CJEU judgment says UK Government’s bulk retention of our communications data is illegal

Big Brother Watch Team / December 21, 2016

The Court of Justice of the European Union today published the final judgment in relation to the Tom Watson MP (and formerly David Davis MP) case regarding the lawfulness of the Data Retention and Investigatory Powers Act (DRIPA).

The court has ruled that:

  • Communications data (the who, when, what and where of our telephone and internet activity) cannot be retained in a “general and indiscriminate” way.
  • Communications data can be accessed for the objective of maintaining national security or investigating serious crime only.
  • Any request for access to communications data must be “subject to prior review by a court or an independent administrative authority”.
  • Authorities must notify people when they have accessed their data, as soon as notification is not likely to jeopardise investigations further.
  • Only data held in the EU can be requested.

This Judgment strikes a massive blow not just to DRIPA but to the recently passed Investigatory Powers Act (IP Act).

The Government have today issued a statement stating that they are “disappointed with the judgment” and no wonder because today’s ruling effectively challenges the legality of the IP Act in four particular areas:

  1. The ability for the police to internally sign off on requests for access to communications data will need to be rewritten to ensure that any warrant request is reviewed and approved by a judicial commissioner.
  2. The need for “an objective criteria in order to define the circumstances and conditions” under which communications data can be accessed. This is set out as “access can, as a general rule , be granted in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or being implicated in one way or another in such a crime”.
  3. The requirement that any national authority accessing retained data “must notify the persons affected….as soon as the notification is no longer liable to jeopardise the investigations being undertaken.
  4. The need for “electronic communications services…to ensure the full integrity and confidentiality” of data and that they must be able to “guarantee a particularly high level of protection and security”. This implies that any weakening of encryption or building of backdoors into services providing communications will not be lawful.

But the ruling will also raise issue and serious questions with regard to the bulk powers in the IP Act which fall seriously short of adhering to today’s ruling, notably:

  • Bulk personal datasets on each and every one of us living or dead.
  • The use of bulk equipment interference (hacking), when the necessity and proportionality cannot be determined.

The judgment will now go before the UK Court of Appeal. No doubt the Government will continue to assert that they have adequately ticked all the right boxes. But what the ruling makes abundantly clear is that there is still a great deal of work to be done to ensure that the laws which are designed to keep us safe don’t remove our privacy in the process.

You can read the judgment here