PRESS RELEASE: Landmark ruling by European Court could render the UK Government’s new ‘Snoopers Charter’ unlawful

The Court of Justice of the European Union (“CJEU”) has today delivered a landmark judgment that will have major significance for the UK Government’s new ‘Snoopers’ Charter’. Just weeks after the Investigatory Powers Act became law, ministers might be forced to rewrite large parts of it.

The CJEU has today ruled that “general and indiscriminate retention” of data is prohibited.

Instead, if a nation like the UK wishes to ask service providers to retain data, it can only do so if that retention and any access to the data is strictly necessary for the purpose of fighting serious crime. Further, access to the retained data by the Government must be:

• Subject to prior review by a court or independent authority; and
• Notice must be given to people affected by the retention, as soon as such notice would no longer jeopardise the investigation, so those people can if necessary exercise their legal rights.

The case originated, in part, in a challenge to the UK’s Data Retention and Investigatory Powers Act 2014 (“DRIPA”), which enabled the UK Government to retain people’s data on a widespread, indiscriminate and untargeted basis. These powers have been replicated and expanded in the ‘Snoopers’ Charter’.

Privacy International intervened in the case together with Open Rights Group, arguing that wholesale and indiscriminate retention of data is not permissible and violates European Union law.

The case, which went to the CJEU at the request of the UK Court of Appeal, will now go back to that Court of Appeal.

While today’s judgment was not specifically about the newly passed Investigatory Powers Act, the judgment nonetheless raises significant questions about whether vast swathes of the new law should now be repealed:

• In particular, the judgment raises concerns about the viability of the mandatory communications data retention powers (Part 4 of the Investigatory Powers Act), which are carried over from DRIPA. Under the new Act, communications data — which includes the who, when and where of our telephone calls, emails and instant messages — can be subject to a retention order for up to 12 months for reasons that go far beyond what is strictly necessary for fighting serious crime.
• The judgment also demands a rethink of the Government’s significant expansion of data retention powers to so-called ‘Internet Connection Records’, which could include the retention of browsing histories for the past 12 months.
• The judgment may also mean that the UK Government is forced to increase safeguards, such as judicial authorisation and notification, for data that it keeps about us. These were shown to be lacking in DRIPA. The judgment could mean that the Government will need to introduce new safeguards for accessing communications data (including Internet Connection Records) and other intrusive powers contained within the new law.

Camilla Graham Wood, Legal Officer, Privacy International said:

“Today’s judgment is a major blow against mass surveillance and an important day for privacy. It makes clear that blanket and indiscriminate retention of our digital histories — who we interact with, when and how and where — can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Unfortunately, those safeguards are not present in the Investigatory Powers Act, which is why it’s a Snoopers’ Charter.

The court has rightly recognised that our communications data is no less sensitive than the content of our communications. This is something that the UK Government has wilfully ignored, allowing a large number of public bodies to access our personal data without a warrant. The Government must now urgently fix the Investigatory Powers Act, so that access to our data is properly authorised”.

Press enquiries:
Camilla Graham Wood: camilla@privacyinternational.org
Harmit Kambo: harmitk@privacyinternational.org / 07780 994204

Notes to editors

The CJEU judgment is available here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=186492&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=516300

The CJEU press release is available here: http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf

Detailed history on the case can be found at the end of this post: https://www.privacyinternational.org/node/830

• DRIPA was almost identical to the European Data Retention Directive, whose broad and wholesale retention of communications data was previously ruled a violation of European law by the CJEU. It was this ruling which was the catalyst for DRIPA, as the UK government was not willing to give up its intrusive data retention powers.
• At the end of this year, 2016, parts of DRIPA will sunset and the Investigatory Powers Act will take effect as the main law governing the data retention powers of the United Kingdom.
• Privacy International blog on ICRs: https://medium.com/privacy-international/the-database-of-you-2b4347ad74e3#.slfqq0308
• ICRs have been described as the internet history of every internet user in the UK. At the very least they comprise a 12-month log of websites visited, communications software used, system updates downloaded, desktop widgets used (e.g. calendars, notes), every mobile app used (e.g. Whatsapp, Signal, Google Maps), and logs of any other device connecting to the internet, such as games consoles, baby monitors, digital cameras and e-book readers. They are comparable to a compilation of call records, postal records, library records, study and research records, social and leisure activity records, location records, and additionally capture concerns about health, sexual and family issues.