UK intelligence services have been taking advantage of gaps in the international rules to conduct bulk interception of Internet traffic.  That practice came under scrutiny in the European Court of Human Rights, in a ruling that was released this week.

 The case of Big Brother Watch and Others v the United Kingdom was brought to the Court by human rights activist groups who were concerned about the mass online surveillance being carried out by UK intelligence services. It has resulted in a ruling that lays out essential ground rules for protecting privacy.  

 Specifically, the European Court of Human Rights has  ruled that the bulk intercept practices  of Internet communications by  UK intelligence services were unlawful, and has established that there must be independent oversight  and that the warrants must be specific to a purpose.   

This case is about the intelligence services intercepting people’s  private communications  on the cables that carry Internet traffic around the world.  Bulk intercept means they collect and store our  emails, website visits, app usage, and other communications. They also collect the associated metadata – this is not what you said, but it is about the time you sent the message, who it went to, and the subject. They may do this without any specific target in mind.  It is, in other words,  about the  automated analysis of data points from Internet, phone and app data, sweeping up millions of records  on an exponential scale. 

It resulted from information made public  in 2014 by the whistle blower Edward Snowden, who revealed the existence of mass surveillance programmes carried out by the  National Security Agency (NSA) in the US. These included PRISM, a programme for obtaining data from tech companies, and TEMPORA which involved the bulk storage of Internet data by GCHQ. As aspect of this case considered the exchange of bulk data between the US intelligence services and the UK.

 The ruling is welcome confirmation that the  bulk interception of online communications, as practiced  by UK intelligence services,   was in violation of privacy rights.  The court said that the UK regime fell short of requirements under the European Convention on Human Rights. It made a point of saying that the bulk surveillance orders were made by a government Minister, whereas they should be made an independent judge.  The orders were not sufficiently precise, leaving opportunities for over-reach and abuse of powers. The overall situation meant that individuals could not be sure that their privacy was being protected.

 Given that  the technology is continually evolving, it is right that the safeguards for users' privacy should also be put under regular review.   The Ruling recommended that bulk interception should be accompanied by end-to end privacy safeguards, and subject to independent authorisation, supervision and review.

 The dissenting judgment from Judge Pinto de Albuquerque went further however. He stated that bulk intercept opens up a new balance between privacy rights and national security. He criticised the UK regime, stating that the bulk intercept measures were created to  “bypass safeguards under the existing system of international  mutual assistance treaties”  and to “take advantage of the  lack of regulation”  of new surveillance technologies, which in today’s environment could include facial recognition and other biometrics.

 Bulk intercept powers form part of the armoury of a modern surveillance state. In the current UK situation, where the government is taking powers away from Parliament and  the judiciary, and seeks to weaken  the right to protest, the ruling and the comments of the individual judges in this case are an alarm call. It is more important than ever that surveillance measures are subject to strong  safeguards to protect people's privacy.  We must remain vigilant that  the government will follow the ruling with the necessary legal changes.

 There is also the risk of  knock-on effects for British businesses.   Any failure to comply with the ruling  could  compromise the Data Adequacy decision from the EU. In light of the Schrems  ruling, (CJEU Case C-311/18 of 18 July 2020). Businesses  would have to consider the surveillance regime when making their legal contractual arrangements for transferring data to the UK.    

 The scant regard for privacy safeguards is  repeated again in the Police, Crime,  Sentencing and Courts Bill. The Bill  contains provisions for data evidence gathering from mobile phones, but fails to properly  regulate the amount of data that can be gathered  or who can access it.

---

 Case of Big Brother Watch and Others v the United Kingdom, European Court of Human Rights, Grand Chamber Judgment  and Press release 

Photograph: my own. Copyright Monica Horten 2015. 

I discuss the Edward Snowden revelations in my book The Closing of the Net. 

Iptegrity is made available free of charge. You may  cite my work, with attribution.  If you reference the material in this article, kindly cite the author as Dr Monica Horten, Visiting Fellow, London School of Economics and Political Science , and link back to  Iptegrity.com. 

 About me: I’ve been analysing analysing digital policy for over 13 years. I hold a PhD in EU Communications Policy as well as a Post-graduate diploma in marketing. For many years I was a telecoms journalist, writing for the FT among others.  I was an early adopter of the Internet and followed the introduction of the Single Market in the telecoms sector. I am interested in the effects of Brexit and technology.  Please get in touch if you'd like to know more about my current research.

 If you liked this article, you may also like my book The Closing of the Net  which discusses the backstory to content online policy and it introduces the notion of structural power in the context of Internet communications . Available in Kindle and Paperback from only £15.99!  

• Next >