The European Court of Human Rights (ECHR) has ruled that the UK’s bulk data collection and surveillance regime partially violated the European Convention on Human Rights. The program was disclosed by Edward Snowden in 2013. However, the Court has opined that the surveillance program did not by itself violate human rights law, but violations stemmed from a lack of safeguards and protections.
Investigatory Powers Act, 2016
The Act required telecommunication companies and ISPs to retain personal data on ongoing basis, to be able to assess it as and when required by law enforcement agencies. It also allowed transmission of the retained data to public authorities.
Last year, the European Court of Justice (CJEU) had declared that laws such as the Investigatory Powers Act cannot legally require a service provider to indiscriminately retain traffic and location data for national security purposes.
The judgment ruled that the practice is incompatible with the fundamental rights of privacy, freedom of expression, as well as the e-Privacy directive and GDPR.
The challenge to the surveillance program was initiated by a group of privacy rights organisations. These include the Big Brother Watch, the Open Rights Group (ORG), Amnesty International, and Liberty.
The grand chamber of the ECHR ruled unanimously that the surveillance regime violated multiple rights. The regime was intercepting bulk data and obtaining communications data from internet service providers. It violated Article 8 of the convention, the right to respect for private and family life/ communications. It also violated Article 10, the right to freedom of expression.
However, the court noted that the bulk data interception regime does not violate the convention by itself, “owing to the multitude of threats states face in modern society”, but such a regime must be subject to “end-to-end safeguards”. Hence, assessments at every stage of the process, as to how necessary and proportionate the data collection measures are very important.
In case of UK, the bulk interception had been authorized by the secretary of state and not a body independent of the government. Further, applications for warrant to conduct searches failed to adequately define the kind of communications data that would be examined. The mechanism also didn’t need a prior internal authorization for use of search terms linked to an individual.
Speaking to IT Pro, executive Director of ORG said:
“The Court has recognised that Bulk Interception is an especially intrusive power, and that ‘end-to-end safeguards’ are needed to ensure abuse does not occur… “The court has shown that the UK government’s legal framework was weak and inadequate when we took them to court with Big Brother Watch and Constanze Kurz in 2013. The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused.”
It must be noted that there were not violations of law in respect of the regime for requesting intercepted material from foreign governments and intelligence agencies.