In Wake Of USA Freedom Act, Privacy International Takes UK Spy Agencies To Court Over Bulk Domestic Spying

Privacy International today filed a legal complaint demanding an end to the bulk collection of phone records and harvesting of other databases, from millions of people who have no ties to terrorism, nor are suspected of any crime.

The complaint, filed in the UK’s Investigatory Powers Tribunal, is the first UK legal challenge to attack the UK Government Communications Headquarters' (GCHQ) use of “bulk personal datasets” equivalent of the US s.215 bulk phone records metadata program. The s.215 program run by the NSA, which has dominated the US surveillance reform debate since Edward Snowden revealed it, was curtailed just days ago with the passing of the USA Freedom Act.

Existence of the practice by GCHQ of acquiring large datasets has been recently confirmed by the Intelligence and Security Committee (ISC) report, “Privacy and Security: A modern and accountable legal framework”. 

The ISC does not reveal which datasets have been collected by GCHQ, but they are described as being "highly intrusive", containing "millions" of records, which are then "linked together." In a startling admission, the datasets were separately described as pertaining "to a wide range of individuals, the majority of whom are unlikely to be of intelligence interest."

There is no proper legal regime in place, with no restrictions on which datasets can be collected, how long they can be stored, or accessed. The acquisition and subsequent use of datasets is not authorised by a judge, or even a Minister. 

There are no legal penalties for misuse of this information, and abuse of the data has already happened with the ISC finding that agencies “had disciplined – or in some cases dismissed – staff for inappropriately accessing personal information held in these datasets.” It is not sufficient that misuse is dealt with by individual disciplinary measures. We need much stronger safeguards to prevent misuse occurring in the first place.

Phone records required to be held by telecommunications companies under the UK's Data Retention and Investigatory Powers Act (DRIPA), including the who, where and when of every phone call made in the UK are thought to have been collected by GCHQ in bulk. However similar powers could be used to target other databases including collecting medical records, travel records, financial records, in bulk. 

Eric King, Deputy Director of Privacy International said:

“Secretly ordering companies to hand over their records in bulk, to be data-mined at will, without independent sign off or oversight, is a loophole in the law the size of a double-decker bus. 

The use of these databases, some volunteered, some stolen, some obtained by bribery or coercion, has already been abused, and will continue to be, until the practice is overhauled, and proper protections put in place. 

That the practice started, and continues without a legal framework in place, smacks of an agency who sees itself as above the law. 

How can it be that the US is so much further ahead on this issue? With the USA Freedom Act now passed, the equivalent NSA power has now been curtailed before the debate this side of the pond has even begun. 

Bulk collection of data about millions of people who have no ties to terrorism, nor suspected of any crime is plainly wrong. That our government admits most of those in the databases are 'unlikely to be of intelligence value' but that the practice has been allowed to continue, shows just how off course we really are.”

An advanced copy of the legal filings can be downloaded here

====

Notes for editors:

This is a separate legal challenge to the claim made by Privacy International, alongside Liberty and Amnesty International, against GCHQ mass surveillance and intelligence sharing practices. Privacy International is currently awaiting a final judgement on those cases, and is pursuing a challenge in the European Court of Human Rights against decisions of 5 December 2014 and 6 February 2015.

This is also a separate challenge to the two complaints Privacy International assisted in filing challenging GCHQ’s widespread hacking. The two complaints, were filed on behalf of Privacy International and seven internet service and communications providers from around the world who are calling on the end for unlawful hacking.