The UK's bulk data collection and surveillance programme partially violated the European Convention on Human Rights, specifically contravening articles on the right to privacy and freedom of expression.
The surveillance programme, disclosed by Edward Snowden in 2013, did not in itself violate human rights law, according to the grand chamber of the European Court of Human Rights (ECHR), but violations stemmed from a lack of safeguards and protections.
The challenge, which has gone through various stages through the years, was brought forward by a group of privacy rights organisations, including Big Brother Watch, the Open Rights Group (ORG), Amnesty International, and Liberty. Previous judgements have generally concurred that the UK's surveillance regime was unlawful.
"The Court has recognised that Bulk Interception is an especially intrusive power, and that 'end-to-end safeguards' are needed to ensure abuse does not occur," executive director of the ORG, Jim Killock, said.
"The court has show that the UK government's legal framework was weak and inadequate when we took them to court with Big Brother Watch and Constanze Kurz in 2013. The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused."
The grand chamber ruled unanimously that the surveillance regime violated Article 8, the right to respect for private and family life/communications, in respect of the bulk interception regime and obtaining communications data from internet service providers (ISPs). Both these data collection practices also violated Article 10, the right to freedom of expression.
There were no violations under Article 8 or Article 10 in respect of the regime for requesting intercepted material from foreign governments and intelligence agencies.
Operating a bulk interception regime does not itself violate the convention, "owing to the multitude of threats states face in modern society", but such a regime must be subject to "end-to-end safeguards". This means that assessments should be made at every stage of the process of how necessary and proportionate the data collection measures are.
The UK's regime fell short because bulk interception had been authorised by the secretary of state and not by a body independent of the government. Applications for warrants to conduct searches also didn't state the categories of search terms that would define the kinds of communications data that would be examined. The use of search terms linked to an individual, including specific identifiers such as email address, had also not been subject to prior internal authorisation.
The judgement will serve as vindication for the applicants who brought the challenge forward, with the UK's surveillance regime deemed not compatible with the law at the time, the Regulation of Investigatory Powers Act (RIPA) 2000. This has since been replaced with the Investigatory Powers Act 2016, also known as the snooper's charter.
The grand chamber's decision to declare bulk surveillance regimes in and of themselves as not incompatible with human rights law, however, may be considered disappointing by privacy rights activists. Groups such as Big Brother Watch and Liberty have sustained longstanding opposition to such regimes out of principle.
"As the court sets out, bulk interception powers are a great power, secretive in nature, and hard to keep in check," Killock continued.
"We are far from confident that today's bulk interception is sufficiently safeguarded, while the technical capacities continue to deepen. GCHQ continues to share technology platforms and raw data with the USA. This judgment is an important step on a long journey."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.