Privacy International Back In Court For A Hearing Related To The Collection Of Bulk Personal Datasets And Bulk Communications Data

Press release
Royal Courts of Justice

The Case

Privacy International v Secretary of State for Foreign and Commonwealth Affairs et al. (Bulk Personal Datasets & Bulk Communications Data challenge)

Date: 5-9 June 2017

Time: from 10:00 onwards

Location: Royal Courts of Justice, The Strand, London WC2A 2LL United Kingdom

Hearing overview

Next week’s hearing follows the Investigatory Powers Tribunal’s earlier judgment in October 2016, which ruled that three issues are to be determined:

            a) the impact of EU law; 

            b) the legality of transfer and sharing of data; and

            c) proportionality.

(a) It is Privacy International’s position that the collection of bulk communications data (BCD) and bulk personal datasets (BPD) engages EU law. The mandatory safeguards in Joined Cases C-203/15 and C-696/15 Tele2 Sverige and Watson apply: blanket retention is prohibited, and there must be prior independent authorisation for access, notice provisions, retention in the EU and restrictions on the use of material. Neither the regime under s.94 of the Telecommunications Act 1984 nor the BPD regime (so far as in scope) complies with the requirements of EU law. The Respondents’ submissions to the alternative are untenable: the suggestion that the safeguards identified in Watson do not apply to processing for national security purposes is an argument already fought and lost by the Government. The suggestion that the IPT should ignore a decision of the CJEU is constitutionally unsound.

(b) There appear to be no adequate safeguards governing the transfer of data from the Agencies to other bodies, whether they are other UK law enforcement agencies, commercial companies, or foreign liaison partners.

(c) The s.94 regime and the BPD regime are disproportionate interference with Convention and EU Charter rights. 

Bulk Communications Data (BCD)

Bulk Communications Data (BCD) is the who, when, where, and how of a communication. It includes, but is not limited to, visited websites, email contacts, to whom and where and when an email is sent, map searches, GPS location, and information about every device connected to every WiFi network. BCD can provide vast knowledge about individuals. 

Bulk Personal Datasets (BPDs)

Bulk Personal Datasets (BPDs) are large datasets that are incorporated into ‘analytical systems’. They contain considerable volumes of personal data about individuals, the majority of whom are unlikely to be of intelligence interest. They include biographical details, commercial and financial activities, communications and travel as well as BCD. BPDs contain the content of legally privileged communications.

Case Background

In August 2014 Privacy International filed a case in the Investigatory Powers Tribunal, challenging the legality of the acquisition, use, retention, disclosure, storage, and deletion of Bulk Personal Datasets (BPD) and Bulk Communications Data (BCD) in the UK. The first hearing took place in July 2016 and, in a judgment in October of that year, it was found that communications data had been collected unlawfully, in secret and without adequate safeguards until November 2015.

Privacy International argues that there are insufficient protections governing the sharing of data to other UK law enforcement agencies, commercial companies or foreign partners; and that the collection of BPD and BCD engages EU law. The UK government argues that s.94 directions and the BPD regime do not engage EU law. They neither confirm nor deny whether they share or have agreed to share BPD/BCD with foreign partners, law enforcement, or industry.


Press Contacts

Camilla Graham Wood, Legal Officer, Privacy International – / +44 (0) 20 3422 4321

Press, Privacy International – / +44 (0) 20 3422 4321