Last month, we noted that the UK rights group Privacy International has been at the forefront of the fight against the UK’s disproportionate surveillance activities, to such an extent that the UK government has changed the law just to avoid one of its legal challenges. Those challenges have covered many different aspects of GCHQ’s activities. In July 2014, Privacy International filed a complaint with the UK’s spy watchdog, the Investigatory Powers Tribunal (IPT), over GCHQ’s surveillance tools. In September 2014, it tackled GCHQ’s involvement in the “Five Eyes” system. And now it has come at things from yet another angle:
Privacy International today filed a legal complaint demanding an end to the bulk collection of phone records and harvesting of other databases, from millions of people who have no ties to terrorism, nor are suspected of any crime.
The complaint, filed in the UK’s Investigatory Powers Tribunal, is the first UK legal challenge to attack the UK Government Communications Headquarters’ (GCHQ) use of “bulk personal datasets” equivalent of the US s.215 bulk phone records metadata program. The s.215 program run by the NSA, which has dominated the US surveillance reform debate since Edward Snowden revealed it, was curtailed just days ago with the passing of the USA Freedom Act.
The latest challenge flows from the publication in March of the IPT report, “Privacy and Security: A modern and transparent legal framework.” Even with its frequent redactions, the report provided important new information on which Privacy International is basing its complaint:
The ISC does not reveal which datasets have been collected by GCHQ, but they are described as being “highly intrusive”, containing “millions” of records, which are then “linked together.” In a startling admission, the datasets were separately described as pertaining “to a wide range of individuals, the majority of whom are unlikely to be of intelligence interest.”
There is no proper legal regime in place, with no restrictions on which datasets can be collected, how long they can be stored, or accessed. The acquisition and subsequent use of datasets is not authorised by a judge, or even a Minister.
It gets even worse:
There are no legal penalties for misuse of this information, and abuse of the data has already happened with the ISC finding that agencies “had disciplined – or in some cases dismissed – staff for inappropriately accessing personal information held in these datasets.” It is not sufficient that misuse is dealt with by individual disciplinary measures. We need much stronger safeguards to prevent misuse occurring in the first place.
Bringing multiple cases before tribunals and courts is one way to achieve that. At the very least, it makes people more aware of what is going on, and increasingly it is leading to small but symbolically important victories too.