Julian Milford KC and John Bethell of 11KBW act in important challenge to MI5’s handling of data


The Investigatory Powers Tribunal (Edis LJ, Lieven J and Charles Flint KC) has handed down its OPEN and CLOSED judgments in the claim concerning MI5’s handling of bulk personal datasets (BPD) and bulk communications data (BCD) within certain parts of MI5’s IT estate (‘TE’, ‘TE2 Area 1’ and ‘TE2 Area 2’): Liberty and Privacy International v Security Service and Secretary of State for the Home Department [2023] UKIPTrib 1. 

The judgments follow a 5-day substantive hearing, sitting in OPEN, in Private and in CLOSED during July 2022. Earlier in the proceedings, MI5 had conceded that between 2016 and 2019 the Service had not complied with retention, review and disposal (RRD) safeguards for authorised data and should have reported this to the Investigatory Powers Commissioner’s Office (IPCO).

In its OPEN judgment the IPT considered, across a 10-year period: the nature, extent and duration of MI5’s non-compliance with legal safeguards; MI5’s reporting of matters to the Home Office; and whether the Home Office should have made further enquiries, based upon what it knew. These questions were relevant, in particular, to the lawfulness of warrants and directions that had been granted by the Home Secretary, during that period, authorising MI5 to obtain data.

The IPT concluded that MI5 unlawfully held data within the TE from late 2014. These matters should have been addressed and disclosed to IPCO at the time. There had been a serious misjudgement, but the Tribunal saw no evidence that MI5 officers had attempted to conceal information about the compliance problems. The IPT drew particular attention to the way in which compliance issues with RRD had been categorised internally as “risks”, when in fact the position was that MI5 was already in breach of statutory safeguards. MI5 had given assurances to the Home Office, about compliance, which were not consistent with the Service’s internal documents, at least from late 2018. The Home Office failed to make adequate enquires of MI5 despite being presented with reports showing compliance risk in the TE from December 2016.

It followed that:

  • Warrants issued under the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016, and directions and authorisations made under the Telecommunications Act 1984 and the Intelligence Services Act 1994, were unlawful in the period late 2014 to 5 April 2019, due to the existence of RRD errors from this time.
  • The Secretary of State irrationally failed to make adequate enquires as to whether statutory safeguards were being met from December 2016, in breach of the Tameside duty.
  • These warrants etc were governed by the same principles as a without notice application for a search warrant: so, it was particularly important that the Secretary of State was told about any significant non-compliance. Not every breach or potential breach had to be reported by MI5 to the Secretary of State, but serious and longstanding non-compliance had to be raised when seeking such a warrant.
  • MI5 and the Home Office had conceded a corresponding breach of Article 8 ECHR (and thus of the Human Rights Act 1998. It was unnecessary for the Tribunal to determine a separate Article 6 challenge under these circumstances.
  • There was no systemic failure of the statutory scheme and the claim did not bear upon the outcome of Liberty’s ongoing judicial review of the Investigatory Powers Act 2016 (see, e.g., here). MI5’s failure to act in accordance with legal duties was a quite distinct matter. IPCO had acted robustly once alerted to the issues.
  • There was no breach of EU law. In particular, EU law did not confer an absolute right to any particular remedy, such as the quashing of warrants or the deletion of data.

The Judgment is notable for the IPT’s approach to relief. In particular:

  • Although the IPT applied the same principles used by a court in judicial review proceedings, this did not include s.31(2A) of the Senior Courts Act 1981 (the ‘highly likely / not substantially different’ provision), because the IPT had jurisdiction over the whole of the UK and that provision did not apply in Scotland.
  • Only declaratory relief should be granted.
  • It was not appropriate to grant a quashing order. The Tribunal accepted the Respondents’ submissions that quashing warrants etc or ordering the deletion of data would be very damaging to national security. Moreover, it would be disproportionate: it was not the case that MI5 should never have held the material at all, only that some small part of it had been retained for too long; there was no evidence that any individual had been harmed as a result of the unlawfulness; and since material had been used in valuable national security products it was relevant to consider the adverse effects of deleting that material.
  • Events since 2019 showed the effectiveness of IPCO and the current statutory regime.
  • There was widespread corporate failure, but it was not necessary or appropriate to single out any individual at MI5 or the Home Office for blame (having heard MI5 witnesses cross-examined in CLOSED).
  • The Claimants had brought the claim as a matter of public service and no award of compensation, to anyone, was required.
  • The Claimants could apply to re-open an earlier IPT claim, in respect of judgments given between October 2017 to September 2018, on the grounds of a breach of candour by MI5 in its reporting to the Tribunal after June 2019. That breach of candour relates to a failure in the use of BCD, discussed further in the CLOSED judgment.

Julian Milford KC and John Bethell acted for MI5 and the Secretary of State, instructed by the Government Legal Department A copy of the OPEN judgment is available here.