Did EU ruling invalidate the UK's bonkers Snoopers' Charter?

Interpretation is in the eye of the beholder. In this case, British courts

Analysis Yesterday's judgment from the EU Court of Justice offered hope to many of those critical of the wider culture of communications data retention, but what does this mean for the UK's Investigatory Powers Act?

Nothing immediately, of course. The original case will now go back to the UK's Court of Appeal, from whence it initially departed after the High Court found the government's last go at a Snoopers' Charter, the Data Retention and Investigatory Powers Act (DRIPA), to be unlawful.

The government disputed that finding, and that dispute escalated until we received yesterday's ruling. Now, the Court of Appeal will make a decision on whether DRIPA was indeed a valid law considering the requirements the EU has articulated that member states need to have in place when retaining and accessing citizens' communications data.

Responding to The Register yesterday, the Home Office admitted it was "disappointed with the judgment from the European Court of Justice and will be considering its potential implications" and suggested it was going to continue to dispute any rulings against it.

One can't help but suspect that disappointment must have been accompanied by a little anger too; the European Commission, that high table of unelected supremos nominated to run the budding superstate by its members, has long reflected those members' support of universal data retention obligations. It can't have been surprising that the court departed from their position, instead following its own Advocate General's opinion, but it will be a sore indictment of the government's own procedures in constructing the IPA, the darling legislation of the UK's new Prime Minister.

In an FAQ on the EU's data retention directive, published in a Commission memo back in 2014, they explained their belief in the activity even for ordinary policing matters:

Data retention enables the construction of trails of evidence leading up to an offence. It also helps to discern or corroborate other forms of evidence on the activities of and links between suspects and victims. In the absence of forensic or eye witness evidence, data retention is often the only way to start a criminal investigation. Generally, data retention appears to play a central role in criminal investigation even if it is not always possible to isolate and quantify the impact of a particular form of evidence in a given case.

The ruling counters such arguments, however, and explains that while European Union legislation does not prohibit data retention, it does consider indiscriminate data retention incompatible with the freedoms member states are required to allow their citizens.

These freedoms are specified by the EU's Charter of Fundamental Rights, and in the case of data retention it is particularly the protection of individual privacy and personal information that are violated. In order for data retention to be lawful it needs to meet certain requirements which show that it is not infringing those fundamental rights.

Those requirements, as the court stated, essentially demand that retention is targeted rather than general and indiscriminate; that access to retained data is only used for the purposes of investigating or preventing serious crime; and that access is only granted by independent bodies such as courts, rather than being signed off on by the coppers' bosses, which historically has failed to prevent unlawful police surveillance.

The result is going to be another deep dive into a topic which has been hotly disputed ever since the revelations provided by Edward Snowden; the argument over what qualifies as mass-surveillance; and what measures qualify as targeted.

Speaking to The Register, Graham Smith, an expert on snooping laws, and partner at law firm Bird & Bird, said: "Serious disagreements are likely over where the boundary lies between targeted and general data retention. There may be debate over the extent to which clear, precise and objective rules must be set out in the legislation, or how far targeting can be left to the government when deciding what kind of data retention notices to give to which operators."

In his take on the matter, David Anderson, the outgoing independent reviewer of terrorism legislation, acknowledged that the judgment was a significant departure from the existing belief in the value of mass data retention. He cited the above memo from the Commission, and wrote:

The proven utility of existing data retention powers is likely to mean that this bold judgment of the CJEU – based on its assessment that these powers constitute a “particularly serious” interference with privacy rights, and are “likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance” (para 100) – will be of serious concern to law enforcement both in the UK and in other Member States.

The court ruled that any requirements for retention and access to compulsorily retained communications data needed to be limited to issues involving serious crime, such as weapons trafficking or terrorism, which, as Smith said to The Register, was far more specific than currently allowed for under the IPA.

Anderson, who has reviewed the use of terrorism legislation for other forms of crimes, added that "access to retained traffic and location data is extremely useful to the police and other law enforcement authorities, not only in the investigation of serious crime but e.g. for missing persons investigations where serious crime may not yet be suspected."

The range of uses provided for under the IPA certainly extends well beyond serious crime, "including public health, taxation and the functioning of financial markets" as Angela Patrick of Doughty Street Chambers wrote on the UK Human Rights Blog.

The CJEU's finding corroborated that of the UK High Court in the initial Watson/Davis complaint. As noted by Open Rights Group, the government had argued for access to be provided for "the broader set of purposes in Article 13 of the Data Protection Directive 95/46 (now replaced by the GDPR)" which extends to economic matters and other areas, causing civil libertarians to warn of mission-creep and totalitarianism.

There are a number of areas in which the IPA seems to contravene the requirements set down by the CJEU, particularly in the court's requirement that access to communications data be subject to prior review by a court or independent body.

"While the IP Act introduces prior approval by a Judicial Commissioner of most warrants and notices," said Smith, "it does not do so for ordinary communications data demands" and when it does so, it is only allowed for the purposes of serious crime.

Smith told us that "the purposes for which access can ordinarily be obtained under both the existing DRIPA legislation and the IPA are wider than [the court provided for]. The IPA also provides warrants for bulk acquisition of communications data, which could include mandatorily retained data."

And as Patrick of Doughty Street Chambers stated: "What the CJEU has to say about surveillance and privacy may determine whether the IPA - also known by some as the Snoopers' Charter - has a long or a short shelf-life." Only may, because, as Patrick explained to The Register: "While [the CJEU ruling provides] serious grounds for existential challenge, the Act could be subject to amendment to bring it into line with CJEU."

So there we have it. Like a legal analogy of Schrödinger's cat, European judgments resulting from appeals cases can't be considered to have an effect in the UK until a British judge has observed them.

For now, readers should know that the Investigatory Powers Act (IPA) is still due to be commenced next Friday, 30 December, and even if some are suggesting that many of its provisions have been determined to be unlawful by yesterday's EU ruling, their interpretation will ultimately be decided upon by a domestic court in Blighty. ®
