Privacy International v. Secretary of State for Foreign and Commonwealth Affairs
Privacy International v. Secretary of State for Foreign and Commonwealth
[2016] UKIPTrib 15_110-CH
In the Investigatory Powers Tribunal
Case Number IPT/15/110/CH
Before Justice Burton, President, Justice Mitting, Vice-President, Sir Richard Mclaughlin, Mr Charles Flint QC, and Ms Susan O’Brien QC
Decided on October 17, 2016
Relevance of the case: Validity of bulk data collection exercises by law enforcement and intelligence agencies in the UK
Statutes and Provisions Involved
- The Telecommunications Act 1984 (Section 94)
- The Human Rights Act 1998 (Section 8)
- The Data Protection Act 1998
- The Security Services Act 1989
- The Intelligence Services Act 1994
- The Counter-Terrorism Act 2008
- The Regulation of Investigatory Powers Act 2000 (Section 8(4)) (“RIPA”)
- The Official Secrets Act 1989
Relevant Facts of the Case
- On July 22, 2014, Privacy International filed a complaint challenging UK intelligence agencies’ legality of bulk data collection under Section 94 of the Telecommunications Act 1984.
- GCHQ and MI5 collected and held Bulk Communications Data (BCD), relying on Section 94 of the Telecommunications Act 1984. However, MI6 did not collect or hold BCD.
- GCHQ accessed BCD under the same standards as data obtained under Section 8(4) of the RIPA and stored BCD in the same databases as RIPA data.
- BCD included “traffic data” and “service use information,” potentially containing subscriber information and location data from mobile and fixed telephone lines and internet devices.
- Various Commissioners’ Reports identified non-compliance with internal procedures and safeguards at GCHQ and MI5.
- GCHQ, MI5, and MI6 collected and held bulk personal datasets (BPDs). These BPDs contained large amounts of personal data, with most individuals not being of intelligence interest.
- BPDs could include sensitive personal data, such as legal, journalistic, and financial information, acquired through overt and covert channels.
Prominent Arguments by the Counsels
- The claimant’s counsel argued that:
- The collection of BPDs and BCD violated the right to privacy under Article 8 of the European Convention on Human Rights (ECHR).
- The data collection practices lacked sufficient oversight, transparency, and safeguards to protect individual privacy, making the practices neither necessary nor proportionate to the aims of national security and law enforcement.
- The respondent’s counsel argued that:
- The data collection practices were conducted under existing legal frameworks and necessary safeguards, highlighting the evolving security threats and the critical role these practices played in protecting public safety.
- Using BCD and BPDs are essential tools for national security, counter-terrorism, and crime prevention.
Opinion of the Bench
- It is important to ensure the proportionality and the implementation of adequate safeguards to protect individual privacy. At the same time, there is an operational case for these powers as supported by the “Bulk Powers Review” conducted by Mr David Anderson QC.
- The tribunal recognised the necessity of BCD and BPD for national security, including their roles in counter-terrorism, cyber-security, and preventing serious crimes.
- The BPD regime has complied with Article 8 of ECHR since March 12, 2015. As for the BCD regime, the compliance started on November 04, 2025. These changes have happened due to improved safeguards and oversight. Before these dates, both regimes lacked sufficient legal frameworks and oversight.
Final Decision
- Individuals whose data were retained under these regimes had no actionable complaint unless there was evidence that their data had been accessed and examined.