[Chriky]

The legal challenges and confusion relate mainly to the distinction between "targeting" a person's communications (i.e. the actual content of their emails and phone calls), and the bulk collection of "metadata".

5-EYES countries agree to not "target" each others citizens, i.e. to actually hack their devices or listen to their phones.

---

GCHQ's bulk collection of metadata was ruled legal but they had failed to provide some information to the surveillance watchdog, which is why the watchdog retrospectively ruled a period of it's operation (7 years) unlawful.

It did not become lawful after IPA, it was always allowed (rightly or wrongly), they just failed to provide sufficient information about the programme to the watchdog. IPA didn't pass until 2016, well after the programme had been ruled lawful under existing laws.