High Court gives UK.gov six months to make the Snooper's Charter lawful

Doesn't comply with EU rules, say judges, but you knew that

The UK government's surveillance regime has been dealt another blow as the High Court in England today ruled the Snooper's Charter unlawful – and gave the government six months to fix it.

Handing down the judgment, Lord Justice Rabinder Singh said that Part 4 of the Investigatory Powers Act (IPA), which relates to retention of communications data, was incompatible with EU law, and gave the government until 1 November 2018 to remedy it.


The ruling is the latest instalment in a long-running and complex legal battle between the government and various privacy campaign groups over the state's extensive surveillance laws.

In this case, brought by civil rights group Liberty, the court considered the powers granted to the government to force internet firms and telcos to store data on communications – like location info and records of when and to whom calls or messages were made – for up to a year. These powers came into force on 30 December 2016.

Lord Justice Singh and Justice David Holgate ruled that Part 4 was incompatible with the EU Charter of Fundamental Rights for two reasons: ministers can issue data retention orders without independent review, and this can be done for reasons other than serious crime.

However, the judges declined to rule Part 4 inconsistent with EU law on the ground that it provides for "general and indiscriminate retention of traffic and location data".

Liberty had asked that this be applied based on a section in a landmark Court of Justice of the European Union (CJEU) judgment in 2016, which deemed indiscriminate data retention illegal, and a subsequent related decision from the UK Court of Appeal.

The judges said that it was "plain" that this was based on the language of the Swedish legislation that was also part of the case, adding that they "do not think it could possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data".

Despite this loss, today's decision is significant because – unlike previous cases, which were about the now-expired Data Retention and Investigatory Powers Act (DRIPA) – this refers to current legislation.

Don't drag your feet

The government has refused to see the ruling as a defeat on the grounds that it has already conceded the Act doesn't comply with European laws. Back in November, it proposed a set of changes it thinks will bring the Act in line, for instance by creating a new body, the Office for Communications Data Authorisation, to review and approve notices.

But it did lose its request, made during the February hearing, that it be given until April 2019 to enact the changes. The judges today ruled that they "see no reason why the legal framework cannot be amended before April 2019", even if some practical arrangements take longer.

They added that it "would not be just or appropriate for the Court simply to give the Executive a carte blanche to take as long as it likes in order to secure compliance with EU law" – but noted that they would not immediately disapply Part 4, citing "the resultant chaos and damage to the public interest which that would undoubtedly cause in this country".

However, it's unlikely that this will be the end of discussion over this part of the Act as privacy campaigners have said that a number of the changes proposed by the government don't meet the spirit of the 2016 CJEU ruling.

For instance, the government's solution to the fact data isn't retained only in serious cases was simply to lower the bar defining "serious".

Rather than the commonly used threshold of a three-year prison sentence, the government plumped for just six months. It also chose the threshold that an adult should be "capable" of being imprisoned for this time, as opposed to that they should "reasonably expect" it.


Many of the consultation responses (PDF) have pointed out that this would cover a large range of crimes, rendering it "almost meaningless" (PDF) in practice, and that it conflicts with other definitions in the IPA scheme.

If the government sticks by its definition, it can reasonably expect to end up in court again.

Liberty, meanwhile, is already working up the next phase of its challenges to the IPA – which covers parts 5, 6 and 7: government hacking, bulk warrants and bulk personal data set warrants – and has today launched a crowdfunding campaign to pay for the battle.

A number of related issues are still awaiting a decision from the CJEU; in today's ruling the court chose to stay issues related to national security and notification of people affected by data retention and access pending a decision of the CJEU in a related case brought by Privacy International. ®
