According to the tribunal, the security services failed to comply with the article 8 of the European Convention on Human Rights (ECHR) between the start of the collection of bulk communications data in 1998 and November 2015, when it was made public, the Guardian reports.
The tribunal also said that the retention of bulk personal datasets didn't comply with the same article until it's public acknowledgement in March 2015.
The presiding judge said in the ruling that the data collection and retention regimes also lacked statutory oversight, and that "it seems difficult to conclude that the use of BCD [bulk communications data] was foreseeable by the public, when it was not explained to parliament ... "
The UK House of Lords is currently debating the investigatory powers bill (also known as "the snooper's charter") which is intended to put mass digital surveillance on a solid legal footing in the UK for the first time since the disclosures by Edward Snowden, according to the Guardian.
Since their reveal in 2015, the regimes used to collect and retain data have been legal, a government spokesperson said to the Guardian. According to Ars Technica, article 8 of the ECHR, which protects an individual's "right to respect for private and family life", started to apply only after the surveillance was made public.