Statewatch News Online
Legal judgment finds successive foreign secretaries unlawfully gave GCHQ free rein to collect our data
Follow us: | | Tweet
Press release issued by Privacy International on 23 July 2018
The Investigatory Powers Tribunal (IPT) today (23rd July 2018), held that, for a sustained period, successive Foreign Secretaries wrongly gave GCHQ unfettered discretion to collect vast quantities of personal customer information from telecommunications companies.
The judgment exposes:
- the error-ridden and inconsistent evidence provided by GCHQ throughout the case;
- the willingness of telecommunications companies to secretly hand over customer data on the basis of mere verbal requests from GCHQ; and
- the inadequacies of the intelligence oversight regime in failing to identify this delegation of power.
Press release continued below
Judgment: Privacy International v Foreign Secretary, Home Secretary, GCHQ, MI5 and MI6 ( UKIPTrib IPT_15_110_CH, 23 July 2018, pdf)
Appendix 1: Open introduction to closed judgment (pdf)
Appendix 2: Handling Arrangements and other guidance in relation to sharing BPD/BCD [Bulk Personal Datasets/Bulk Communications Datasets] outside the SIA (security and intelligence agencies) (pdf)
Press release: continued
The judgment demonstrates the danger of relying heavily on closed hearings in which claimants such as Privacy International cannot see or challenge evidence presented by the government. It was only after sustained and tenacious questioning by Privacy International that the government admitted the errors in the sworn testimony it had previously submitted to the IPT.
Substantial corrections were required to GCHQs own witness evidence, causing the government to change its position mid-case. The government had initially claimed that the Foreign Secretary had direct and full control over what data telecommunications companies had to provide to GCHQ. But upon further information coming to light, it instead argued that the Foreign Secretary could lawfully choose to delegate to GCHQ decisions about what data to acquire from telecommunication companies.
In todays judgment, the IPT stated that granting such unfettered discretion to GCHQ was an unlawful delegation of power from the Foreign Secretary.
The result of the judgment is that a decades worth of secret data capture has been held to be unlawful. The unlawfulness would have remained a secret but for Privacy Internationals work. The Tribunal rightly praised Privacy Internationals legal team for its dedication and valuable inquisitiveness, whilst also noting the constant necessity of both Privacy International and Counsel for the Tribunal to probe and consider fresh problems and lacunae.
The Tribunal considered the safeguards that GCHQ had put in place and concluded that by 4 November 2015 there was in substance no delegation of power from the Foreign Secretary. However, it considered that the unlawful drafting of the directions was only remedied by the revised directions made on 14 October 2016.
Key findings from the judgment:
Secret Section 94 directions
The IPT warned that In theory the agency could have used the general form of such directions to impose on the CSP [telecommunications company] a requirement to produce communications data which extended beyond the scope of any data requirement which had been sanctioned by the Foreign Secretary. In other words, GCHQ could have been able to use a Section 94 request (under the Telecommunications Act 1984) to make carte blanche requests from telecommunications companies.
Criticism of telecommunications companies
The judgment exposes the fact that telecommunications companies, who for decades accepted verbal requests for mass data sweeps, would not have been in any position to question the scope of the requirement communicated.
Sharing of data with foreign governments
On the issue of sharing data with foreign agencies, the ruling includes the first ever public dissent in an IPT judgment. In a 32 decision, with secret dissents, the majority of the IPT disappointingly found that the unregulated sharing of bulk data with foreign governments was compliant with Article 8 the right to privacy. The dissenters reasoning is unavailable because that portion of the judgment remains closed.
External contractors remote access to data held by GCHQ
While the IPT decided that the sharing of bulk data with industry partners was compliant with Article 8, GCHQ was criticised for failing to brief Sir Mark Waller, the former Intelligence Services Commissioner, on the fact that external contractors had remote access to data held by GCHQ. In relation to sharing bulk data with industry partners, the IPT expressed disappointment at inaccurate information provided in relation to the number of contractors with Privileged User accounts, an issue whose significance was highlighted by in witness evidence by Privacy International. The judgment records breaches by contractors identified by Sir Mark.
Millie Graham Wood, Solicitor, Privacy International said:
The history of the case is living proof of the dangers of closed hearings. Without sustained digging, the terms of the directions given to GCHQ to collect our personal data, and the cavalier manner in which it was done, would never have come to light.
The reality was that the unlawful data collection became plain only once we were given first sight of the orders, called directions, and learned that they were drafted so as to provide a broad power to GCHQ itself to decide what bulk data to request. This occurred only after the Tribunal has issued its first judgment in the case, which had found UK surveillance agencies had collected everyones communications data unlawfully for over a decade due to the secretive nature of the bulk data regime. Once the regime was exposed, it then took sustained digging to get to the real facts, including the extraordinary step of cross-examining a GCHQ witness about contradictory and incomplete evidence.
The Foreign Secretary was supposed to protect access to our data by personally authorising what is necessary and proportionate for telecommunications companies to provide to the agencies. The way that these directions were drafted risked nullifying that safeguard, by delegating that power to GCHQ a violation that went undetected by the system of Commissioners for years and was seemingly consented to by all of the telecommunications companies affected. It is proof positive of the inadequacy of the historic oversight system; the complicity of telecommunications companies who instead of checking if requests were lawful, just handed over customers personal data as long as their cooperation was kept secret; and the scale of the task facing the new Investigatory Powers Commissioner, Sir Adrian Fulford.
Media enquiries: email@example.com / 020 3422 4321
Search our database for more articles and information or subscribe to our mailing list for regular updates from Statewatch News Online.
Support our work by making a one-off or regular donation to help us continue to monitor the state and civil liberties in Europe.
We welcome contributions to News Online and comments on this website. E-mail us or send post to Statewatch c/o MayDay Rooms, 88 Fleet Street, London EC4Y 1DH.
Home | News Online | Journal | Observatories | Analyses | Database | SEMDOC | About Statewatch
© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.