Policy mass data slurping ruled illegal – AGAIN

Another blow for Snooper's Charter

By Rebecca Hill


The UK’s Court of Appeal has ruled that the government’s unfettered slurping of citizens’ data broke the law.

In a judgment handed down this morning, judges backed a challenge brought by deputy Labour leader Tom Watson in a long-running battle against state surveillance rules.

These laws allow for ISPs and telcos to retain communications data for up to a year and for public authorities to get access to this information. But campaigners have argued it fails to properly restrict this retention and access.

Today's ruling refers to the Data Retention and Investigatory Powers Act, which expired at the end of 2016, but will have significant implications for its successor, the Investigatory Powers Act.

The so-called Snoopers’ Charter was already under pressure following a landmark 2016 ruling from the Court of Justice of the European Union, and today’s judgment adds weight to this.

In the document, the judges also note: “As [Ben] Jaffey QC, on behalf of the first respondent, pointed out in the course of his oral submissions, that the fact that DRIPA has been repealed does not make this a pointless exercise”.

Their ruling was that DRIPA “was inconsistent with EU law” because it did not limit access to retained communications data solely to the purpose of fighting serious crime.

It also broke the law because police forces and public authorities could themselves grant access to retained data – rather than access being subject to prior review by a court or an independent administrative authority.

This cements the CJEU’s opinions, with Martha Spurrier - director of Liberty, which represented Watson in the case - saying that it “tells ministers in crystal clear terms that they are breaching the public’s human rights”. admits Investigatory Powers Act illegal under EU law


The government has already been forced to admit that chunks of the Investigatory Powers Act are illegal, issuing a set of amendments it hoped would plaster over the faults and bring it into line.

But Liberty described these as “half-baked plans [that] do not even fully comply with past court rulings requiring mandatory safeguards” - even without today’s decision.

Of particular concern from privacy activists was the plan to lower the threshold for “serious crime” to six months (rather than three years) in prison - effectively making it easier for the government to slurp up people’s data.

Big Brother Watch’s response to the consultation also picked apart the government’s reading of the CJEU judgment, criticising the assertion that the government’s data retention regime isn't "general and indiscriminate”.

It also expressed disappointment that the proposed Office of Communications Data Authorisations – which will sign off on communications data requests instead of the public bodies themselves – would not be a judicial body.

In addition, Big Brother Watch said the fact the proposed rules also allow for “urgent requests” to be signed off internally without retrospective assessment by the OCDA weakened safeguards in these cases.

Today’s judgement did not consider whether the CJEU’s decision should refer to national security - predictably, the government says no and campaign groups say yes - and instead stuck to the matters of serious crime.

The judges said that it was not necessary for that court to come to a conclusion on this because it was to be considered by the Investigatory Powers Tribunal and is now subject to a further reference to the CJEU. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog

Campaigners call for immigration exemption in UK's Data Protection Act to be scrapped

Judicial review into law launched

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum

Magnetic strips barrier to ransomware, burble box-flingers

US tech circles wagons as India reviews data protection proposals

Ex-Cisco CEO-chaired lobby leading the charge

IT management software crowd Kaseya buys cloudy data protection crew Spanning

Private equity holdings shuffle

Why, hello Rubrik's Trello: Data protection biz leaves productivity tool open to world+dog

Anyone with URL could see lists of case study projects

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al