The United Kingdom’s controversial surveillance program came to light as part of the 2013 Edward Snowden revelations, in which the former CIA contractor released thousands of classified documents to journalists.
STRASBOURG, France (CN) — Europe’s top rights court found on Tuesday that a bulk data collection program in the United Kingdom violated citizens’ right to privacy.
The European Court of Human Rights held that British intelligence and security organization Government Communications Headquarters, commonly known as GCHQ, illegally intercepted communications data and failed to properly safeguard it.
“The court holds unanimously that there has been a violation of Article 8 of the Convention,” ECHR President Róbert Spanó told an empty courtroom during a virtual hearing. The court was established in 1959 by the European Convention on Human Rights, which protects the civil and political rights of Europeans.
The 17-judge panel found that “there is considerable potential for bulk interception to be abused in a manner adversely affecting the rights of individuals to respect for private life.”
The ruling came in response to a series of complaints about digital privacy and security brought by a coalition of privacy and civil rights groups, including Big Brother Watch, the American Civil Liberties Union and Amnesty International.
British privacy advocacy organization Privacy International applauded the ruling in a statement.
“The Grand Chamber of the European Court of Human Rights has today issued a landmark ruling that the UK’s mass surveillance regime, first exposed by whistleblower Edward Snowden in 2013, violates people’s rights to privacy and freedom of expression. This will have an impact not only in the U.K. but across Europe,” the group said.
During a hearing in 2019, the U.K. argued that the legal framework for bulk data collection had changed and the practice was needed to protect national security. A piece of legislation from 2000 known as the Regulation of Investigatory Powers Act allowed GCHQ to collect massive quantities of data, including metadata from mobile phones and internet traffic. That law was replaced in 2016 by the Investigatory Powers Act, which is currently facing its own legal challenges.
Tuesday’s ruling wasn’t a total win for privacy advocates, however.
“The court accepts that bulk interception is of vital importance to contracting states in identifying threats to their national security,” the Grand Chamber wrote, explicitly permitting countries to engage in bulk data collection under certain circumstances. It also found that the U.K. had not violated the European Convention on Human Rights when it requested intercepted material from foreign governments and intelligence agencies.
However, the court went further than it had in a 2018 ruling in the same case, which the applicants had appealed to the Grand Chamber. The latest decision calls for “end-to-end safeguards” on all data interception. The court also called for an assessment to be made at each stage of the collection process and said it should be subject to an inspection by an independent body.
Several judges argued that Tuesday’s ruling did not go far enough to safeguard privacy. In a partially concurring and partially dissenting opinion, Judge Paulo de Albuquerque wrote: “The exponential increase of surveillance activity in the last decade and the public outcry that it has unleashed warrants stricter oversight of the intelligence agencies’ activities, for the sake of preserving democracy and defending the rule of law. Not the opposite.”
Silkie Carlo, director of Big Brother Watch, voiced similar concerns.
“We welcome the judgment that the U.K.’s surveillance regime was unlawful, but the missed opportunity for the court to prescribe clearer limitations and safeguards means that risk is current and real,” Carlo said.
The court ordered that the U.K. pay 538,500 euros ($660,000) in costs in damages to the 15 groups and individuals who brought the complaints.