Picfair gives every photographer on its marketplace their own store

Picfair, the photo marketplace that competes with Getty and Shutterstock by giving photographers a fairer deal, is adding a major update to its offering today. The London-based startup is launching Picfair Stores, giving the 35,000 photographers on its marketplace the ability to create their own free independent online store. Customers who buy from a Picfair Store can choose a licensed digital copy or a physical print.

“We’re moving beyond being just a new generation stock image marketplace,” Picfair founder Benji Lanyado, who used to be a journalist at The Guardian, tells me. “With stores, and prints, and more… we’re becoming a fully featured commercial ecosystem for photographers. At the heart of it all: the principle that anyone should be able to make money from their images, simply and fairly”.

In addition, every image on a photographer’s individual Picfair Store will also be available simultaneously on Picfair’s marketplace, which Lanyado likens to “thousands of local image stores across the globe, with a central Amazon-style megastore they all feed in to”.

He also says it is the first time anyone has combined a marketplace, with the added control of website builders, such as Wix or Squarespace, and the on-demand print functionality of Smugmug or Zenfolio, all built with amateur photographers in mind (although the line to amateur and professional is becoming increasingly blurred).

“Picfair is uniting all of this. The control of a website builder. The commercial structures of an e-commerce platform. The exposure of a marketplace, with added price control and fair royalty splits,” Lanyado says.

Less tech-driven but perhaps equally significant, Picfair has recently launched a photo agency unit, building on top of its bread and butter business of selling image licenses to editorial and marketing companies. It came about slightly accidentally, says Lanyado, after brands and creative agencies started approaching the company asking if it could help them find photographers across the globe.

Initially we just introduced the photographers to the clients directly, like idiots,” he tells me. “Then we started acting like non-idiots and offered our services as a photographer-finder agency, with a very hand black book of 35,000 photographers around the world. We’ve already worked with Google, VisitBritain, Ogilvy and a few other big brands too. The cool bit: all of our leads have come from our community. Most of our photographers aren’t professionals, and their jobs cover the creative gamut: production people in creative agencies, marketing folk etc. The marketplace is generating leads for the agency!”.

Meanwhile, Picfair has just closed a $540,000 equity crowdfunding round. This saw many of its photographers take part, meaning that the company is now part photographer-owned. It adds to a £1.5 million seed round raised a year ago.

Cleo, the ‘digital assistant’ that replaces your banking apps, picks up $10M Series A led by Balderton

When Cleo, the London-based ‘digital assistant’ that wants to replace your banking apps, quietly entered the U.S., the company couldn’t have expected to be an instant hit. Many better funded British startups have failed to ‘break America’. However, just four months later, the fintech upstart counts 350,000 users across the pond — claiming more than 600,000 active users in the U.K., U.S. and Canada in total — and says it is adding 30,000 new signups each week. All of which hasn’t gone unnoticed by investors.

Already backed by some of the biggest VC names in the London tech scene — including Entrepreneur First, Moonfruit founder Wendy Tan White, Skype founder Niklas Zennström, Wonga founder Errol Damelin, TransferWise founder Taavet Hinrikus, and LocalGlobe — Cleo is adding Balderton Capital to the list.

The European venture capital firm, which has previously invested in fintech unicorn Revolut and the well-established GoCardless, has led Cleo’s $10 million Series A round, in which I understand most early backers, including Zennström, also followed on. One source told me the Series A gives the hot London startup a post-money valuation of around £30 million (~$39.7m), although Cleo declined to comment.

In a call with co-founder and CEO Barney Hussey-Yeo, he explained that the new capital will be used to continue scaling the company, with further international expansion the name of the game. Hussey-Yeo says Cleo will be targeting Western Europe, the Americas, and Australasia, aiming to launch in a whopping 22 countries in the next 12 months, as Cleo bids to become the “default interface” for millennials interacting and managing their money.

Primarily accessed via Facebook Messenger, the AI-powered chatbot gives insights into your spending across multiple accounts and credit cards, broken down by transaction, category or merchant. In addition, Cleo lets you take a number of actions based on the financial data it has gleaned. You can choose to put money aside for a rainy day or specific goal, send money to your Facebook Messenger contacts, donate to charity, set spending alerts, and more.

However, in the context of traction and Cleo’s broader global ambitions, it is the decision not to become a bank in its own right, that Hussey-Yeo feels is really beginning to bear fruit. His argument has always been that you don’t need to be a bank to become the primary way users interface with their finances, and that without the regulatory and capital burden that becoming a fully licensed bank brings, you can scale much more quickly. I have a feeling that strategy — and its pros and cons — has a long way to play out just yet.

Announcing the agenda for TechCrunch Startup Battlefield MENA 2018 in Beirut

We’re excited to head to Beirut, Lebanon, on October 3rd for TechCrunch Startup Battlefield MENA 2018. Yes, we’re bringing our premier startup pitch competition to the Middle East / North Africa, and as well as launching 15 of the hottest startups in MENA on stage for the first time, we’ll also be joined by some leading lights of the scene.

Tickets to this event — our first in this part of the world — cost $29 (including VAT), and you can buy your tickets right here.

Startup Battlefield consists of three preliminary rounds with 15 teams — five startups per round — who have six minutes to pitch and present a live demo to a panel of expert technologists and VC investors. After each pitch, the judges have six minutes to grill the team with tough questions. This is all after the free pitch-coaching they receive from TechCrunch editors.

One startup will emerge the winner of TechCrunch Startup Battlefield MENA 2018 — and receive a US$25,000 no-equity cash prize and win a trip for two to compete in the Startup Battlefield at TechCrunch Disrupt in 2019 (assuming the company still qualifies to compete at the time).

We still have a few tricks up our sleeves and will be adding some new names to the agenda over the few weeks so keep your eyes open. In the meantime, check out these agenda highlights:

Fireside Chat
With Imad Kreidieh (Ogero Telecom) and Ari Kesisoglu (Facebook)

Startup Battlefield Competition, Session 1
TechCrunch’s iconic startup competition is here and for the first time in MENA, as entrepreneurs from around the region pitch expert judges and vie for the Battlefield Cup.

Konstantinos Papamiltiadis (Facebook)
Hear from Facebook’s Director of Developer Platforms & Programs about how his team supports Facebook’s product and platform strategy through partnerships with technology companies and programs for startups.

Startup Battlefield Competition, Session 2
TechCrunch’s iconic startup competition is here and for the first time in MENA, as entrepreneurs from around the region pitch expert judges and vie for US$25,000 no-equity cash prize and a trip for two to compete in the Startup Battlefield at TechCrunch Disrupt in 2019.

Lessons 10 Years On
With Omar Gabr (Instabug), Nour Al Hassan (Tarjama) and Ameer Sherif (Wuzzuf)
Ten years ago the Middle East and North Africa’s tech ecosystem was worth perhaps tens of millions of dollars. Today it’s in the hundreds of millions, and beyond. A decade ago the societal landscape was very different from today. Let’s discuss the huge changes that have happened and challenges and opportunities ahead.

Startup Battlefield Competition, Session 3
TechCrunch’s iconic startup competition is here and for the first time in MENA, as entrepreneurs from around the region pitch expert judges and vie for the Battlefield Cup.

Fireside chat
With Magnus Olsson (Careem)
How do you scale a big startup in MENA? We hear from Magnus Olson, founder and Managing Director of ride-hailing giant Careem on how they joined the unicorn club with Lyft and Uber.

Where Will the Exits Come From?
With Henri Asseily (Leap Ventures), Priscilla Elora Sharuk (Myki), and Kenza Lahlou (Outlierz Ventures)
Both VCs and startups in MENA alike are furiously building the companies of the future. But you can’t have a startup without an acquisition or IPO, so where are these going to come from? We’ll hear from both the founder and investor perspectives.

Startup Battlefield Competition – Final Round
TechCrunch’s iconic startup competition is here and for the first time in MENA, as entrepreneurs from around the region pitch expert judges and vie for the Battlefield Cup.

MENA Content Plays
with Hussam Hammo (Tamaten) and Rami Al Qawasmi (Mawdoo3)
A little-known fact about the MENA market is the sheer lack of Arabic language content online for consumers, whether it be media, music, games or events. Arabic-specific sites have appeared, tailor-made to the market. We’ll get the perspective of key entrepreneurs in this space.

Startup Battlefield Closing Awards Ceremony
Watch the crowning of the latest winner of the Startup Battlefield

Twitter’s former Head of People EMEA joins VC firm Atomico as Partner

Atomico, the European venture capital firm founded by Skype’s Niklas Zennström, is announcing a number of new hires to its investment team, including new Partner Caroline Chayot, who previously led the EMEA HR team at Twitter.

I’m told she’ll be working alongside existing Atomico Partner Dan Hynes, who was formerly the Director of Global Staffing at Skype, with the pair helping meet increased demand from Atomico’s portfolio companies for talent support.

At Twitter, Chayot is said to have supported the leadership team in scaling the social media behemoth from two to six markets, growing the team from 80 based in London to 500 across the region. Prior to that she worked at Google in HR for 9 years.

In addition, Irina Haivas has joined Atomico as Principal. The former surgeon and former surgical fellow at Harvard Medical School (yes, you read that correctly) previously worked at healthcare investor GHO Capital Partners. She’ll focus on sourcing investment opportunities in machine intelligence-enabled businesses, synthetic biology, robotics and other “frontier technologies”.

The other new members of the 30-strong Atomico investment team are:

  • Senior Associate Annalise Dragic, a recent Stanford MBA graduate and who was a member of LinkedIn’s Strategy & Analytics Leadership Program’s inaugural class. She’ll be focusing on the U.K.
  • Associate Luca Eisenstecken, a German native who spent the last two years in San Francisco with Vector Capital. He’ll be covering Germany, Austria and Switzerland.
  • Associate Christina Fa, who grew up in Australia and New Zealand and joins Atomico from Google’s Corporate Finance team in Mountain View. She’ll be focusing on the Nordics and Baltic regions.
  • IR Associate Gunita Bhasin, who joins Atomico from Deutsche Bank and has lived and studied in India, Singapore, Turkey, and the U.K. She’ll support long-time Head of IR Camilla Richards in managing Atomico’s relationships with its global investor base.

Finally, it would be remiss of me not to mention Atomico’s new addition to its communications team. Eleanor Warnock, formerly with the Wall Street Journal, has joined the VC firm as Communications Manager. The hack-turned-flack will work alongside Atomico’s Head of Communications Bryce Keane to help raise the profile of the firm’s portfolio companies internationally.

Meanwhile, it’s that time of year again. Atomico has launched its latest State of European Tech survey, where it seeks your help in capturing a data-driven snapshot of the current European tech ecosystem and to confront a number of myths along the way. You can read TC’s analysis of the 2017 report here, and if you’d like to contribute, this year’s survey can be found here.

Tandem CEO will tell you why building a bank is hard at Disrupt Berlin

Challenger banks, neobanks or digital-only banks… Whatever we choose to call them, Europe — and the U.K. in particular — has more than its fair share of bank upstarts battling it out for a slice of the growing fintech pie. One of those is Tandem, co-founded by financial technology veteran Ricky Knox, who we’re excited to announce will join us at TechCrunch Disrupt Berlin.

Tandem — or the so-called “Good Bank” — has been on quite a journey this year. Most recently the bank launched a competitive fixed savings product, pitting it against a whole host of incumbent and challenger banks. It followed the launch of the Tandem credit card in February, which competes well on cash-back and FX rates when spending abroad.

Both products are part of a wider strategy where, like many other consumer-facing fintechs, Tandem wants to become your financial control centre and connect you to and offer various financial services. These are either products of its own or through partnerships with other fintech startups and more established providers.

At the heart of this is the Tandem mobile app, which acts as a Personal Finance Manager (PFM), including letting you aggregate your non-Tandem bank account data from other bank accounts or credit cards you might have, in addition to managing any Tandem products you’ve taken out. The company recently acquired fintech startup Pariti to beef up its account aggregation features.

However, what makes Tandem’s recent progress all the more interesting is that it comes after a definite bump in the road last year. This saw the company temporarily lose its banking license and forced to make lay-offs following the partial collapse of a £35 million investment round from department store House of Fraser, due to restrictions on capital leaving China. The remedy was further investment from existing backers and the bold move to acquire Harrods Bank, the banking arm of the U.K.’s most famous luxury department store.

As you can see, there is plenty to talk about. And some. So, why not grab your ticket to Disrupt Berlin to listen to the Tandem story. The conference will take place on November 29-30.

In addition to fireside chats and panels, like this one, new startups will participate in the Startup Battlefield Europe to win the highly coveted Battlefield cup.


Ricky Knox

CEO & Co-Founder, Tandem

Ricky is a serial investor and entrepreuner. He has built five technology disruptors in fintech and telecoms, each of which also does a bit of good for the world.

Before Tandem he founded Azimo and Small World, two remittance businesses, and is managing partner of Hexagon Partners, a private equity firm. He built Tandem to be a digital bank that helps improve customers’ lives with money.

Ricky has a first class degree from Bristol University and an MBA from INSEAD.

Call for smart home devices to bake in privacy safeguards for kids

A new research report has raised concerns about how in-home smart devices such as AI virtual voice assistants, smart appliances, and security and monitoring technologies could be gathering and sharing children’s data.

It calls for new privacy measures to safeguard kids and make sure age appropriate design code is included with home automation technologies.

The report, entitled Home Life Data and Children’s Privacy, is the work of Dr Veronica Barassi of Goldsmiths, University of London, who leads a research project at the university investigating the impact of big data and AI on family life.

Barassi wants the UK’s data protection agency to launch a review of what she terms “home life data” — meaning the information harvested by smart in-home devices that can end up messily mixing adult data with kids’ information — to consider its impact on children’s privacy, and “put this concept at the heart of future debates about children’s data protection”.

“Debates about the privacy implications of AI home assistants and Internet of Things focus a lot on the the collection and use of personal data. Yet these debates lack a nuanced understanding of the different data flows that emerge from everyday digital practices and interactions in the home and that include the data of children,” she writes in the report.

“When we think about home automation therefore, we need to recognise that much of the data that is being collected by home automation technologies is not only personal (individual) data but home life data… and we need to critically consider the multiple ways in which children’s data traces become intertwined with adult profiles.”

The report gives examples of multi-user functions and aggregated profiles (such as Amazon’s Household Profiles feature) as constituting a potential privacy risk for children’s privacy.

Another example cited is biometric data — a type of information frequently gathered by in-home ‘smart’ technologies (such as via voice or facial recognition tech) yet the report asserts that generic privacy policies often do not differentiate between adults’ and children’s biometric data. So that’s another grey area being critically flagged by Barassi.

She’s submitted the report to the ICO in response to its call for evidence and views on an Age Appropriate Design Code it will be drafting. This code is a component of the UK’s new data protection legislation intended to support and supplement rules on the handling of children’s data contained within pan-EU privacy regulation — by providing additional guidance on design standards for online information services that process personal data and are “likely to be accessed by children”.

And it’s very clear that devices like smart speakers intended to be installed in homes where families live are very likely to be accessed by children.

The report concludes:

There is no acknowledgement so far of the complexity of home life data, and much of the privacy debates seem to be evolving around personal (individual) data. It seems that companies are not recognizing the privacy implications involved in children’s daily interactions with home automation technologies that are not designed for or targeted at them. Yet they make sure to include children in the advertising of their home technologies. Much of the responsibility of protecting children is in the hands of parents, who struggle to navigate Terms and Conditions even after changes such as GDPR [the European Union’s new privacy framework]. It is for this reason that we need to find new measures and solutions to safeguard children and to make sure that age appropriate design code is included within home automation technologies.

“We’ve seen privacy concerns raised about smart toys and AI virtual assistants aimed at children, but so far there has been very little debate about home hubs and smart technologies aimed at adults that children encounter and that collect their personal data,” adds Barassi commenting in a statement.

“The very newness of the home automation environment means we do not know what algorithms are doing with this ‘messy’ data that includes children’s data. Firms currently fail to recognise the privacy implications of children’s daily interactions with home automation technologies that are not designed or targeted at them.

“Despite GDPR, it’s left up to parents to protect their children’s privacy and navigate a confusing array of terms and conditions.”

The report also includes a critical case study of Amazon’s Household Profiles — a feature that allows Amazon services to be shared by members of a family — with Barassi saying she was unable to locate any information on Amazon’s US or UK privacy policies on how the company uses children’s “home life data” (e.g. information that might have been passively recorded about kids via products such as Amazon’s Alexa AI virtual assistant).

“It is clear that the company recognizes that children interact with the virtual assistants or can create their own profiles connected to the adults. Yet I can’t find an exhaustive description or explanation of the ways in which their data is used,” she writes in the report. “I can’t tell at all how this company archives and sells my home life data, and the data of my children.”

Amazon does make this disclosure on children’s privacy — though it does not specifically state what it does in instances where children’s data might have been passively recorded (i.e. as a result of one of its smart devices operating inside a family home.)

Barassi also points out there’s no link to its children’s data privacy policy on the ‘Create your Amazon Household Profile’ page — where the company informs users they can add up to four children to a profile, noting there is only a tiny generic link to its privacy policy at the very bottom of the page.

We asked Amazon to clarify its handling of children’s data but at the time of writing the company had not responded to multiple requests for comment.

The EU’s new GDPR framework does require data processors to take special care in handling children’s data.

In its guidance on this aspect of the regulation the ICO writes: “You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.”

The ICO also warns: “The GDPR also states explicitly that specific protection is required where children’s personal data is used for marketing purposes or creating personality or user profiles. So you need to take particular care in these circumstances.”

Insurtech startup Setoo closes $9.3M Series A from Kamet, AXA’s accelerator

Given all the scams of the last few years, consumers are increasingly unwilling to spend money on what they see as irrelevant insurance products. That means many business have lost out on revenue.

Setoo is a UK startup which solves this problem, by helping online businesses to build and integrate simple insurance products tailor-made to the customer and automatically embedded into the customer journey.

Today Setoo announces it has closed an €8million ($9.3million) Series A funding round, bringing the total amount raised to date to €10.3million ($12million). The main investor in this and the seed round is Kamet, AXA’s ‘Insurtech’ startup studio.

Co-founder Eyal Gluska says “In French ‘c’est tout’ means ‘that’s it’. My chose the name Setoo to symbolise how simple and quick it is to create effective new protections products using the platform, and the simplicity of the products created for the consumer. This investment from Kamet is key to helping us expand across the EU and build further new products to empower more businesses to take control of insurance for their consumers.”

An example of how it works might be the instance of an OTA selling connecting flights from multiple airlines. Using Setoo, it can provide insurance to cover for missed flight connections if preceding flights are delayed or cancelled. In these situations, Setoo sends an automated SMS to the consumer on behalf of the OTA, explaining that a full refund has been provided and offering alternative flight suggestions. In another scenario, a tour operator selling ski holidays could insure against a lack of snow, fully automating payment and removing the hassle of the claims process for the customer.

Setoo is also licensed by the UK”s FCA to distribute products on behalf of insurers in the EU.

Commenting, Guillaume Borie, Chief Innovation Officer of the Group, AXA said: “Our investment in Setoo supports AXA’s strategy to build more impactful insurance platforms as one of our four key priorities for innovation and to become a partner for the end customer. Setoo’s platform enables digital businesses to create, through automation, new types of insurance that are more relevant to consumers.”

Setoo’s key competitors include ZhongAn, Moonshot and Qover. It differentiates from these competitors by providing its customers with the means to build protection products for themselves, quick and easy set-up, and its focus on exogenous events that could ruin the customer journey.

UK warns of satellite and space program problems in case of Brexit ‘no deal’

The UK government says that access to satellites and space surveillance programs will suffer in the event of a “no deal” departure from the European Union .

Britain has less than six months to go before the country leaves the 28 member state bloc, after a little over half the country voted to withdraw membership from the European Union in a 2016 referendum. So far, the Brexit process has been a hot mess of political infighting and uncertainty, bureaucracy and backstabbing — amid threats of coups and leadership challenges. And the government isn’t even close to scoring a deal to keep trade ties open, immigration flowing, and airplanes taking off.

Now, the government has further said that services reliant on EU membership — like access to space programs — will be affected.

The reassuring news is that car and phone GPS maps won’t suddenly stop working.

But the government said that the UK will “no longer play any part” of the European’s GPS efforts, shutting out businesses, academics and researchers who will be shut out of future contracts, and “may face difficulty carrying out and completing existing contracts.”

“There should be no noticeable impact if the UK were to leave the EU with no agreement in place,” but the UK is investing £92 million ($120m) to fund its own UK-based GPS system. The notice also said that the UK’s military and intelligence agencies will no longer have access to the EU’s Public Regulated Service, a hardened GPS system that enhances protections against spoofing and jamming. But that system isn’t expected to go into place until 2020, so the government isn’t immediately concerned.

The UK will also no longer be part of the Copernicus program, a EU-based earth observation initiative that’s a critical asset to national security as it contributes to maritime surveillance, border control and understanding climate change. Although the program’s data is free and open, the UK government says that users will no longer have high-bandwidth access to data from the satellites and additional data, but admits that it’s “seeking to clarify” the terms.

Although this is the “worst case scenario” in case of no final agreement on the divorce settlement from Europe, with just months to go and a distance to reach, it’s looking like a “no deal” is increasingly likely.

Uber drivers in Denmark could face fines for every ride they offered

The Danish Supreme Court has upheld large fines issued to several Uber drivers for operating without a taxi license, at a time when the ride-hailing giant was still running its non-licensed p2p driver UberPop service in the market.

The decision could mean more than a thousand additional Uber drivers who sold rides in Denmark could also be faced with a big bill.

The four drivers had appealed fines issues by the national court — of between DKK 40,000 (~$6,270) and DKK 486,500 (~$76,200) — but the Supreme Court judged the amounts to be appropriate.

The level of fines is based on the number of Uber rides each driver carried out. In the case of the largest fine the unnamed individual had apparently run up 5,427 Uber rides.

Uber drivers in Denmark have also faced demands for unpaid taxes this year, after Danish tax authorities found tax avoidance among almost all of them.

Meanwhile Uber pulled out of Denmark early last year, blaming a new taxi law which includes requirements such as mandatory fare meters and seat sensors. Though it says it continues to engage with local authorities to lobby for the kind of tech-friendly reform which would enable it to return.

When it left Denmark the company said it had more than 2,000 drivers in the market and 300,000 users.

According to AP, today’s Supreme Court judgement paves the way for fines to be issued against a further 1,500 people who had also driven for Uber without a taxi license. A spokesman for the Copenhagen police told Reuters it would assess the verdict and decide how to proceed next week.

At the end of 2016 Danish prosecutors sought to bring a test case against Uber’s European business, seeking to indict it on charges of assisting two drivers of breaking local taxi laws — likely contributing to Uber’s decision to shut up shop there.

In November of the same year the Danish Supreme Court also ruled Uber to be an illegal taxi service, rather than a ride-sharing platform as the company’s lawyers had sought to argue.

Since then Europe’s supreme court, the ECJ, has cemented that view of the business in the region, ruling at the end of last year that Uber is a transport company, not a platform — and locking the company into a new era of needing to work with local authorities to try to reform taxi laws, rather than just burning rubber over their rulebooks.

Under its current CEO Dara Khosrowshahi, Uber is certainly trying to put founder Travis Kalanick’s legacy way of doing business behind it — dispensing apologies and emollient words.

And seeking to enact a pivot to become a multi-modal transport platform — to be able to offer cities something other than just more traffic and congestion on already clogged and polluted roads.

This week it also debuted a new streamlined brand look, after hiring a new CMO Rebecca Messina, who spent two decades selling sugared water at Coca-Cola.

But even as Uber seeks to carve out a new, more progressive looking path its past practices keep coming back to bite it in the boot. And not to dent the company’s ambitions either; In Denmark it’s thousands of people who put their faith in its platform to sell driving services now faced with being on the hook for thousands of dollars worth of fines apiece.

Commenting on the Supreme Court ruling an Uber spokesperson told us: “We are very disappointed for the drivers involved and our top priority is to support them during this difficult time.

“We are changing the way we do business and are operating in line with local laws across Europe, connecting with professionally licensed drivers. Drivers who used the Uber app were key in providing a safe, reliable and affordable option to help hundreds of thousands of Danes get around Copenhagen.”

We also asked whether Uber would be paying fines issued to drivers in Denmark as a result of them offering an unlicensed service in the market. The company did not respond directly to our question, saying only that it is in the process of reviewing the Supreme Court ruling and its implications.

UK’s mass surveillance regime violated human rights law, finds ECHR

In another blow to the UK government’s record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law.

Arguments against the UK intelligence agencies’ bulk collection and data sharing practices were heard by the court in November last year.

In today’s ruling the ECHR has ruled that only some aspects of the UK’s surveillance regime violate human rights law. So it’s not all bad news for the government — which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by NSA whistleblower Edward Snowden, back in 2013.

The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it — reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges.

The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka ‘mass surveillance’); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers.

The challenge actually combines three cases, with the action brought by a coalition of civil and human rights campaigners, including the American Civil Liberties Union, Amnesty International, Big Brother Watch, Liberty, Privacy International and nine other human rights and journalism groups based in Europe, Africa, Asia and the Americas.

The Chamber judgment from the ECHR found, by a majority of five votes to two, that the UK’s bulk interception regime violates Article 8 of the European Convention on Human Rights (a right to respect for private and family life/communications) — on the grounds that “there was insufficient oversight both of the selection of Internet bearers for interception and the filtering; search and selection of intercepted communications for examination; and the safeguards governing the selection of ‘related communications data’ for examination were inadequate”.

The judges did not find bulk collection itself to be in violation of the convention but noted that such a regime must respect criteria set down in case law.

In an even more pronounced majority vote, the Chamber found by six votes to one that the UK government’s regime for obtaining data from communications service providers violated Article 8 as it was “not in accordance with the law”.

While both the bulk interception regime and the regime for obtaining communications data from communications service providers were deemed to have violated Article 10 of the Convention (the right to freedom of expression and information,) as the judges found there were insufficient safeguards in respect of confidential journalistic material.

However the Chamber did not rule against the government in two other components of the case — finding that the regime for sharing intelligence with foreign governments did not violate either Article 8 or Article 10.

While the court unanimously rejected complaints made by the third set of applicants, under Article 6 (right to a fair trial), about the domestic procedure for challenging secret surveillance measures, and under Article 14 (prohibition of discrimination).

The complaints in this case were lodged prior to the UK legislating for a new surveillance regime, the 2016 Investigatory Powers Act, so in coming to a judgement the Chamber was considering the oversight regime at the time (and in the case of points 1 and 3 above that’s the Regulation of Investigatory Powers Act 2000).

RIPA has since been superseded by IPA but, as noted above, today’s ruling will likely fuel ongoing human rights challenges to the latter — which the government has already been ordered to amend by other courts on human rights grounds.

Nor is it the only UK surveillance legislation judged to fall foul on that front. A few years ago UK judges agreed with a similar legal challenge to emergency surveillance legislation that predates IPA — ruling in 2015 that DRIPA was unlawful under human rights law. A verdict the UK Court of Appeal agreed with, earlier this year.

Also in 2015 the intelligence agencies’ own oversight court, the IPT, also found multiple violations following challenges to aspects of its historical surveillance operations, after they have been made public by the Snowden revelations.

Such judgements did not stop the government pushing on with the IPA, though — and it went on to cement bulk collection at the core of its surveillance modus operandi at the end of 2016.

Among the most controversial elements of the IPA is a requirement that communications service providers collect and retain logs on the web activity of the digital services accessed by all users for 12 months; state power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service; and state powers to hack devices, networks and services, including bulk hacking on foreign soil. It also allows the security agencies to maintain large databases of personal information on U.K. citizens, including individuals suspected of no crime.

On the safeguards front the government legislated for what it claimed was a “double lock” authorization process for interception warrants — which loops in the judiciary to signing off intercept warrants for the first time in the U.K., along with senior ministers. However this does not regulate the collection or accessing of web activity data that’s blanket-retained on all users.

In April this shiny new surveillance regime was also dealt a blow in UK courts — with judges ordering the government to amend the legislation to narrow how and why retained metadata could be accessed, giving ministers a deadline of November 1 to make the necessary changes.

In that case the judges also did not rule against bulk collection in general — declining to find that the state’s current data retention regime is unlawful on the grounds that it constituted “general and indiscriminate” retention of data. (For its part the government has always argued its bulk collection activities do not constitute blanket retention.)

And today’s ECHR ruling further focuses attention on the safeguards placed around bulk collection programs — having found the UK regime lacked sufficient monitoring to be lawful (but not that bulk collection itself is unlawful by default).

Opponents of the current surveillance regime will be busily parsing the ruling to find fresh fronts to attack.

It’s not the first time the ECHR has looked at bulk interception. Most recently, in June 2018, it deemed Swedish legislation and practice in the field of signals intelligence did not violate EU human rights law. Among its reasoning was that it found the Swedish system to have provided “adequate and sufficient guarantees against arbitrariness and the risk of abuse”.

However it said the Big Brother Watch and Others vs United Kingdom case being ruled upon today is the first case in which it specifically considered the extent of the interference with a person’s private life that could result from the interception and examination of communications data (as opposed to content).

In a Q&A about today’s judgement, the court notes that it “expressly recognised” the severity of threats facing states, and also how advancements in technology have “made it easier for terrorists and criminals to evade detection on the Internet”.

“It therefore held that States should enjoy a broad discretion in choosing how best to protect national security. Consequently, a State may operate a bulk interception regime if it considers that it is necessary in the interests of national security. That being said, the Court could not ignore the fact that surveillance regimes have the potential to be abused, with serious consequences for individual privacy. In order to minimise this risk, the Court has previously identified six minimum safeguards which all interception regimes must have,” it writes.

“The safeguards are that the national law must clearly indicate: the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed.”

(Additional elements the court says it considered in an earlier surveillance case, Roman Zakharov v. Russia, also to determine whether legislation breached Article 8, included “arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law”.)

Commenting on today’s ruling in a statement, Megan Goulding, a lawyer for Liberty, said: “This is a major victory for the rights and freedom of people in the UK. It shows that there is — and should be — a limit to the extent that states can spy on their citizens.

“Police and intelligence agencies need covert surveillance powers to tackle the threats we face today — but the court has ruled that those threats do not justify spying on every citizen without adequate protections. Our government has built a surveillance regime more extreme than that of any other democratic nation, abandoning the very rights and freedoms terrorists want to attack. It can and must give us an effective, targeted system that protects our safety, data security and fundamental rights.”

A Liberty spokeswoman also told us it will continue its challenge to IPA in the UK High Court, adding: “We continue to believe that mass surveillance can never be compliant in a free, rights-respecting democracy.”

Also commenting in a statement, Silkie Carlo, director of Big Brother Watch, said: “This landmark judgment confirming that the UK’s mass spying breached fundamental rights vindicates Mr Snowden’s courageous whistleblowing and the tireless work of Big Brother Watch and others in our pursuit for justice.

“Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public. This judgment is a vital step towards protecting millions of law-abiding citizens from unjustified intrusion. However, since the new Investigatory Powers Act arguably poses an ever greater threat to civil liberties, our work is far from over.”

A spokesperson for Privacy International told us it’s considering taking the case to the ECHR’s Grand Chamber.

Also commenting in a supporting statement, Antonia Byatt, director of English PEN, added: “This judgment confirms that the British government’s surveillance practices have violated not only our right to privacy, but our right to freedom of expression too. Excessive surveillance discourages whistle-blowing and discourages investigative journalism. The government must now take action to guarantee our freedom to write and to read freely online.”

We’ve reached out to the Home Office for comment from the UK government.

On intelligence sharing between governments, which the court had not previously considered, the judges found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies to have been set out with “sufficient clarity in the domestic law and relevant code of practice”, noting: “In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled.”

It also found “no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse” — hence finding the intelligence sharing regime did not violate Article 8.

On the portion of the challenge concerning complaints that UK intelligence agencies’ oversight court, the IPT, lacked independence and impartiality, the court disagreed — finding that the tribunal had “extensive power to consider complaints concerning wrongful interference with communications, and those extensive powers had been employed in the applicants’ case to ensure the fairness of the proceedings”.

“Most notably, the IPT had access to open and closed material and it had appointed Counsel to the Tribunal to make submissions on behalf of the applicants in the closed proceedings,” it also writes.

In addition, it said it accepted the government’s argument that in order to ensure the efficacy of the secret surveillance regime restrictions on the applicants’ procedural rights had been “both necessary and proportionate and had not impaired the essence of their Article 6 rights”.

On the complaints under Article 14, in conjunction with Articles 8 and 10 — that those outside the UK were disproportionately likely to have their communications intercepted as the law only provided additional safeguards to people known to be in Britain — the court also disgareed, rejecting this complaint as manifestly ill-founded.

“The applicants had not substantiated their argument that people outside the UK were more likely to have their communications intercepted. In addition, any possible difference in treatment was not due to nationality but to geographic location, and was justified,” it writes.