In a major ruling for all European Union (EU) member states, the Court of Justice of the European Union (CJEU) said UK’s DRIP Act, which allowed mass retention of citizens’ emails and other data, is unlawful under EU law. The ruling should also impact UK’s recently passed and highly controversial “Investigatory Powers Act,” which has been nicknamed the “Snoopers’ Charter" for its mass surveillance capabilities.
Mass Data Retention Is Illegal
Back in 2014, the CJEU ruled that EU’s “Data Retention Directive”, which enabled countries to mandate that ISPs and telecoms store logs of the phone calls people make and the websites they visit for up to two years, was declared invalid.
This meant similar laws, such as UK’s Regulation of Investigatory Powers Act 2000 (RIPA), were invalid, which prompted the UK government to quickly pass a new law called Data Retention and Investigatory Powers Act (DRIPA). The law would supposedly “legalize” the practice in the UK once again.
DRIPA was meant as a temporary replacement until the Investigatory Powers Act (IPA) could be finalized. However, the civil rights group Liberty along with two ministers, David Davis MP (Conservative) and Tom Watson MP (Labour), challenged DRIPA in court. The complaint ended up at EU’s top court, the CJEU. Davis later withdrew from the lawsuit as he became a Brexit minister.
The CJEU has now ruled that any mass retention of data is illegal, which means that not only is DRIPA invalid, but the recently passed “Snoopers’ Charter” is too. The court also ruled that only targeted surveillance of “serious crimes” is permitted under the law.
“EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary.Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU,” said the Court of Justice of the European Union.
The CJEU also said suspects must be notified of data retention the moment the notification wouldn’t jeopardize the investigation anymore, so that the citizens in question can exercise their legal rights if needed.
The requirement to notify suspects could put serious problems to the “black box” model of mass surveillance used by EU intelligence agencies today. If they have to notify every citizen that has been spied upon by the mass surveillance apparatus, that could open up even more legal challenges against governments that employ mass surveillance.
Snooper’s Charter Violations
Snoopers’ Charter violates the new ruling in multiple ways, not only because it requires ISPs to store browsing logs of their users, but also because it allows intelligence agencies to do bulk collection of data as well as “bulk hacking”. Plus, the UK law doesn’t require intelligence agencies or the police to notify the target of the investigation.
If the UK remains in the EU any longer, it may have to rewrite the Investigatory Powers Act from scratch. Perhaps this time, the government will also take into account what the Parliamentary intelligence committees have said when they criticized it, which is that privacy protections should be applied by default to citizens and only well-supervised exceptions for surveillance purposes should be allowed.
Snoopers’ Charter instead seems to have been written as an intelligence agencies’ wishlist, with some privacy exceptions added on top that are likely meaningless in practice. (Such as the fact that the government’s Home Secretary gets to sign the “warrants” for mass surveillance, and a single judge gets to approve them)
Chilling Freedom Of Expression
The CJEU also argued that DRIPA and similar laws that enable mass surveillance mass and retention of data infringe not just on the fundamental right to privacy, but also on freedom of expression, which is important for any democratic society.
If citizens know that all the sites they visit, for instance, are being recorded by the government, they could change what they read online for fear that their browsing activity may be used against them in the future.
Retained Data Must Stay Within The EU
The CJEU said that data retained about private individuals must stay within the EU. It can’t be shared with other countries, which means whatever law enforcement data sharing deals UK or the EU has with the United States or other countries are now invalid. The retained data must also be irreversibly destroyed at the end of the data retention period.
For now, at least, UK is still in the European Union, so it will have to comply with CJEU rulings. Once the “Brexit” is official (if ever), in theory, it wouldn’t have to comply with EU laws and the EU Charter of Fundamental Rights anymore.
However, in practice, UK will want to sign some kind of trade deals with the EU, and the EU will have its own requirements for accepting those trade deals. Therefore, if the EU officials wanted, they could also require that UK continue to comply with CJEU rulings and EU laws, much like Norway does.
Just in case UK will continue to use Snooper's Charter unchanged despite the new CJEU ruling, Liberty is also preparing to challenge it directly in court over similar as well as other violations of EU and international laws.