Bulk Personal Datasets & Bulk Communications Data challenge
Privacy International v Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service and Secret Intelligence Service
Court: Investigatory Powers Tribunal
Case No. IPT/15/110/CH
This case challenges the acquisition, use, retention, disclosure, storage and deletion of bulk personal datasets (BPDs) and bulk communications data (BCD) by the UK Security and Intelligence Agencies (SIAs) – specifically Government Communications Headquarters (GCHQ), Security Service and Secrete Intelligence Service. The existence and usage of such datasets were kept secret for more than a decade, until they were publicly disclosed in March 2015 for BPDs and November 2015 for BCD.
Privacy International first contested the legality of these bulk datasets before the Investigatory Powers Tribunal (IPT) on 8 June 2015. The IPT, in two consecutive judgments, concluded that both BPDs and BCD were operating in violation of Article 8 of the European Convention on Human Rights that protects the right to privacy, for more than ten years. The IPT determined that the legal framework regulating these datasets was not in accordance with law and lacked sufficient safeguards. The Tribunal did not contest the legality of establishing bulk datasets altogether. Questions relating to the compliance of these datasets with EU law are pending before the Court of Justice of the European Union.
In the course of this process, it was revealed that Privacy International’s data were held by all three agencies during the periods that both BPDs and BCD have been assessed as illegal by the IPT. The Security Service had further accessed and examined Privacy International’s held data in a separate database as part of an investigation. The Security Service decided to delete Privacy International’s data before the on-going investigation was completed.