The UK’s Court of Appeal has ruled that the government’s unfettered slurping of citizens’ data broke the law.
In a judgment handed down this morning, judges backed a challenge brought by deputy Labour leader Tom Watson in a long-running battle against state surveillance rules.
These laws allow for ISPs and telcos to retain communications data for up to a year and for public authorities to get access to this information. But campaigners have argued it fails to properly restrict this retention and access.
Today's ruling refers to the Data Retention and Investigatory Powers Act, which expired at the end of 2016, but will have significant implications for its successor, the Investigatory Powers Act.
The so-called Snoopers’ Charter was already under pressure following a landmark 2016 ruling from the Court of Justice of the European Union, and today’s judgment adds weight to this.
In the document, the judges also note: “As [Ben] Jaffey QC, on behalf of the first respondent, pointed out in the course of his oral submissions, that the fact that DRIPA has been repealed does not make this a pointless exercise”.
Their ruling was that DRIPA “was inconsistent with EU law” because it did not limit access to retained communications data solely to the purpose of fighting serious crime.
It also broke the law because police forces and public authorities could themselves grant access to retained data – rather than access being subject to prior review by a court or an independent administrative authority.
This cements the CJEU’s opinions, with Martha Spurrier - director of Liberty, which represented Watson in the case - saying that it “tells ministers in crystal clear terms that they are breaching the public’s human rights”.
UK.gov admits Investigatory Powers Act illegal under EU lawREAD MORE
The government has already been forced to admit that chunks of the Investigatory Powers Act are illegal, issuing a set of amendments it hoped would plaster over the faults and bring it into line.
But Liberty described these as “half-baked plans [that] do not even fully comply with past court rulings requiring mandatory safeguards” - even without today’s decision.
Of particular concern from privacy activists was the plan to lower the threshold for “serious crime” to six months (rather than three years) in prison - effectively making it easier for the government to slurp up people’s data.
Big Brother Watch’s response to the consultation also picked apart the government’s reading of the CJEU judgment, criticising the assertion that the government’s data retention regime isn't "general and indiscriminate”.
It also expressed disappointment that the proposed Office of Communications Data Authorisations – which will sign off on communications data requests instead of the public bodies themselves – would not be a judicial body.
In addition, Big Brother Watch said the fact the proposed rules also allow for “urgent requests” to be signed off internally without retrospective assessment by the OCDA weakened safeguards in these cases.
Today’s judgement did not consider whether the CJEU’s decision should refer to national security - predictably, the government says no and campaign groups say yes - and instead stuck to the matters of serious crime.
The judges said that it was not necessary for that court to come to a conclusion on this because it was to be considered by the Investigatory Powers Tribunal and is now subject to a further reference to the CJEU. ®
Sponsored: Webcast: Ransomware has gone nuclear