Following on a ruling nearly two months ago, where the UK’s Investigatory Powers Tribunal — for the very first time — found that GCHQ had broken the law with its surveillance of client/attorney communications, now the IPT has ruled against GCHQ again. The IPT says that GCHQ held emails of human rights activists for too long — but found that the initial collection of those emails was no problem at all.
In respect of the Third Claimant (The Egyptian Initiative for Personal Rights), the Tribunal has found that email communications of the Third Claimant were lawfully and proportionately intercepted and accessed, pursuant to s.8(4) of RIPA. However, the time limit for retention permitted under the internal policies of GCHQ, the intercepting agency, was overlooked in regard to the product of that interception, such that it was retained for materially longer than permitted under those policies.
So, no problem spying on human rights organizations — just make sure you delete the emails within the allotted timeframe. And, of course, the court concludes that this is a pretty minor violation, given that there’s no evidence anyone actually looked at the data after they should have destroyed it:
We are satisfied however that the product was not accessed after the expiry of the relevant retention time limit, and the breach can thus be characterised as technical…
Still, it notes, even a technical breach is a breach and thus slaps GCHQ on the wrist. This seems like pretty weak sauce all around, but at the very least, the IPT is finally recognizing that GCHQ isn’t following the law at times. It’s not nearly enough, and the level of oversight is laughable. And, of course, none of these breaches, technical or otherwise, likely would have come to light at all without Ed Snowden.