Compatibility of Sharing Bulk Personal Datasets: Judgment on Article 8 ECHR, Schemes and Mind Maps of Law

Download Compatibility of Sharing Bulk Personal Datasets: Judgment on Article 8 ECHR and more Schemes and Mind Maps Law in PDF only on Docsity! - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Neutral Citation Number: [2022] EWHC 770 (QB) Case No: CO/4253/2018 IN THE HIGH COURT OF JUSTICE QUEEN’S BENCH DIVISION DIVISIONAL COURT Royal Courts of Justice Strand, London, WC2A 2LL Date: 4 April 2022 Before : PRESIDENT OF THE QUEEN’S BENCH DIVISION MR JUSTICE JOHNSON Between : THE QUEEN on the application of PRIVACY INTERNATIONAL Claimant - and - INVESTIGATORY POWERS TRIBUNAL Defendant -and- (1) SECRETARY OF STATE FOR FOREIGN AND COMMONWEALTH AFFAIRS (2) SECRETARY OF STATE FOR THE HOME DEPARTMENT (3) GOVERNMENT COMMUNICATIONS HEADQUARTERS (4) SECURITY SERVICE (5) SECRET INTELLIGENCE SERVICE Interested Parties Tom de la Mare QC, Ben Jaffey QC and Daniel Cashman (instructed by Bhatt Murphy) for the Claimant Sir James Eadie QC, Andrew O’Connor QC and Richard O’Brien (instructed by Government Legal Department) for the Interested Parties Angus McCullough QC and Adam Straw QC (instructed by the Special Advocates’ Support Office) as Special Advocates Hearing dates: 9 February 2022 – 10 February 2022 Further written submissions: 3 March 2022, 11 March 2022, 15 March 2022, 16 March 2022 Approved Judgment Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment Dame Victoria Sharp P: 1. This is the judgment of the court. 2. This claim concerns the regulation of sharing Bulk Personal Datasets (“BPDs”) by MI5, MI6 and GCHQ (“the Agencies”) with foreign intelligence agencies. 3. In a judgment dated 23 July 2018 (“the 2018 judgment”) the Investigatory Powers Tribunal (“the Tribunal”) concluded by a majority that the regulatory regime was compatible with article 8 of the European Convention of Human Rights (“ECHR”) in the period from 2015 to 2017. In particular, it concluded that adequate safeguards were in place to comply with article 8. The claimant seeks judicial review of that decision. The issue was described by the Tribunal as “a matter of the greatest importance”, in part because BPDs disclosed by the Agencies might be unlawfully used in contexts involving a risk to life (the claimant identified the possibility of rendition operations, or drone strikes). 4. Part of the reasoning of the Tribunal was given “in closed”: that reasoning was not published or disclosed to the claimant (save by way of an “open” summary), because the Tribunal considered that to do so would be damaging to the interests of national security. 5. On 8 October 2019 Supperstone J made case management directions for these proceedings. The directions made provision for the appointment of Special Advocates who could examine all of the material that was put before the Tribunal, and the entirety of the Tribunal’s reasoning, and then represent the claimant’s interests in closed proceedings. The Special Advocates have advanced closed arguments in support of the claimant’s claim. So far as was possible, consistent with the interests of national security, extracts from the Special Advocates’ closed arguments were disclosed to the claimant. Permission to claim judicial review was granted by Swift J on 22 July 2020. 6. We heard open submissions from Tom de la Mare QC on behalf of the claimant, and Sir James Eadie QC on behalf of the Agencies. These submissions addressed, primarily, the question of whether the Tribunal had correctly identified the safeguards that are required by article 8 for the sharing of BPDs with foreign agencies. We heard closed submissions from Angus McCullough QC as Special Advocate, and Sir James Eadie QC on behalf of the Agencies. These submissions addressed the detail of the closed evidence and the Tribunal’s closed judgments, and, in particular, the Tribunal’s assessment that the safeguards in place met the required standards. 7. In this judgment we deal with all of the arguments that have been raised, both in open and in closed, so far as it is possible to do so without disclosing material that the Tribunal treated as closed. Some of our reasoning is set out in a separate closed judgment. 8. Mr McCullough QC confirmed, in the course of the closed hearing, that he did not consider that the closed arguments raise any point of legal principle. Nothing in our closed judgment raises any point of legal principle. Rather, our closed judgment addresses the arguments of the Special Advocates as to the application of the legal principles to the facts. Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment 13. The following facts were agreed between the parties in the proceedings before the Tribunal: “(i) GCHQ, MI5 and MI6 collect and hold BPDs, on their respective analytical systems. (ii) BPDs consist of large amounts of personal data: The majority of individuals whose personal data is contained in a BPD will be of no intelligence interest. (iii) Multiple BPDs are analysed together to obtain search results. (iv) BPD may be acquired through overt and covert channels. (v) BPD can contain sensitive personal data as defined under s2 of the Data Protection Act 1998 and/or information covered by legal professional privilege, journalistic material and financial data. (vi) GCHQ, MI5 and MI6 share BPDs, and BPDs may be shared with their foreign partners and/or may be disclosed to persons outside the agencies, as described in their Handling Arrangements. (vii) MI5, GCHQ and MI6 each acquire BPDs from other Government departments. …GCHQ, MI5 and MI6 do not currently hold and have never held a BPD of medical records, although medical data may appear in BPDs. (viii) There have been instances of non-compliance with BPD safeguards at GCHQ, MI5 and MI6, as disclosed in the various Commissioners’ Reports. (ix) There was no statutory oversight of BPDs by the [Intelligence Services] Commissioner prior to the March 2015 ISC Report. (x) Prior to the publication of that ISC Report, the holding of BPDs was not publicly acknowledged.” 14. It is thus in the public domain that the Agencies use BPDs in the way described. At the time of the hearing before the Tribunal, the Agencies had not stated, in public, whether any of the Agencies had ever shared BPDs with foreign intelligence agencies (agreed fact (vi) only extends to the possibility that this may happen). The true position was revealed to the Tribunal in its closed hearings. The Tribunal considered that this was a legitimate application of the “neither confirm nor deny” (“NCND”) policy (see at [61]). The Tribunal’s 2016 judgment proceeds on the assumption that sharing has taken place. We do likewise (see paragraphs 66 and 77-80 below). The legal regime regulating BPDs 15. The Tribunal set out the regime that regulates BPDs in great detail in appendix B to its 2016 judgment. It also set out, as appendix 2 to its 2018 judgment, (and again in great detail – running to 38 pages) the handling arrangements and other guidance in relation to sharing BPDs outside the Agencies. We summarise the principal features. Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment The Agencies 16. The Agencies may only disclose information where that is necessary for the proper discharge of their functions (here, to protect the interests of national security) – see s2(2)(a) of the Security Service Act 1989 (so far as MI5 is concerned), and ss2(2)(a) and 4(2)(a) of the Intelligence Services Act 1994 (so far as, respectively, MI6 and GCHQ are concerned). These statutory limits apply to the disclosure of information to foreign agencies. 17. The Agencies are each a public authority within the meaning of the Human Rights Act 1998. By s6(1), it is unlawful for the Agencies to act in a way that is incompatible with a Convention right. Article 8 ECHR is a Convention right. Article 8(1) provides that “everyone has the right to respect for his private and family life, his home and his correspondence.” By article 8(2) there must be no interference with this right except where that is “in accordance with the law” and is “necessary in a democratic society” for a specified aim (here, the interests of national security). The Commissioners 18. The offices of the Interception of Communications Commissioner and the Intelligence Services Commissioner (“the Commissioners”) were established by ss57 and 59 of the Regulation of Investigatory Powers Act 2000. These provisions provided that (amongst other matters): (1) Appointments to those offices must be made by the Prime Minister. (2) The Commissioners must hold (or have held) high judicial office. (3) The Interception of Communications Commissioner was required to keep under review (among other matters) the exercise and performance by the Agencies of powers and duties conferred or imposed in respect of the acquisition and disclosure of communications data. (4) The Commissioners must give the Tribunal such assistance as it requires (including by providing an opinion as to any issue falling to be determined by the Tribunal). 19. By s59A of the 2000 Act, the Intelligence Services Commissioner was additionally required, so far as directed by the Prime Minister, to keep under review the carrying out of any aspect of the functions of (among others) the Agencies. On 11 March 2015 the Prime Minister gave a direction under s59A of the 2000 Act – the Intelligence Services Commissioner Additional Review Functions (Bulk Personal Datasets) Direction 2015. This directed the Intelligence Services Commissioner to: “continue to keep under review the acquisition, use, retention and disclosure by the [Agencies] of [BPDs], as well as the adequacy of safeguards against misuse [and to] assure himself that the acquisition, use, retention and disclosure of [BPDs] does not occur except in accordance with [the 1989 and 1994 Acts and to] seek to assure himself of the adequacy of the [Agencies’] handling arrangements and their compliance therewith.” Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment 20. The Intelligence Services Commissioner was Sir Mark Waller in the period 2011-2016. The Interception of Communications Commissioner was Sir Stanley Burnton in the period 2015-2017. The policy, handling arrangements and oversight 21. BPD policy came into force in February 2015. This applies to each of the Agencies and represents the agreed policy for each of the Agencies. The Tribunal explains in its 2016 judgment (at [39]) that the policy sets out “[s]pecific, detailed measures… which are designed to limit access to data to what is necessary and proportionate, to ensure that such access is properly audited, and to ensure that disciplinary measures are in place for misuse.” The policy makes the following provision in respect of the sharing of BPDs: “D. Sharing … When sharing BPD the supplying Agency must be satisfied that it is necessary and proportionate to share the data with the other Agency/Agencies… A log of data sharing will be maintained by each agency; The sharing of BPD must be authorised in advance by a senior individual within each Agency, and no action to share may be taken without such authorisation; … Were BPD to be shared with overseas liaison the relevant necessity and proportionality tests for onwards disclosure under the SSA or ISA would have to be met….” [Underlining in original to denote a ‘gist’] 22. On 4 November 2015 the BPD “handing arrangements” were published. Paragraph 2.6 requires that that any disclosure of BPD has “clear justification, accompanied by detailed and comprehensive safeguards against misuse” and is “subject to rigorous oversight.” Disclosure to a third party may only be made if that is necessary to achieve a defined objective (which may include the interests of national security) and is proportionate to that objective. Prior to any such disclosure, staff must take steps to ensure that the recipient “has and will maintain satisfactory arrangements for safeguarding the confidentiality of the data and ensuring that it is securely handled” or have received satisfactory assurances from the intended recipient. Additional safeguards are in place in the case of disclosure of the whole or a subset of a BPD (as opposed to a single item of data). This requires an application to a senior manager for authorisation. Each Agency is required to have an internal review panel to scrutinise the disclosure of BPD (amongst other matters) to ensure that it is properly justified. Each Agency must have an audit team that monitors the use of BPD in order to detect misuse. 23. The Handling Arrangements also deal with oversight. Each Agency must report its BPD operations to the relevant Secretary of State. The use (including disclosure) of BPDs was overseen by the Intelligence Services Commissioner on a regular six-monthly basis (except where oversight fell within the remit of the Interception of Communications Commissioner). Each Agency must ensure that it can demonstrate that proper judgments have been made on the necessity and proportionality of any disclosure of BPDs. Each Agency is required to satisfy the appropriate Commissioner that its policies and procedures provide adequate safeguards against misuse and are strictly complied with. Each Agency must provide the appropriate Commissioner with all such documents and information as may be required by the Commissioner. Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment The Investigatory Powers Tribunal 27. The Tribunal was established by Part 4 of the Regulation of Investigatory Powers Act 2000. By s65(2) of the 2000 Act, read with s7 Human Rights Act 1998, it is the only appropriate tribunal for determining a claim that the Agencies have acted in a way that is incompatible with a Convention right. The President of the Tribunal must hold (or must have previously held) high judicial office. At the time of the 2018 judgment there was no right of appeal from a decision of the Tribunal. An important part of the raison d’être of the Tribunal is to adjudicate on allegations that the Agencies have acted unlawfully and, where that has happened, to provide a remedy. It is part of the framework to ensure compliance with the legality requirements of article 8 ECHR. Many of its decisions have addressed those requirements. Legality requirement of article 8 ECHR 28. The sharing of BPDs with a foreign agency will almost inevitably interfere with privacy rights guaranteed by article 8. It is therefore unlawful, unless it is justified in any particular case under article 8(2). That requires that the interference is “in accordance with the law” and is necessary for, and proportionate to, a legitimate aim, here the interests of national security. The obligation for any interference with privacy rights to be in accordance with the law requires (a) a sufficient legal framework to regulate the interference, and (b) compliance with that framework. This “addresses supremely important features of the rule of law” so as to ensure that the public is not vulnerable to interference with rights of privacy “by public officials acting [arbitrarily]” - R (Gillan) v Commissioner of Police of the Metropolis [2006] UKHL 12 [2006] 2 AC 307 per Lord Bingham at [34]. 29. The safeguards that are required for the legal framework to be compatible with article 8 are well established and well known. The precise detail of what is required depends on the nature of the interference with privacy rights. In the context of retention of personal data by the police, there must be “clear, detailed rules governing… access of third parties… providing sufficient guarantees against the risk of abuse and arbitrariness… the rules need not be statutory, provided they operate within a framework of law and that there are effective means of enforcing them” – see R (Catt) v Association of Chief Police Officers [2015] AC 1065 per Lord Sumption JSC at [11]. 30. Where interferences take place by the Agencies acting in secret, then “the risks of arbitrariness are evident” (Malone v United Kingdom (1985) 7 EHRR 14 at [67]). That is because any individual who is affected “will necessarily be prevented from seeking an effective remedy of his or her own accord or from taking a direct part in any review proceedings” (Klass v Germany (1979-80) 2 EHRR 214). That impacts on the nature of the regulatory safeguards that are required. In this context, “clear, detailed rules” are essential so as to provide “adequate and effective safeguards and guarantees against abuse” (Zakharov v Russia (2016) 63 EHRR 17). 31. The rules must make sufficient provision for the authorisation and supervision of actions by intelligence agencies that interfere with privacy rights – see Weber v Germany (2008) 46 EHRR SE5 at [106]: “This assessment depends on all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by the national law.” 32. In carrying out that assessment what is required is (see Klass at [54]): “[a determination] whether the procedures for supervising the ordering and implementation of the restrictive measures are such as to keep the ‘interference’ to what is ‘necessary in a democratic society…’” 33. In Weber the court summarised its previous case-law as to the minimum safeguards that are required to regulate “secret measures of surveillance” (in the specific context of telephone intercept)– see at [95] (with numbering added): “(1) the nature of the offences which may give rise to an interception order; (2) a definition of the categories of people liable to have their telephones tapped; (3) a limit on the duration of telephone tapping; (4) the procedure to be followed for examining, using and storing the data obtained; (5) the precautions to be taken when communicating the data to other parties; and (6) the circumstances in which recordings may or must be erased or the tapes destroyed.” 34. In Kennedy v United Kingdom (2011) 52 EHRR 4 the court concluded that the regulation of telephone intercept under UK law was compatible with article 8. It relied on the system of supervision that was in place, particularly: (1) the role of the Interception of Communications Commissioner (noting that he was “independent of the executive” and had “held high judicial office”, that his annual report was published, that he had access to all relevant documents and could require disclosure of any material he requires, and that he undertook a biannual review of a random selection of specific cases), (2) the role of the Tribunal (which, “[u]nlike in many other domestic systems” could receive applications from anyone and which could require the provision of assistance from the Commissioner and which published its legal rulings), (3) the obligation to maintain proper records by the Agencies, (4) the absence of evidence of any significant shortcomings on the application and operation of the regime. 35. It concluded at [169]: “Having regard to the safeguards against abuse in the procedures as well as the more general safeguards offered by the supervision of the Commissioner and the review of the IPT, the impugned surveillance measures, insofar as they may have been applied to the applicant… are justified under art 8(2).” 36. In Big Brother Watch v United Kingdom (judgment 25 May 2021) the Grand Chamber of the European Court of Human Rights considered the safeguards that are required in the context of bulk interception of communications. It drew on its previous case law, including Klass, Weber, Zakharov and Kennedy. It considered whether there was a need “to develop the case-law” (see at [340]). It recognised (at [348]) that the first two Weber Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment criteria are not applicable to bulk interception (as opposed to targeted supervision). This meant (see at [349]-[350]): “349. …the importance of supervision and review will be amplified, because of the inherent risk of abuse and because the legitimate need for secrecy will inevitably mean that, for reasons of national security, States will often not be at liberty to disclose information concerning the operation of the impugned regime. 350. Therefore, in order to minimise the risk of the bulk interception power being abused, the Court considers that the process must be subject to “end-to- end safeguards”, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto review. In the Court’s view, these are fundamental safeguards which will be the cornerstone of any article 8 compliant bulk interception regime…” 37. The Court addressed the requirement of supervision at [356]: “Each stage of the bulk interception process – including… onward transmission… of the intercept material – should also be subject to supervision by an independent authority and that supervision should be sufficiently robust to keep the “interference” to what is “necessary in a democratic society”. In particular, the supervising body should be in a position to assess the necessity and proportionality of the action being taken, having due regard to the corresponding level of intrusion into the Convention rights of the persons likely to be affected. In order to facilitate this supervision, detailed records should be kept by the intelligence services at each stage of the process.” 38. At [362] the court observed that it had not previously “provided specific guidance regarding the precautions to be taken when communicating intercept material to other parties.” It said that (1) such transmission should be limited to material that has been collected and stored in a Convention compliant manner, (2) the circumstances in which transfers may take place must be set out clearly in domestic law, (3) the transferring State must ensure that the receiving state has in place safeguards capable of preventing abuse and disproportionate interference, (4) the receiving state must guarantee secure storage of the material and restrict onward disclosure, (5) heightened safeguards are required in the case of material “requiring special confidentiality” (such as journalistic material), (6) the transfer of material should be subject to independent control. 39. The court was satisfied that the UK had in place sufficient safeguards in relation to the communication of intercepted material to third parties. In relation to the transfer of such material to foreign agencies, it said, at [396]: “…the transfer… to a foreign intelligence partner… would only give rise to an issue under Article 8 of the Convention if the intercepting State did not first ensure that its intelligence partner, in handling the material, had in place safeguards capable of preventing abuse and disproportionate interference, and Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment 1984 Act is incompatible with EU law. It granted a declaration to that effect. The Tribunal expressly reserved the question as to the consequences of this for the sharing of BPDs with foreign agencies – see at [27]: “At the hearing a point was also raised by Mr de la Mare about the consequences for sharing arrangements with foreign agencies and others. This was a topic which was dealt with by the Tribunal in its [2018 judgment]… Mr de la Mare accepted that this is one of those topics which will have to be considered at a later stage in these proceedings.” The 2018 judgment 50. Leaving aside the impact of EU law, the Tribunal identified 4 issues that remained for resolution from its 2016 judgment. The third of these concerned the sharing of BPDs. That itself gave rise to three sub-issues, the first of which concerned sharing with foreign agencies. It is the Tribunal’s decision on that sub-issue which is under challenge in this claim for judicial review. 51. The Tribunal held open and closed hearings over 8 days between October 2017 and March 2018. It considered a significant amount of written and oral evidence. It was dissatisfied with the way in which the evidence emerged from GCHQ. This involved, on a number of occasions, statements made by GCHQ having “to be subsequently corrected” as a result of “re-thinking or double-checking”. The Tribunal found that GCHQ had breached its duty to make disclosure to the Tribunal under s68(6) RIPA (although, it was satisfied, by the end of the proceedings, that this had been remedied). In these circumstances, the witness was cross-examined by counsel for the Claimant, Mr de la Mare QC. The Tribunal described this as “an exceptional step… because of the concerns about [the witness’ evidence].” It also heard extensive submissions on behalf of the claimant and the Agencies. In the course of these hearings, the claimant made an application to reopen the 2016 judgment insofar as it concluded the oversight of the Commissioners had been adequate. The application was based on a number of different factors. They included that Sir Mark Waller had carried out oversight personally and had not had a team of inspectors (in contrast to Sir Stanley Burnton who appointed a team to assist him). They also included correspondence with IPCO in which “amber warnings” were given and “criticisms” expressed. The Tribunal considered that a sufficient case had been made to justify consideration of reopening the judgment, and so it separately considered that as a fifth issue. The Tribunal commended the claimant’s representatives for their “dedication and hard work… throughout this exercise” and acknowledged that “the public and indeed [the Agencies] owe them a debt of gratitude for their patience and perseverance, as well as their considerable and valuable inquisitiveness.” 52. The Tribunal received evidence as to the safeguards that were in place in relation to the sharing of BPDs with foreign agencies. It also received evidence from a GCHQ witness about the steps that would be taken in the event that BPDs were shared with foreign agencies. The witness said the Agencies would: “● Follow the principles and approach set out in our respective handing arrangements and policy/guidance ● Take into account the nature of the BPD/BCD that was due to be disclosed Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment ● Take into account the nature/remit of the body to which we were considering disclosing the BPD/BCD ● Take into account the approach taken by any other [intelligence agency] who may have shared bulk data and have regard to any protocols/understandings that the other agencies may have used/followed ● Depending on the individual circumstances seek assurances that the BPD/BCD in question would be handled in accordance with RIPA safeguards… ● If relevant to the particular circumstances, seek assurances that its use was in accordance with the UK’s international obligations. ● Any data shared with the organisation would be shared on the basis that it must not be shared beyond the recipient organisation unless explicitly agreed in advance or approved through the Action-on process. Action-on is a process which is used by each of the Agencies.” 53. The Tribunal gave judgment on 23 July 2018 ([2018] UKIPTrib IPT_15_110-CH [2018] 2 All ER 166). 54. The Tribunal rejected the application to reopen its 2016 judgment (see at [95]-[112]). It observed that different Commissioners could legitimately take different views as to “the appropriateness of technical assistance.” Sir Mark Waller had preferred to carry out work himself, so he had personal oversight which was not delegated to others. Sir Stanley Burnton had appointed a team of Inspectors. However, the Tribunal had “no doubt that [Sir Mark Waller] did carry out supervision, with diligence and regularity” which was demonstrated by the detail of his reports and the technical points he had explored with the Agencies. The Tribunal considered that the new regime, under IPCO, which involved a team of experts “may be an improvement… but it does not… evidence prior inadequacy.” The observations that had been made by IPCO did not undermine, but instead exemplified “the nature and adequacy of ongoing oversight.” 55. At [64], the Tribunal referred to its previous judgments in which it had considered the safeguards required by article 8. It emphasised that the sharing of BPDs could only be lawful if there were adequate safeguards against abuse, including sufficient oversight arrangements. It referred (at [68]) to case law that shows safeguards must be “practical and effective” rather than “theoretical and illusory” and that that the safeguards must include “independence, powers and competence which are sufficient to exercise an effective and continuous control, public scrutiny and effectiveness in practice.” 56. The Tribunal therefore recognised that it is not enough for there to be robust safeguards in place. It is necessary that they are operated in a manner that is effective. The Tribunal made it clear at the outset of the open judgment (at [6(iv)]) that the Agencies had identified five serious errors which they had since corrected. It observed that, to the extent that those errors were present in information provided to the Commissioners, “this will have meant that the Commissioners were not overseeing GCHQ on the basis of a complete and accurate picture of what it was actually doing.” This therefore raised in Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment stark form the question of whether the safeguards were effective in practice or whether the errors that had been identified meant that the system was incompatible with article 8. 57. The Tribunal cited Catt at [33] for the proposition that a system of oversight can be satisfactory even if it is “not proof against mistakes”. Against that background it set out its approach as follows (at [69]): “(i) The fact that errors occur in the handling of data does not necessarily establish that safeguards or oversight were not effective; no oversight can be expected to prevent any errors occurring. (ii) The mere fact that errors are reported, or are detected by internal or external audit, may be evidence that the oversight system is working, not that it is defective. (iii) There is a duty on the Agencies… to report to the Commissioner anything that is material for the Commissioner to know in order to perform his oversight function properly; if there has been a failure to report a material use of data of which the commissioner might not be aware… then that is to be treated as a failure… to ensure proper safeguards and oversight. (iv) A Commissioner has a considerable margin of appreciation as to what resources he needs to perform his functions correctly, and there are no grounds for criticism of his decisions as to how he applies those resources; it is not the function of the Tribunal to audit the performance of a Commissioner’s functions; the fact that a new Commissioner might take a different view on an issue does not establish that there were not adequate and effective arrangements before. (v) The question may well be capable of being resolved by reference to whether there has been a systemic failure in oversight arrangements, not whether in particular respects the performance of the Agencies can be criticised.” 58. Applying this approach, the majority concluded that the system for sharing BPDs with foreign agencies was compatible with article 8, notwithstanding the errors that had been identified. There were two dissenting members, Charles Flint QC and Susan O’Brien QC. They each set out their reasons for dissent in a closed judgment. The majority explained in the closed judgment that they shared some of the concerns expressed in the dissenting judgments, but did not consider that they rendered the regime incompatible with article 8. 59. The Tribunal therefore concluded by a majority that the regime in respect of sharing BPDs with foreign agencies complied with article 8 (see at [61]-[71]). This was expressly subject to any question that might arise under EU law - see at [72]: “As for the position under EU law, in relation to transfer of intelligence out of the EU to foreign agencies, that must obviously await the outcome of the Reference to the CJEU.” 60. We have explained above the steps that the Tribunal has since taken in relation the Reference to the CJEU (see paragraphs 47 and 49 above). Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment 69. In respect of the substance of the claim, Mr de la Mare QC made submissions of principle as to the requirements of article 8 in the light of Big Brother Watch, recognising that it would be for the Special Advocates to advance the claimant’s case as to whether there had been a departure from those requirements in the light of the evidence and findings that had not been disclosed to the claimant. He emphasised the practical impact of sharing BPDs on privacy interests. The increasing use of mobile telephones, email and the internet mean that BPDs (and particularly BCDs) allow intelligence agencies to build a detailed picture of a person’s private life. Communication metadata (“the who, where, when and how” of each communication) can be more revelatory and of greater value to the Agencies than the content of communications because the metadata “does not lie.” BPDs can be used to locate targets of interest. That is particularly relevant in the context of the time period covered by this case because of the use of rendition operations (potentially involving torture or inhuman and degrading treatment), and drone strikes, which are known to have taken place. 70. Big Brother Watch was the first occasion on which the European Court of Human Rights had considered the article 8 safeguards that should be applied to the use of bulk data by intelligence agencies. It also dealt “head on” with the question of sharing data. It recognised that because the first two Weber criteria are inapt in the context of bulk data, supervision and review take on amplified importance (see paragraphs 33 and 36 above) – as Mr de la Mare QC put it, they have to do “more of the heavy lifting.” 71. So far as sharing is concerned, the first safeguard identified by the court (see paragraph 38 above) is that the data has been gathered lawfully in the first place. Here, the Tribunal has already found that the gathering of BCD was in breach of EU law. This causes “the whole system to fall down.” Moreover, the court said in terms that there must be independent oversight of data sharing. The court was satisfied, in that case, that the system of supervision and oversight was compatible with the requirements of article 8 (see paragraphs 39 - 40 above), but those assessments were made without the benefit of the identification by the Tribunal in this case of errors that had occurred. 72. Mr de la Mare QC adopted an argument that was advanced by the Special Advocates to the effect that the Tribunal failed to recognise and apply well-known principles as to the “in accordance with the law” requirement of article 8 ECHR. The Tribunal’s explanation of what is required is “generic.” In particular, it does not state whether the supervisory body was in a position to assess the proportionality and necessity of any sharing. Moreover, it is clear (for example from the 2019 IPCO report) that there have been problems as to the degree of oversight that had previously been applied. The report indicates that the whole topic is now approached in an organised, systematic, systemic and procedural fashion, with the implementation of checks and balances to record sharing, caveats, limitations on use and undertakings, and to cross-check that nothing is happening that is inconsistent with those conditions. But that all serves to indicate that the pre-existing regime was deficient. 73. The critical finding of the majority of the Tribunal was that the “episodic” problems it identifies do not demonstrate that there was “systemic failure”. That, however, depends on the closed evidence and findings, and everything would “turn on close examination of the facts by the Special Advocates.” Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment The Agencies’ response to the claimant’s case 74. Sir James Eadie QC submitted that the Tribunal’s summary of the Strasbourg caselaw and the core requirements was “concise” but legally accurate. Rather than repeating all of the requirements, it referred back to its previous judgments which analyse in detail the case law setting out the safeguards that are required. This is a legitimate approach: the Tribunal does not need to “reinvent the wheel” each time it gives judgment in a case concerned with article 8. In considering the application of the safeguards, the Tribunal recognised that a critical element is the ex post facto oversight that is provided by a combination of the Commissioners and the Tribunal itself. Neither the claimant nor the Special Advocates have identified any inaccuracy in the Tribunal’s summary of what is necessary to comply with article 8. 75. The judgment of the Grand Chamber in Big Brother Watch does not undercut any of the principles identified by the Tribunal as applicable to the question of sharing BPDs with foreign agencies. Big Brother Watch was concerned with bulk intercept, which is “a different game, with different issues” compared to cases that have previously been considered. It explains how the principles that were developed in earlier cases should be applied “in the world of big data.” Nothing in Big Brother Watch shows that the domestic regime for BPDs is incompatible with article 8. Critically, there is no suggestion in Big Brother Watch that advance independent authorisation is required (see at [362]) – an ex post facto system of oversight by the Commissioners and the Tribunal can suffice. 76. Insofar as the claimants raised concerns about the legality of acquiring BPDs, that was an attempt to “open up other aspects of the data cycle” which were not the subject of the Tribunal’s 2018 judgment. That judgment (so far as is now challenged) is only concerned with the sharing of BPDs with foreign agencies. Discussion Application of “NCND” to question of whether BPDs have been shared with foreign agencies 77. In the proceedings before the Tribunal, the Agencies refused publicly to admit or deny whether BPDs had been shared with foreign agencies. The application of “NCND” was explained in evidence put before the Tribunal. The Tribunal recognised that “unauthorised and unadmitted disclosures” had been made by Edward Snowden, a former US contractor. It did not consider that those disclosures could be treated as amounting to, or being equivalent to, admission or avowal by the Agencies. The Tribunal was content to permit the Agencies to maintain a public “NCND” stance, whilst conducting the open hearings “on the hypothesis that the fact that such sharing has taken place is to be assumed.” 78. The issue is whether that stance is tenable in the light of IPCO’s 2019 report. That report was published. It must have been carefully vetted by the Agencies before publication took place (see s234(7) of the 2016 Act). We are satisfied that the content of the 2019 report amounts to public avowal that BPDs are shared by GCHQ with foreign agencies. It is not, therefore, tenable for GCHQ to continue to maintain an “NCND” response to the question of whether sharing now takes place. The 2019 report does not, however, state when BPDs were first shared by GCHQ with foreign agencies, and, in particular, does not state whether they were shared by GCHQ during the period considered by the Tribunal. Dame Victoria Sharp P Privacy International v Investigatory Powers Tribunal Approved Judgment 79. We accept the claimant’s submissions as to the undesirability of resolving issues of legal principle in closed judgments. Here, however, all issues of legal principle have been debated in the course of the open submissions and are determined in this judgment. The closed judgment is concerned only with the application of those principles to the factual findings made, in closed, by the Tribunal. We do not consider that this approach is incompatible with the important principle of open justice. The question of NCND had not been raised in the grounds of claim, and it is not necessary to resolve that question in order to determine the grounds of claim. It is a side issue. The balance as to what could be dealt with in open and what had to remain in closed was considered in detail by the Tribunal. We have, so far as is consistent with the unchallenged approach of the Tribunal, dealt with this claim in public proceedings and in this public judgment. That is consistent with the general approach that was sanctioned by the Supreme Court (in the context of reviewing search warrants, where some of the evidence considered by the Magistrates’ Court is sensitive) in R (Haralambous) v Crown Court at St Albans and another [2018] UKSC 1 [2018] AC 236 per Lord Mance DPSC at [59]. 80. It is therefore not necessary or appropriate, on this claim for judicial review, to adjudicate on the claimant’s contention that it is no longer permissible to maintain NCND in respect of that earlier period. That is an issue that is more appropriately determined (if it is necessary to do so) by the Investigatory Powers Tribunal, as a specialist first instance Tribunal, than by us on a claim for judicial review which did not raise this issue until a late stage. We therefore adopt the same approach as the unchallenged approach of the Tribunal of assuming, for the purpose of this open judgment, that sharing was taking place during the period considered by the Tribunal. Role of the Court on claim for judicial review of the Tribunal 81. The consequence of the decision of the Supreme Court in Privacy International is that, notwithstanding s67(8) of the 2000 Act, the Court may review a decision of the Tribunal, exercising its powers under s29 Senior Courts Act 1981. If the Court concludes that the determination of the Tribunal was legally flawed then, on the approach taken by the Supreme Court, “it is no decision at all” and there is no ouster of the Court’s reviewing jurisdiction. 82. The Agencies accept this analysis. They contend that if the Court considers that the decision of the IPT is flawed on public law grounds then the Court may quash the determination and remit the case back to the Tribunal. We agree. We do not accept the submission of the claimant, and the Special Advocates, that it is necessary for us to reach our own view as to whether the Agencies have acted compatibly with Convention rights. 83. We are exercising a reviewing jurisdiction. The appropriate remedy if the Tribunal’s determination is vitiated by error of law is to quash the determination and to remit the matter back to the Tribunal pursuant to s31(5)(a) Senior Courts Act 1981. There is, in narrow circumstances, power for the Court to substitute its own decision (s31(5)(b) read with s31(5A)). That does not seem to us to be appropriate in the circumstances of this case, for two reasons. First, Parliament has provided, by s65(2)(a) and (3)(a) of the 2000 Act, that the Tribunal is “the only appropriate tribunal for the purposes of section 7 of the Human Rights Act 1998 in relation to any proceedings [against any of the intelligence services] under subsection (1)(a) of that section (proceedings for actions incompatible with Convention rights)…” It would be inconsistent with that legislative choice for us to declare that the Agencies have acted incompatibly with Convention rights. Second, the