UK spy agencies broke privacy rules by collecting large amounts of UK citizens' data without adequate oversight, the Investigatory Powers Tribunal (IPT) has ruled.
Complaints about data collection by GCHQ, MI5 and MI6 were put forward by campaign group Privacy International.
The ruling said some data collection did not comply with the European Convention on Human Rights (ECHR).
But it added that proper statutory supervision was put in place last year.
It was a "highly significant judgement", Privacy International said.
As part of its review of the spy agencies' activities, the IPT examined the organisations' collection of communications data - involving the "who, where, when, how and with whom" was involved in conversations, but not their contents - and personal information about people.
Such data is "vital for identifying and developing intelligence targets", according to GCHQ.
Article 8 of the ECHR states, however, that all citizens have the right to a private life and that any interference with personal data must be lawful and necessary.
"It is very significant," said Graham Smith of London law firm Bird & Bird.
He added that much of the data collection had been carried out under an older piece of law - section 94 of the Telecommunications Act 1984.
"It gave absolutely no clue at all that it could be used for this particular purpose," said Mr Smith.
"Everyone accepts that what the agencies do operationally has to be secret, but the laws that say what they can and can't do shouldn't be secret."
An official policy about how such data collection should be carried out lawfully came into force in February 2015 - this was put into practice by the intelligence agencies later the same year.
It included guidance as to how collected data should be acquired, managed and destroyed
The tribunal found that, prior to this, personal datasets compiled by spy agencies did not comply with Article 8 and were therefore "unlawful".
"The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens," said the Home Office in a statement.
"We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes."
It added that the government was "committed" to providing greater transparency and stronger safeguards for bulk data collection powers available to intelligence agencies.