This doesn't bode well for a controversial new power in the IP Act that allows the government to force internet service providers and mobile carriers to store data on the online activity of all customers for a period of 12 months. Your internet browsing history (or rather, just the top-level domains you accessed, such as wikipedia.org) and data around messaging and other online services you use fall under the definition of ICRs. This is far from a targeted measure, though, and thus would appear to be at odds with the EU Court of Justice's decision.
Furthermore, the court states that governments should not be able to access any personal data without prior authorisation from a judge or independent body. Under the IP Act, ICRs can be accessed without a warrant, and by a number of government organisations unlikely to be involved in the investigation of serious crimes (though the definition of "serious" is unclear, as is unfortunately often the case with legalese). Still, the retention of ICRs goes against basically every precedent laid down by the EU court today.
The government's use of so-called bulk powers also appears to be drawn into question by the ruling. Bulk powers, in one form, are the equivalent of mass surveillance, whereby data and communications related a large group of people or a large area are monitored. Often, this includes the surveillance of innocent people in order to identify certain suspects or unlawful activity (read: relatively indiscriminate). While these intrusive powers are subject to prior approval -- except in urgent cases, where it's granted after the fact -- they can be employed for a number of reasons, including the threat to injury of a person's mental health. Whether all these potential use cases can be considered "serious" enough to justify these powers is now up for argument.
If our story ends with the Investigatory Powers Act, it starts with the Data Retention Directive. This EU-wide directive was issued in 2006, and compelled telecommunications service providers to store various user data -- like IP addresses, the time text messages were sent and received, among other things -- for a minimum of six months. The idea being it could then be made available to law enforcement agencies for the purpose of investigating serious crimes.
In a landmark case, the EU Court of Justice threw out the directive in 2014, after a legal challenge from Digital Rights Ireland. While the reasons for issuing the directive were sound, the court said, the data retention requirements were unnecessarily broad, and there weren't any defined limitations on who could access the data and for what purpose. Basically, it wasn't comprehensive enough to ensure there was no risk of abuse, therefore it was incompatible with EU privacy and data protection rights.
This posed a serious problem for the UK government, as by this point the directive had trickled down into various national laws and regulations. With these now deemed unfit for purpose, the government rushed to keep its surveillance regime intact by way of the Data Retention and Investigatory Powers Act (DRIPA). The emergency legislation, which was hastily adapted from existing law, came into force mere days after it was first published, albeit with a self-destruct mechanism built in that means it expires at the end of this year.
A few months later, a cross-party pairing of MPs launched a legal challenge against DRIPA, and this time last year the UK's High Court deemed it unlawful on the basis it, too, was incompatible with human rights laws (namely the fundamental right to privacy). As expected, the government appealed the High Court's ruling, leading the Court of Appeal to seek advice from the EU Court of Justice before making its own decision.
The most important question asked of the EU court was whether its criticisms of the Data Retention Direction in the Digital Rights Ireland case (the one back in 2014) sets a precedent for future surveillance laws. "Yes" comes the answer from the court today.
While the UK Court of Appeals is focused on the DRIPA case, whatever decision it arrives at will have a direct impact on the Investigatory Powers Act -- seen as a fresh start for Britain's surveillance activities, as the bill consolidates several relevant laws in one tidy package. Based on the advice of the EU Court of Justice, the broad failings identified in DRIPA should also apply to the IP Act, and it should amount to a major reworking of the new laws. Until we leave the EU, that is, and the justice court's ruling effectively becomes ignorable.
Deputy Labour leader Tom Watson, one of the MPs that brought the legal challenge against DRIPA, commented today: "This ruling shows it's counterproductive to rush new laws through Parliament without proper scrutiny... I'm pleased the court has upheld the earlier decision of the UK courts."
Several other MPs have voiced similar views, reiterating their disapproval of the IP Act and applauding the EU court's decision. Martha Spurrier, director of privacy group Liberty -- one of several organisations that argued from the outset the government was ignoring human rights concerns -- said of the ruling: "Today's judgment upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The Government must now make urgent changes to the Investigatory Powers Act to comply with this."
On the other side of the fence, a Home Office spokesperson said: "We are disappointed with the judgment from the European court of justice and will be considering its potential implications. The government will be putting forward robust arguments to the court of appeal about the strength of our existing regime for communications data retention and access."
[Inline image credits: Getty (server room) / Yves Herman for Reuters (Theresa May)]