Mass surveillance and data collection programs used by the UK government breached privacy and don't meet the necessary legal requirements to guarantee rights will be upheld, the European Court of Human Rights (ECHR) has ruled.
The court has concluded that the UK's mass interception programmes breached the European Convention on Human Rights. The case of 'Big Brother Watch and Others v the United Kingdom' was launched by privacy and civil liberties groups in the aftermath of the Edward Snowden revelations, which saw the former US National Security Agency contractor blow the whistle on surveillance and intelligence sharing programs run by intelligence services in the United States and the United Kingdom.
In what represents its first ruling on UK surveillance programmes, the judgement by the EctHR ruled that the GCHQ bulk interception regime violated Article 8 of the Convention of Human Rights -- the right to respect for private and family/life communications -- by five votes to two.
The justification for the ruling states there's "insufficient" oversight on the filtering, search and selection of intercepted communications for examination and that the safeguards were "inadequate". The ruling also states that UK's regime for authorising bulk interception was incapable of keeping the "interference" to what is "necessary in a democratic society".
Bulk interception of data was also ruled to violate Article 10 of the European Convention of Human Rights -- the right to freedom of expression and information -- as there was "were insufficient safeguards in respect of confidential journalistic material".
SEE: IT pro's guide to GDPR compliance (free PDF)
However, the court in Strasbourg also ruled the way GCHQ shared sensitive data with foreign governments not to be illegal, violating neither Article 8 or 10. Nonetheless, the rulings have been welcomed by civil liberties groups.
"This is a major victory for the rights and freedom of people in the UK. It shows that there is -- and should be -- a limit to the extent that states can spy on their citizens," said Megan Goulding, lawyer for Liberty
"Our government has built a surveillance regime more extreme than that of any other democratic nation, abandoning the very rights and freedoms terrorists want to attack. It can and must give us an effective, targeted system that protects our safety, data security and fundamental rights," she added.
Jim Killock, executive director of Open Rights Group, said the ruling means the UK government will have to re-evaluate how it goes about collecting data of citizens -- but that the battle is far from over.
"The decision should help future challenges because it is the first time that the detail of bulk surveillance programmes has started to be questioned," he told ZDNet.
"For the UK government, they will have to think more carefully about how they justify electronic surveillance. Many of the crucial questions are yet to come, but this decision shows how important it is for an external human rights court to have the final word on the UK's approach to privacy and surveillance," he added.
While the court acknowledges that it's important that states are able to carry out secret surveillance to counter terrorism and other threats, going too far with this can also represent a threat to the liberty of citizens.
"The court could not ignore the fact that surveillance regimes have the potential to be abused, with serious consequences for individual privacy," said an ECHR statement.
SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)
Those safeguards must take into account the nature of the offences, defining the categories of people liable to having their communications intercepted, a limit on the duration of interception, the procedure used when examining, using and storing data, precautions taken when sharing data with other parties, and the circumstances in which it must be erased or destroyed.
Despite the ruling, it may not directly impact on UK surveillance legislation -- because many surveillance rules were updated when the Investigatory Powers Act was introduced in 2016.
However, the Court of Appeal -- the highest court in England and Wales -- has previously ruled the act known by critics as the Snoopers' Charter to be unlawful. Despite this, the laws haven't been updated or changed.
Nonetheless, Killock said that Prime Minister Theresa May -- who oversaw the introduction of the Investigatory Powers Act as Home Secretary -- should take notice of the ruling.
"Theresa May should take close note of the judgment, which is the first step towards restrictions on bulk practices. While the judgment does not attempt to forbid these altogether, it also shows that restrictions, limits and accountability will be a feature of future legal discussions about these laws," he said.
READ MORE ON CYBER SECURITY
- End-to-end encryption plan puts Europe on collision course with UK
- House votes to renew surveillance powers revealed by Snowden (CNET)
- Backdoors, encryption and internet surveillance: Which way now?
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web (TechRepublic)
- German police hacking hit by volley of complaints: Can 'state trojan' law survive?