Court of Appeal declares the Data Retention and Investigatory Powers Act 2014 unlawful
Is section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) inconsistent with EU law?
Two British MPs commenced judicial review proceedings to challenge the validity of the powers under section 1 of DRIPA (now replaced by the Investigatory Powers Act (IPA) 2016, the so-called “snooper’s charter” which contains similar provisions). This section allows the Home Secretary to require communication service providers to retain communication data for up to twelve months for various purposes, including national security and the detection and prevention of crime.
The ECJ's finding
In 2016, in response to questions referred from the Court of Appeal, the European Court of Justice (ECJ) declared that EU law precludes national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of traffic and location data (ie metadata). Such legislation would be incompatible with the Privacy and Electronic Communications Directive (PECR) and the Charter of Fundamental Rights.
It further noted that any legislation which gives a public authority the power to access retained data must be subject to some restrictions. Such a power must be exercised according to criteria now known as the ‘Watson requirements’:
- ·only for the purpose of fighting serious crime;
- ·only with prior approval from a court or an independent authority; and
- ensuring that the data remain within the EU.
With this clarification, the case was referred back to the Court of Appeal for a further hearing.
The Court of Appeal's decision
The Court granted a declaration stating that section 1 of DRIPA was inconsistent with EU law in that, for the purposes of prevention and detection of criminal offences, it permitted access to retained data where (i) the object of that access was not solely to fight serious crime; and (ii) access was not subject to review by a court or independent body.
Many other aspects of the ECJ's response (eg does it create an absolute bar on bulk communications data leaving the EU? Do the Watson requirements equally apply to retention for the purpose of national security?) were not discussed by the Court, which observed that these issues will likely be considered as a result of yet another ECJ referral – this time from the Investigatory Powers Tribunal (see Privacy International v IPT  EWCA Civ 1868).
Why is this important?
Yet again, a UK court has ruled that the government’s proposed mass surveillance regime is unlawful. While the decision is somewhat academic (since it relates to law which has since been repealed), it will still have implications for the IPA 2016 and the government's proposed changes to it in its recent consultation.
The several ongoing legal challenges concerning both the ECJ's judgment and the IPA 2016 (eg campaign group Liberty’s judicial review claim) are symptomatic of a bigger problem, and suggest more polemics to come – especially at a time of heightened sensitivity in all things data.
Any practical tips?
Communication service providers will be particularly affected, as the judgment creates a difficult balance – retention notices issued under the IPA 2016 may require them to retain customer data for potential access by various public bodies; however, the ECJ has made clear in its ruling that blanket retention of such data is not acceptable.On a bigger scale, what does all of this mean for Brexit, and in particular data transfers once the UK sits outside the EU? How will the UK meet adequacy requirements with this type of legislation in play? As if GDPR wasn't complicated enough, could the UK be facing similar difficulties to those which ultimately saw the death of the Safe Harbour in the US?