The UK Home Office has acknowledged that it is preparing to accept a landmark EU ruling from last year which restated that access to retained data must only be given in cases of serious crime, unlike the range of cases provided for under the new Investigatory Powers Act.
When the Court of Justice of the European Union (CJEU) handed down its judgment last December, the Home Office said it was "disappointed with the judgment... and will be considering its potential implications".
Among those implications was the requirement for a far higher bar to access the range of data which the government had made it a legal requirement for ISPs to store on their users, including prohibiting the police and public bodies from authorising their own access to this data. Instead the CJEU ruling requires that access requests receive prior authorisation by independent courts or similar bodies.
The Home Office has been quiet as to what such bodies may look like, and whether it would seek to comply at all with the ruling, which will be formally reckoned with by the UK's Court of Appeal in the coming months. It has stated that "the government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access."
Other than the notable omission of a draft code of practice on communications data alongside the other draft codes published last month, it has been unclear whether the Home Office had paid any attention to the ruling at all – until last Friday, when an IT tender relating to the Investigatory Powers Act made mention of "a new communications data independent authorising body", which was spotted by the Open Rights Group.
Regarding the new authorising body, a Home Office spokesperson repeated to The Register that it was "disappointed" and "carefully considering [the ruling's] implications".
"The government will vigorously defend the fundamental powers in the Investigatory Powers Act because they are vital to the police and intelligence agencies in arresting criminals, prosecuting paedophiles and preventing terrorist attacks," the spokesperson added. "We will provide Parliament and the courts with an update on our response to the judgment in due course."
While the ambiguity of "in due course" has become something of a running joke for those asking questions of the department, the Home Office did also inform us that, although the CJEU ruling was specifically directed at DRIPA, a previous bit of legislation which the Investigatory Powers Act replaced, it was currently considering how the ruling would affect the new Snoopers' Charter.
"We are exploring options for ensuring we comply with any ruling but no final decisions have been taken," the department said. "Our guiding principle is keeping people, families and communities safe and it is only right that the Government prepares for all eventualities."
The Open Rights Group's executive director Jim Killock said: "The government is still silent on what it expects to do after the CJEU ruling explained that limits must be placed on the retention of our phone and email records. The government now needs to explain what changes it proposes. The Home Office must be fairly clear about what it thinks it needs to do, as it is busy lining up IT firms to move authorisation from the police to a new independent body.
"This change would be welcome, but we would expect this to be a matter for Parliament to hear about first, rather than IT contractors. Perhaps the government is embarrassed about admitting its years of errors in allowing internal police sign off for people's phone and email records. However, MPs and the public need to hear exactly what is proposed and why it is needed." ®