After U.S. Freedom Act, U.K. Spy Agencies Face Fresh Legal Challenge Over Domestic Dragnets

Last week the U.S. Freedom Act was passed by the Senate — aka the first step in reforming the NSA’s surveillance programs since Edward Snowden’s revelations. The bill shifts bulk harvesting of Americans’ phone records to telephone companies, with government intelligence agencies then having to request access via FISA court.

In the wake of U.S. surveillance reform, civil liberty group Privacy International has filed a legal challenge to the GCHQ U.K. intelligence agency’s ongoing domestic bulk data collection — which includes telephone records of U.K. citizens and bulk harvesting of other datasets.

The legal complaint has been filed today in the IPT, the court that oversees GCHQ’s activities. Earlier this year the IPT ruled GCHQ had acted illegally in sharing data with the NSA, the first such ruling against U.K. intelligence agencies in the court’s 15 year history.

In its latest complaint, Privacy International asserts:

The regime governing the acquisition, use, retention, disclosure, storage and deletion
of Bulk Personal Datasets is not sufficiently accessible to the public, nor does it
contain adequate safeguards to provide proper protection against arbitrary conduct.
The context is that Bulk Personal Datasets contain information, which may be
extremely intrusive and sensitive, about very large numbers of people, the majority
of whom are of no legitimate intelligence interest whatsoever

It goes on to note that the existence and use of bulk datasets by U.K. intelligence agencies was only disclosed following a year-long U.K. parliamentary inquiry into domestic spy agencies’ operations — itself triggered by the Snowden revelations. And also points out there are currently no legal penalties for the misuse of this information. Yet the parliamentary committee revealed that all U.K. intelligence agencies have dealt with cases of inappropriate access of bulk datasets.

“There is no proper legal regime in place, with no restrictions on which datasets can be collected, how long they can be stored, or accessed. The acquisition and subsequent use of datasets is not authorised by a judge, or even a Minister,” Privacy International notes in a press release today.

It’s asking the court to rule that GCHQ’s use of bulk personal datasets is unlawful and to order the destruction of any unlawfully obtained material. It also wants the IPT to grant an injunction preventing the intelligence agencies from continuing with bulk collection.

Commenting on the legal action in a statement, Privacy International’s deputy director Eric King, condemned GCHQ as acting as if it is “above the law”.

“Secretly ordering companies to hand over their records in bulk, to be data-mined at will, without independent sign off or oversight, is a loophole in the law the size of a double-decker bus,” he said. “The use of these databases, some volunteered, some stolen, some obtained by bribery or coercion, has already been abused, and will continue to be, until the practice is overhauled, and proper protections put in place.

“That the practice started, and continues without a legal framework in place, smacks of an agency who sees itself as above the law. ”

At the time of writing the IPT could not be reached for comment.

Other ongoing legal actions against U.K. intelligence agencies’ surveillance activities include challenges to GCHQ’s data-sharing activities — Privacy International says it is currently awaiting a final judgement on those cases, and is pursuing a challenge in the European Court of Human Rights against decisions on 5 December 2014 and 6 February 2015. And on unlawful hacking.

On the latter point it emerged last month the U.K. government had quietly amended anti-hacking laws to exempt GCHQ from prosecution, rewriting the Computer Misuse Act on 3 March 2015 without any public debate of the legislative changes.