Britain’s surveillance laws have been deemed illegal by the European Court of Justice in a case that throws into question the fate of the UK’s new Investigatory Powers Act.
On Wednesday, the ECJ ruled the legislation was illegal because it allowed “general and indiscriminate” retention of electronic communications. The judgment said member states could perform “targeted retention of that data solely for the purpose of fighting serious crime” but not the mass and indiscriminate data collection of everyone in Britain allowed by a new UK spying regime.
This type of legislation “cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter”, the ECJ said, referring to the charter of European human rights.
One of the politicians who originally brought the case was David Davis, now the Brexit minister, who has the task of taking Britain out of the jurisdiction of the Luxembourg court. As a backbencher, however, earlier this year Mr Davis turned to the ECJ in an effort to defend British civil liberties. Mr Davis withdrew from the case after becoming Brexit secretary in July.
The Home Office said it was “disappointed” with the judgment and would consider its implications.
Mr Davis brought the case challenging the UK’s rules on data retention, under the Data Retention and Investigatory Powers Act 2014 (Dripa), together with Tom Watson, deputy leader of the opposition Labour party.
Although Dripa is due to be repealed by the end of this year, the Investigatory Powers Act (IPA) will be adopted in 2017. The latter significantly expands the mass data-gathering powers challenged in this case.
Specifically, the new law compels internet and phone companies to keep the records of every phone call made and every website visited by any of their users for 12 months. Not only would telecoms companies have a list of every site visited or call made, they would also record the date, time and duration of these actions.
Dozens of public organisations and departments ranging from the police, HM Revenue & Customs, customs officials and intelligence agencies, to the NHS, the Department of Health, the Food Standards Agency and the Gambling Commission, will be able to access the communications of people in Britain, in some cases without a warrant.
However, the ECJ’s ruling creates another major source of post-Brexit uncertainty for UK businesses because EU rules forbid the sharing of personal data with countries that do not meet its strict data privacy standards.
British officials will be looking at the precedent of the US, which has repeatedly come up against such rules. This year, officials on both sides of the Atlantic had to cobble together a new deal on data transfers after a previous one — itself a result of laborious negotiation — was struck down by the European courts.
The new deal, known as Privacy Shield, was essential to provide a legal means for businesses to transfer personal data online — whether payslips, pictures or healthcare data — to the US from the EU without falling foul of Europe’s privacy regulations.
Wednesday’s ruling means Britain could now struggle to convince the EU that its data protection standards are up to scratch, a headache not only for companies but also for law enforcement authorities.
“The government is breaking the law by indiscriminately collecting the nation’s internet activity and phone records and letting hundreds of public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off — meaning significant parts of its new ‘snoopers charter’ are effectively unlawful,” said Liberty, the human rights organisation supporting Mr Watson.
Lawyers believe the ECJ’s ruling will force the hand of the UK government to amend the law and limit its remit.
“The provisions in the two laws are extremely similar so it is perfectly logical that the rationale will apply equally to the new [act], and it will have to be amended,” said Richard Cumbley, partner at law firm Linklaters. “There is no doubt the government, if it takes on board the decision, will have to apply more restrictive rules both to the types of data stored and the conditions under which it can be accessed.”
Large swaths of the Investigatory Powers Act will remain unaffected by the ECJ ruling, however, including the ability to “bulk hack” citizens’ communications and force technology companies to create a backdoor into their products so that communications can be accessed.
Mr Watson said: “This ruling shows it’s counter-productive to rush new laws through parliament without a proper scrutiny.
“At a time when we face a real and ever-present terrorist threat, the security forces may require access to personal information none of us would normally hand over. That’s why it’s absolutely vital that proper safeguards are put in place to ensure this power is not abused, as it has been in the recent past.
“Most of us can accept that our privacy may occasionally be compromised in the interests of keeping us safe, but no one would consent to giving the police or the government the power to arbitrarily seize our phone records or emails to use as they see fit. It’s for judges, not ministers, to oversee these powers. I’m pleased the court has upheld the earlier decision of the UK courts.”
Copyright The Financial Times Limited . All rights reserved. Please don't copy articles from FT.com and redistribute by email or post to the web.