Analysis Yesterday's judgment from the EU Court of Justice offered hope to many of those critical of the wider culture of communications data retention, but what does this mean for the UK's Investigatory Powers Act?
Nothing immediately, of course. The original case will now go back to the UK's Court of Appeal, from whence it initially departed after the High Court found the government's last go at a Snoopers' Charter, the Data Retention and Investigatory Powers Act (DRIPA), to be unlawful.
The government disputed that finding, and that dispute escalated until we received yesterday's ruling. Now, the Court of Appeal will make a decision on whether DRIPA was indeed a valid law considering what requirements the EU has articulated member states' need to have in place when retaining and accessing citizens' communications data.
Responding to The Register yesterday, the Home Office admitted it was "disappointed with the judgment from the European Court of Justice and will be considering its potential implications" and suggested it was going to continue to dispute any rulings against it.
One can't help but suspect that disappointment must have been accompanied by a little anger too; the European Commission, that high table of unelected supremos nominated to run the budding superstate by its members, has long reflected those members' support of universal data retention obligations. It can't have been surprising that the court departed from their position, instead following its own Advocate General's opinion, but it will be a sore indictment of the government's own procedures in constructing the IPA, the darling legislation of the UK's new Prime Minister.
In an FAQ on the EU's data retention directive, published in a Commission memo back in 2014, they explained their belief in the activity even for ordinary policing matters:
The ruling counters such arguments however, and explains that while European Union legislation does not prohibit data retention, it does consider indiscriminate data retention as incompatible with the freedoms member states are required to allow of their citizens.
These freedoms are specified by the EU's Charter of Fundamental Rights, and in the case of data retention it is particularly the protection of individual privacy and personal information that are violated. In order for data retention to be lawful it needs to meet certain requirements which show that is not infringing those fundamental rights.
Those requirements, as the court stated, essentially demand that retention is targeted rather than general and indiscriminate; that access to retained data is only used for the purposes of investigating or preventing serious crime; and that access is only granted by indpendent bodies such as courts, rather than being signed off on by the coppers' bosses, which historically has failed to prevent unlawful police surveillance.
The result is going to be another deep dive into a topic which has been hotly disputed ever since the revelations provided by Edward Snowden; the argument over what qualifies as mass-surveillance; and what measures qualify as targeted.
Speaking to The Register, Graham Smith, an expert on snooping laws, and partner at law firm Bird & Bird, said: "Serious disagreements are likely over where the boundary lies between targeted and general data retention. There may be debate over the extent to which clear, precise and objective rules must be set out in the legislation, or how far targeting can be left to the government when deciding what kind of data retention notices to give to which operators."
In his take on the matter, David Anderson, the outgoing independent reviewer of terrorism legislation, acknowledged that the judgment was a significant departure from the existing belief in the value of mass data retention. He cited the above memo from the Commission, and wrote:
The court ruled that any requirements for retention and access to compulsorily retained communications data needed to be limited to issues involving serious crime, such as weapons trafficking or terrorism, which, as Smith said to The Register, was far more specific than currently allowed for under the IPA.
Anderson, who has reviewed the use of terrorism legislation for other forms of crimes, added that "access to retained traffic and location data is extremely useful to the police and other law enforcement authorities, not only in the investigation of serious crime but e.g. for missing persons investigations where serious crime may not yet be suspected."
The range of uses provided for under the IPA certainly extends well beyond serious crime, "including public health, taxation and the functioning of financial markets" as Angela Patrick of Doughty Street Chambers wrote on the UK Human Rights Blog.
The CJEU's finding corroborated that of the UK High Court in the initial Watson/Davis complaint. As noted by Open Rights Group, the government had argued for access to be provided for "the broader set of purposes in Article 13 of the Data Protection Directive 95/46 (now replaced by the GDPR)" which extends to economic matters and other areas, causing civil libertarians to warn of mission-creep and totalitarianism.
There are a number of areas in which the IPA seems to contravene the requirements set down by the CJEU, particularly in the court's requirement that access to communications data be subject to prior review by a court or independent body.
"While the IP Act introduces prior approval by a Judicial Commissioner of most warrants and notices," said Smith, "it does not do so for ordinary communications data demands" and when it does so, it is only allowed for the purposes of serious crime.
Smith told us that “the purposes for which access can ordinarily be obtained under both the existing DRIPA legislation and the IPA are wider than [the court provided for]. The IPA also provides warrants for bulk acquisition of communications data, which could include mandatorily retained data."
And as Patrick of Doughty Street Chambers stated: "What the CJEU has to say about surveillance and privacy may determine whether the IPA - also known by some as the Snoopers' Charter - has a long or a short shelf-life." Only may, because, as Patrick explained to The Register: "While [the CJEU ruling provides] serious grounds for existential challenge, the Act could be subject to amendment to bring it into line with CJEU."
So there we have it. Like a legal analogy of Schrödinger's cat, European judgments resulting from appeals cases can't be considered to have an effect in the UK until a British judge has observed them.
For now, readers should know that the Investigatory Powers Act (IPA) is still due to be commenced next Friday, 30 December, and even if some are suggesting that many of its provisions have been determined to be unlawful by yesterday's EU ruling, their interpretation will ultimately be decided upon by a domestic court in Blighty. ®