UK spy agency violated Snooper's Charter with 'unlawful' data retention
Turns out even MI5 has to comply with retention rules
An independent tribunal has blasted British spy agency MI5 for "serious failings in compliance" and "unlawful" data collection of British subject dating back to 2014.
In its January 30 judgment [PDF], the Investigatory Powers Tribunal sided with data privacy advocates Liberty and Privacy International, which sued the intelligence agency over its mass surveillance practices in January 2020.
The Investigatory Powers Tribunal is an independent panel of judges that hears complaints against government bodies accused of illegally spying on UK citizens.
Liberty and Privacy International have long fought what the watchdog groups describe as "unlawful surveillance warrants" by government security services. This particular lawsuit centers around the Regulation of Investigatory Powers Act (RIPA) 2000 and the Investigatory Powers Act (IPA) 2016, also known as the Snooper's Charter.
While the laws give state agencies including MI5 the legal authority to collect and retain personal information belonging to private citizens, they do put certain restrictions around how the data should be handled. According to the tribunal's ruling, between 2014 and 2019 MI5 retained personal data longer than it legally should have.
"The holding and handling of data in those circumstances was unlawful on the basis that under the relevant provisions of RIPA and IPA satisfactory safeguards related to RRD were not in place," the judgment stated.
Additionally, the UK Home Office failed to exercise adequate oversight despite repeated high "risk register flags" that MI5 was not complying with the data-handling laws, according to the ruling.
The tribunal did not blame any specific individuals at MI5 or the Home Office, however. "There was a widespread corporate failure," it noted. "It would be unfair to single out individuals who have been identified in these proceedings."
It also declined to quash any warrants that had already been issued by the Home Office or direct MI5 to destroy all the unlawfully detained data, a move the tribunal said "would be very damaging to national security."
- UK spy agencies sharing bulk personal data with foreign allies was legal, says court
- MI5 still risks breaking the law on surveillance data through poor controls – years after it was first warned
- Whistleblowers have come to us alleging spy agency wrongdoing, says UK auditor IPCO
- UK spy overseer: Snooper's Charter cockups are still getting innocents arrested
Both Liberty and Privacy International praised the tribunal's finding that MI5 broke the Snooper's Charter data rules — but also said the decision didn't do enough to prevent mass surveillance and protect privacy rights.
"At its highest levels, MI5 systemically disregarded the law, and the Home Office's failure to do anything green-lighted their activities," Caroline Wilson Palow, legal director at Privacy International, said in a statement.
"Nothing good comes of unchecked power being exercised by government intelligence agencies operating in the shadows," she continued. "It's undemocratic and dangerous to our rights to give MI5 a free pass."
MI5 and the Home Office did not immediately respond to The Register's requests for comment ®.