Orders to snoop on private data unlawful, tribunal finds
Directions for the collection of bulk communications data issued to the Government's GCHQ snooping agency over a period of more than a decade were unlawful, a tribunal has found.
Under security arrangements introduced after the 9/11 terror attacks in 2001, successive foreign secretaries have had the power to direct GCHQ to obtain data from communications companies.
But the Investigatory Powers Tribunal (IPT) found that in practice, this power was unlawfully delegated to the Cheltenham-based agency, allowing spies unfettered discretion on what data to demand.
The ruling came after a legal challenge by the charity Privacy International, which said it amounted to "proof positive" of the inadequacy of the oversight system formerly in place to safeguard personal privacy.
However, the IPT found that although many of the directions - including most of those made between 2001 and 2012 - were unlawful, in practice GCHQ's demands for data under the system were "clearly necessary in the interests of national security and proportionate".
The tribunal did not quash any of the directions made by successive foreign secretaries, and made no recommendations for further action on the issue.
"In theory the agency could have used the general form of such directions to impose on the CSP (communications services provider) a requirement to produce communications data which extended beyond the scope of any data requirement which had been sanctioned by the Foreign Secretary," the tribunal said in its judgment.
Phone and internet providers "would not be in any position to question the scope of the requirement communicated because the CSP would have no knowledge of the limited basis upon which the direction had been made".
But the IPT added: "In form, the general direction was a carte blanche. In practice, it was not treated as such and there is no evidence that GCHQ ever sought to obtain communications data which fell outside the scope of data which had been sought in the submission to the Foreign Secretary."
The tribunal unanimously ruled against challenges to the Government's procedures for sharing bulk data with law enforcement agencies and industry partners.
But it was split 3-2 in its rejection of Privacy International's challenge to the regime for sharing such information with foreign agencies.
Privacy International said that its questioning had forced GCHQ to make "substantial corrections" to its evidence and led to the "extraordinary" step of one of the agency's officials being cross-examined over "contradictory and incomplete evidence".
Privacy International solicitor Millie Graham Wood said: "The Foreign Secretary was supposed to protect access to our data by personally authorising what is necessary and proportionate for telecommunications companies to provide to the agencies.
"The way that these directions were drafted risked nullifying that safeguard, by delegating that power to GCHQ - a violation that went undetected by the system of commissioners for years and was seemingly consented to by all of the telecommunications companies affected.
"It is proof positive of the inadequacy of the historic oversight system; the complicity of telecommunications companies who instead of checking if requests were lawful, just handed over customers' personal data as long as their co-operation was kept secret; and the scale of the task facing the new Investigatory Powers Commissioner Sir Adrian Fulford."
The tribunal found that "most of the relevant directions made between 29 November 2001 and 7 November 2012 were not lawfully made", and that some of these remained in place for years afterwards.
But it said that a range of improvements had been made to the oversight of the system, with the effect that from at least 2014, "great care" was being taken to ensure the Foreign Secretary approved of any changes to the information being demanded from communications companies.
Any arbitrary use of directions was now "most unlikely" to escape scrutiny.