High Court gives UK.gov six months to make the Snooper's Charter lawful

The UK government's surveillance regime has been dealt another blow as the High Court in England today ruled the Snooper's Charter unlawful – and gave the government six months to fix it.

Handing down the judgment, Lord Justice Rabinder Singh said that Part 4 of the Investigatory Powers Act (IPA), which relates to retention of communications data, was incompatible with EU law, and gave the government until 1 November 2018 to remedy it.

The ruling is the latest instalment in a long-running and complex legal battle between the government and various privacy campaign groups over the state's extensive surveillance laws.

In this case, brought by civil rights group Liberty, the court considered the powers granted to the government to force internet firms and telcos to store data on communications – like location info and records of when and to whom calls or messages were made – for up to a year. These powers came into force on 30 December 2016.

Lord Justice Singh and Justice David Holgate ruled that Part 4 was incompatible with the EU Charter of Fundamental Rights for two reasons: ministers can issue data retention orders without independent review, and this can be done for reasons other than serious crime.

However, the judges declined to rule Part 4 inconsistent with EU law because it provides for "general and indiscriminate retention of traffic and location data".

Liberty had asked that this be applied based on a section in a landmark Court of Justice of the European Union (CJEU) judgment in 2016, which deemed indiscriminate data retention illegal, and a subsequent related decision from the UK Court of Appeal.

The judges said that it was "plain" that this was based on the language of the Swedish legislation that was also part of the case, adding that they "do not think it could possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data".

Despite this loss, today's decision is significant because – unlike previous cases, which were about the now-expired Data Retention and Investigatory Powers Act (DRIPA) – this refers to current legislation.

Don't drag your feet

The government has refused to see the ruling as a defeat on the grounds that it has already conceded the Act doesn't comply with European laws. Back in November, it proposed a set of changes it thinks will bring the Act in line, for instance by creating a new body, the Office for Communications Data Authorisation, to review and approve notices.

But it did lose its request, made during the February hearing, that it be given until April 2019 to enact the changes. The judges today ruled that they "see no reason why the legal framework cannot be amended before April 2019", even if some practical arrangements take longer.

They added that it "would not be just or appropriate for the Court simply to give the Executive a carte blanche to take as long as it likes in order to secure compliance with EU law" – but noted that they would not immediately disapply Part 4, citing "the resultant chaos and damage to the public interest which that would undoubtedly cause in this country".

However, it's unlikely that this will be the end of discussion over this part of the Act as privacy campaigners have said that a number of the changes proposed by the government don't meet the spirit of the 2016 CJEU ruling.

For instance, the government's solution to the fact data isn't retained only in serious cases was simply to lower the bar defining "serious".

Rather than the commonly used threshold of a three-year prison sentence, the government plumped for just six months. It also chose the threshold that an adult should be "capable" of being imprisoned for this time, as opposed to that they should "reasonably expect" it.

Many of the consultation responses (PDF) have pointed out that this would cover a large range of crimes, rendering it "almost meaningless" (PDF) in practice, and that it conflicts with other definitions in the IPA scheme.

If the government sticks by its definition, it can reasonably expect to end up in court again.

Liberty, meanwhile, is already working up the next phase of its challenges to the IPA – which refers to parts 5, 6 and 7, government hacking, bulk warrants and bulk personal data set warrants – and has today launched a crowdfunding campaign to pay for the battle.

A number of related issues are still waiting a decision from the CJEU; in today's ruling the court chose to stay issues related to national security and notification of people affected by data retention and access pending a decision of the CJEU in a related case brought by Privacy International. ®