Any future surveillance and data access on UK citizens is expected to require prior approval from an independent administrative or judicial body in accordance with EU law following a ruling in the Divisional Court today that the Data Retention and Investigatory Powers Act 2014 (DRIPA) is unlawful.
The court (a Lord Justice and High Court Judge sitting together) ruled that access to data must be on the basis of what is strictly necessary and that sections 1 and 2 of DRIPA are incompatible with the British public's right to respect for private life and communications and to protection of personal data under Articles seven and eight of the EU Charter of Fundamental Rights.
The challenge to the law, which came into force exactly a year ago, was brought by two MPs, Conservative former shadow home secretary David Davis and Labour backbencher Tom Watson, represented by human rights organisation Liberty. This result, believed to be the first time MPs have overturned government regulation in the courts, is seen as a massive blow to the government, which pushed the bill through at speed without including the recommendations of the Government's reviewer of terrorism legislation, David Anderson QC. He had described the current law as “undemocratic” and “intolerable” and called for prior judicial authorisation for all interception warrants and some communications data requests. Judicial authorisation for some interception warrants was also recommended by the surveillance review from the Royal United Services Institute (RUSI).
DRIPA will now expire on 31 March 2016 to allow time for the Government to legislate properly – with the expectation that any new draft law will require judicial approval for surveillance and data retention and use. John Hayes, Minister of State for Security, has since been reported by the Guardian newspaper on 18 July as saying: "We disagree absolutely with this judgement and will seek an appeal."
Storm Guidance director Sarb Sembhi commented to SCMagazineUK.com: "This is something the government wants - or something like it - and it has until April to find grounds to appeal or come up with new legislation. Most Western governments want similar powers and like the idea of using big data, but have to reconcile that with privacy concerns and advocates who want not only transparency, but any data gathering specifics to be defined regarding what you gather, why, with time limits, geographic limits, with judicial oversight."
Liberty's legal director James Welch said: “Campaigners, MPs across the political spectrum, the Government's own reviewer of terrorism legislation are all calling for judicial oversight and clearer safeguards.” Commentators have suggested that as a result, it is unlikely that there will be any future draft bill that excludes such oversight.
DRIPA allowed the Home Secretary to order communications companies to retain communications data including the emails, calls, texts and web activity of anyone in the UK for 12 months. Hundreds of public authorities then have access to the data, some of which can authorise access themselves for reasons other than the investigation of serious crime.
For these reasons it was found not to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences. Nor was access to data authorised by a court or independent body, whose decision could limit access to and use of the data to what is strictly necessary.
The unlawful sections of DRIPA will remain in force until the end of March 2016 to allow time for the Government to legislate properly. At that point they will cease to have effect.
Davis issued a statement saying: “The court has recognised what was clear to many last year, that the Government's hasty and ill-thought through legislation is fatally flawed. They will now have to rewrite the law to require judicial or independent approval before accessing innocent people's data (which will)... improve both privacy and security.”
Watson added: "The Government was warned that rushing through important security legislation would end up with botched law. Now the High Court has said they must come back to Parliament and do it properly. There must be independent oversight of the Government's data-collection powers and there must be a proper framework and rules on the use and access of citizens' communications data."
Anderson notes that the ruling echoed decisions already made by national courts in the Netherlands, Belgium, Austria, Slovenia and Romania, which have themselves recently struck down national data retention laws in obedience to Digital Rights Ireland (Judgment, para 105).
One commentator who did not wish to be named pointed out that prior to Snowden's revelations we did not even know for sure what was being done, so to have moved to a position where there is enough transparency for government's rationale and authority to be questioned and overturned is enormous progress from a civil liberties perspective.
Liberty has produced a background briefing providing its perspective on the issue.
Any legislation mandating data retention by a Member State of the EU must comply with the following ten principles:
1. restrict retention to data that is related to a threat to public security and in particular restrict retention to a particular time period, geographical area and/or suspects or persons whose data would contribute to the prevention, detection or prosecution of serious offences
2. provide exceptions for persons whose communications are subject to an obligation of professional secrecy
3. distinguish between the usefulness of different kinds of data and tailor retention periods to the objective pursued or the persons concerned
4. ensure retention periods are limited to that which is ‘strictly necessary’
5. empower an independent administrative or judicial body to make decisions regarding access to the data on the basis of what is strictly necessary
6. restrict access and use of the data to the prevention, detection or prosecution of defined, sufficiently serious crimes
7. limit the number of persons authorised to access and subsequently use the data to that which is strictly necessary
8. ensure the data is kept securely with sufficient safeguards to secure effective protection against the risk of abuse and unlawful access
9. ensure destruction of the data when it is no longer required
10. ensure the data is kept within the EU