on these kinds of cases to uncover information that the public should know about depends on your support.

Nice. How can I help?

Having strong laws and technology which protect privacy is incredibly important, but the most important thing is that people are aware of the issues and are able to influence powerful companies and governments. You can read more about the case, how such surveillance works, and some of the issues it raises by checking out our long-read.

To keep up to date on the case and all our work, you can sign up to our mailing list - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!

As we are a charity with limited funds, any support you can give us through a donation would be most appreciated.

To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard!