The system that allowed spy agency GCHQ access to vast amounts of personal data from telecoms companies was unlawful for more than a decade, a surveillance watchdog has ruled.
The Investigatory Powers Tribunal said that successive foreign secretaries had delegated powers without oversight.
But it added there was no evidence GCHQ had misused the system.
Privacy International criticised the “cavalier manner” in which personal data was shared.
The group brought the legal challenge and solicitor Millie Graham Wood said it was “proof positive” that the system set up to protect personal data was flawed.
“The foreign secretary was supposed to protect access to our data by personally authorising what is necessary and proportionate for telecommunications companies to provide to the agencies.
“The way that these directions were drafted risked nullifying that safeguard by delegating that power to GCHQ – a violation that went undetected by the system of commissioners for years and was seemingly consented to by all of the telecommunications companies affected.”
Under security rules introduced after the attacks on 11 September 2001, the UK’s foreign secretary had the power to direct GCHQ to obtain data from telecoms companies, with little oversight of what they were subsequently asking for.
The Investigatory Powers Tribunal (IPT) – set up to investigate complaints about how personal data is handled by public bodies – ruled that most of the directions given between 2001 and 2012 had been unlawful.
The tribunal was critical of the way the government handed on requests to GCHQ, partly because phone and internet providers “would not be in any position to question the scope of the requirement” because they “would have no knowledge of the limited basis upon which the direction had been made”.
“In form, the general direction was a carte blanche. In practice, it was not treated as such and there is no evidence that GCHQ ever sought to obtain communications data which fell outside the scope of data which had been sought in the submission to the foreign secretary,” the IPT ruled.
It added that a series of improvements had been made and were in force “from at least 2014” that ensured “great care” was now taken to ensure the foreign secretary approved any changes to the information being demanded from telecoms companies.
A government spokesman said: “We welcome today’s judgment that the security and intelligence agencies’ powers are proportionate and comply with the European Convention on Human Rights.
“The security and intelligence agencies are subject to a strict legal framework and robust independent oversight.
“We are proud of the work they do to keep the UK safe within these parameters.”