European court delivers blow to Snoopers’ Charter

Parts of the controversial Investigatory Powers Act relating to the bulk collection of communications data have been ruled unlawful by the European Court of Justice

The European Court of Justice (CJEU) in Luxembourg has delivered a major blow to the controversial Investigatory Powers (IP) Act – the so-called Snoopers’ Charter – after ruling that parts of the law related to the retention of communications data for 12 months are unlawful.

The IP Act passed through Parliament in November 2016 as a replacement for the expiring Data Retention and Investigatory Powers Act (Dripa), passed in 2014, which enabled unprecedented levels of state surveillance in the UK.

The case was originally brought against Dripa by Labour MP Tom Watson and current Brexit secretary David Davis – although Davis withdrew his name from the action after his elevation to the Cabinet in July 2016. In 2015, the UK High Court found parts of Dripa to be unlawful and incompatible with European law, in response to which the government appealed and the case was then referred to the CJEU.

Like its predecessor, the IP Act was heavily criticised for enabling public bodies to grant themselves access to details of internet usage and telephone calls without suspicion of crime or independent sign-off. The list of organisations that would be allowed access to this data under the IP Act includes police and security services, but also bodies such as the Department for Transport and the Food Standards Agency.

In its judgment, which also referenced a similar case in Sweden, the CJEU found that European Union (EU) law precluded national legislation that prescribed general and indiscriminate retention of data. It said blanket data retention was not allowed, that an independent body must authorise any access to data, that only the data of those suspected of serious crimes could be accessed, and that those who had their data accessed must be notified.

“The court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained,” the CJEU said.

“The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.

“The court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the charter.”

Watson said the ruling proved it was counter-productive to rush bills through Parliament without proper scrutiny. “At a time when we face a real and ever-present terrorist threat, the security forces may require access to personal information that none of us would normally hand over,” he said. “That is why it is absolutely vital that proper safeguards are put in place to ensure this power is not abused, as it has been in the recent past.

“Most of us can accept that our privacy may occasionally be compromised in the interests of keeping us safe, but no one would consent to giving the police or the government the power to arbitrarily seize our phone records or emails to use as they see fit.

“It is for judges, not ministers, to oversee these powers. I am pleased the court has upheld the earlier decision of the UK courts.”

Civil rights organisation Liberty, which represented Watson’s case, said the judgment upheld the right of ordinary people not to be spied on without good reason.

Liberty director Martha Spurrier called on the government to make urgent changes to the IP Act to comply with the ruling.

“This is the first serious post-referendum test for our government’s commitment to protecting human rights and the rule of law,” she said. “The UK may have voted to leave the EU, but we didn’t vote to abandon our rights and freedoms.”

Open Rights Group executive director Jim Killock added: “The government knew this judgment was coming, but Theresa May was determined to push through her Snoopers’ Charter regardless. The government must act quickly to rewrite the IP Act or be prepared to go to court again.”

A Home Office spokesperson said: “We are disappointed with the judgment from the European Court of Justice and will be considering its potential implications.

“It will now be for the Court of Appeal to determine the case. The government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access.

“Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public.”
