Government given six months to rewrite snoopers’ charter

Serious constitutional issues

The case, which according to the two judges raised serious constitutional issues, is the first part of an ongoing legal challenge by Liberty over the lawfulness of the Investigatory Powers Act.

“Police and security agencies need tools to tackle serious crime in the digital age, but creating the most intrusive surveillance regime of any democracy in the world is unlawful, unnecessary and ineffective,” said Martha Spurrier, director of the non-governmental organisation.

The judgment follows a decision by the court of appeal in January, which found that near-identical powers in the government’s previous surveillance law – the Data Retention and Investigatory Powers Act (Dripa) – were unlawful, because they allowed public bodies to order the retention of the public’s internet and phone activity without suspicion of serious crime or independent sign-off.

The case focuses on Part 4 of the Investigatory Powers Act, which allows the government to order communications companies to store records of who people call, text and email, when and how often, and their customers’ web browsing activities.

A wide range of public bodies, ranging from police to regulators, can access the information for reasons that fall far short of investigating national security or serious crime.

“Today’s ruling focuses on just one part of a law that is rotten to the core. It still lets the state hack our computers, tablets and phones, hoover up information about who we speak to, where we go and what we look at online, and collect profiles of individual people, even without any suspicion of criminality”

Liberty asked the court to declare parts of the act unlawful on the grounds that it permits the government to compel retention of the public’s data with no independent authorisation, allows data retention for purposes which fall short of “serious crime”, and for a wide range of non-criminal purposes, such as collecting tax and regulating financial services.

The court declined to rule whether retaining data for the purposes of protecting health, for tax matters, regulation of financial services and markets, and financial stability were lawful, on the grounds that the government has already announced plans to amend this part of the legislation.

The government conceded last year that Part 4 of the IPA was inconsistent with the requirements of EU law, following a decision by the court of appeal in January, which ruled that the near-identical powers in the government’s previous surveillance law, Dripa, were unlawful.

Lawyers for the government argued in court hearings that it should be given until April 2019 to make changes to the Investigatory Powers Act, after the court heard that the creation of an independent body – the Office for Communications Data Authorisations (OCDA) – to oversee the authorisation of data retention orders had been delayed by a year, following a series of IT problems.

But the court ruled there was no reason why the legal framework should not be amended before April 2019, even if the practical arrangements for the establishment of the OCDA needed to wait until then. The Investigatory Powers Commissioner announced the appointment of 13 judicial commissioners in October 2017, who will have independent oversight of surveillance, the judgment noted.

No general and indiscriminate retention of data

The court rejected Liberty’s arguments that the Investigatory Powers Act permits “general and indiscriminate retention of data”.

The 2016 act requires each retention notice to be statutory and proportionate, and the “rigorous approach” required by the act will be reinforced when provisions for independent scrutiny by judicial commissioners are brought into force, it said.

The human rights group also asked the court to refer questions of EU law to the European Court of Justice (CJEU), including whether EU privacy laws apply to data retention laws issued for national security purposes, and whether internet service providers and phone companies must retain data in the EU to comply with EU data protection requirements.

The court decided not to refer the questions to the CJEU, as they are already subject to similar questions raised in a separate case brought by Privacy International last year in the UK’s most secret court, the Investigatory Powers Tribunal.

More legal challenges planned

Liberty said it planned to raise further legal challenges against the Investigatory Powers Act and was seeking crowdfunding to meet its legal costs.

“Today’s ruling focuses on just one part of a law that is rotten to the core. It still lets the state hack our computers, tablets and phones, hoover up information about who we speak to, where we go and what we look at online, and collect profiles of individual people, even without any suspicion of criminality,” said Spurrier.

The Open Rights Group, a digital rights campaign group, said that while it welcomed the government’s plans to create an independent oversight body for data retention, it was disappointed that the courts had not challenged the wide-ranging scope of the retention in the UK.

Javier Ruiz, policy director at Open Rights Group, said: “We believe the proposed thresholds for access to data are too low to comply with the requirements of the courts to restrict access to serious crime. We are disappointed the court decided to narrowly focus on access to records, but did not challenge the general and indiscriminate retention of communications data.”