Advanced Search
Content Type: Long Read
We won our case against the UK’s Security Service (MI5) and the Secretary of State for the Home Department (SSHD). The Investigatory Powers Tribunal (IPT) – the judicial body responsible for monitoring UK’s intelligence and security agencies – held that MI5 acted unlawfully by knowingly holding people’s personal data in systems that were in breach of core legal requirements. MI5 unlawfully retained huge amounts of personal data between 2014 and 2019. During that period, and as a result of these…
Content Type: Long Read
Case: Privacy International v Secretary of State for Foreign and Commonwealth Affairs and others
Last update: December 2022
Summary
The UK Security and Intelligence Agencies (SIAs) – including Government Communications Headquarters (GCHQ), Security Service and Secret Intelligence Service – have been building massive comprehensive datasets of information on each and every individual. They have been collecting and combining information from multiple sources on unclear legal bases and with minimal…
Content Type: News & Analysis
What happened
On 22 July 2021, the Investigatory Powers Tribunal (IPT) issued a declaration on our challenge to the UK bulk communications regime finding that section 94 of the Telecommunications Act 1984 (since repealed by the Investigatory Powers Act 2016) was incompatible with EU law human rights standards. The result of the judgment is that a decade’s worth of secret data capture has been held to be unlawful. The unlawfulness would have remained a secret but for PI’s work.
You…
Content Type: Frequently Asked Questions
On 27 October 2020, the UK Information Commissioner's Office (ICO) issued a report into three credit reference agencies (CRAs) - Experian, Equifax and TransUnion - which also operate as data brokers for direct marketing purposes.
After our initial reaction, below we answer some of the main questions regarding this report.
Content Type: News & Analysis
Privacy International (PI) welcomes today's report from the UK Information Commissioner's Office (ICO) into three credit reference agencies (CRAs) which also operate as data brokers for direct marketing purposes. As a result, the ICO has ordered the credit reference agency Experian to make fundamental changes to how it handles people's personal data within its offline direct marketing services.
It is a long overdue enforcement action against Experian.…
Content Type: News & Analysis
In September 2019, PI published the report Your Mental Health for Sale. Our investigation looked into popular mental health websites and their data sharing practices.
Our findings suggest that, at the time of the research, most websites we looked at were using third party tracking for advertising purposes, sometimes relying on programmatic advertising technologies such as Real Time Bidding (RTB), sharing personal data with potentially thousands of actors. Some websites were also found sharing…
Content Type: News & Analysis
Almost a year and a half ago we complained about seven companies to three data protection authorities in Europe. These companies, ranging from AdTech to data brokers and credit rating agencies, thrive on the collection, exploitation and processing of personal data. They profile and categorise people - without our knowledge and infringing multiple legal requirements.
Now, the French Data Protection Authority CNIL has informed us that they are following the same route and …
Content Type: News & Analysis
In mid-2019, MI5 admitted, during a case brought by Liberty, that personal data was being held in “ungoverned spaces”. Much about these ‘ungoverned spaces’, and how they would effectively be “governed” in the future, remained unclear. At the moment, they are understood to be a ‘technical environment’ where personal data of unknown numbers of individuals was being ‘handled’. The use of ‘technical environment’ suggests something more than simply a compilation of a few datasets or databases.
The…
Content Type: Press release
The Irish Data Protection Commission has today launched an inquiry into the data practices of ad-tech company Quantcast, a major player in the online tracking industry. PI's 2018 investigation and subsequent submission to the Irish DPC showed how the company is systematically collecting and exploiting people's data in ways people are unaware of. PI also investigated and complained about Acxiom, Criteo, Experian, Equifax, Oracle, and Tapad.
PI welcomes this announcement and its focus on…
Content Type: Press release
The Case
Privacy International v Secretary of State for Foreign and Commonwealth Affairs et al. (Bulk Personal Datasets & Bulk Communications Data challenge)
Date: 5-9 June 2017
Time: from 10:00 onwards
Location: Royal Courts of Justice, The Strand, London WC2A 2LL United Kingdom
Hearing overview
Next week’s hearing follows the Investigatory Powers Tribunal’s earlier judgment in October 2016, which ruled that three issues are to be determined:
…
Content Type: Press release
Key points
Bulk Communications Data (BCD) collection, commenced in March 1998, unlawful until November 2015
Bulk Personal Datasets regime (BPD), commenced c.2006, unlawful until March 2015
Everyone’s communications data collected unlawfully, in secret and without adequate safeguards until November 2015
We maintain that even post 2015, bulk surveillance powers are not lawful
As the Investigatory Powers Bill is set to become law within weeks, we argue that the authorisation and…
Content Type: Long Read
On 17 October 2016, the Investigatory Powers Tribunal handed down judgment in a case brought by Privacy International against the Foreign Secretary, the Home Secretary and the three Security and Intelligence Agencies (MI5, MI6 and GCHQ).
The case concerned the Agencies’ acquisition and use of bulk personal datasets (‘BPD’) – datasets that contain personal data about individuals, the majority of whom are unlikely to be of intelligence interest, such as passport databases and finance-related…