The Court of Appeal judgment has been a very, very long time coming, and is actually relevant to a now-expired law, the Data Retention and Investigatory Powers Act (DRIPA). You see, the EU issued a directive way back in 2006 that compelled telecoms providers to store data for law enforcement to use in investigating serious crimes. Years later in 2014, though, a legal challenge resulted in the EU Court of Justice invalidating the directive on the grounds it was too broad in scope and didn't contain safeguards compatible with privacy and data protection rights.
This meant the UK government had to throw together emergency legislation in the form of DRIPA to keep the wheels of surveillance turning. But that, too, ended up being deemed incompatible with privacy and data protection laws by the UK's High Court. The government appealed that ruling, but before making a call, the Court of Appeal asked the EU Court of Justice to clarify whether the judgment it made back in 2014 -- which spawned DRIPA in the first place -- was specific to the EU directive, or set a precedent for future surveillance legislation.
The EU court basically said 'yes,' any future surveillance law must follow in the spirit of the 2014 ruling. While all this was going on, the government set about drafting new legislation that pulled all relevant laws into one bill, updated them to reflect technological advancements and expanded its surveillance powers. DRIPA was an emergency measure, after all, and as such had a built-in self-destruct timer.
The issue that the government now has is that although the Court of Appeal has ruled the out-of-date DRIPA unlawful, there's no ignoring the fact that the Investigatory Powers Act (IP Act) is also at odds with the judgment. If anything, it's even more contentious. Under the IP Act, the government can instruct telecoms providers to record the online activity (aka Internet Connection Records, or ICRs) of all their customers for 12 months. ICRs include the top-level domains you've visited (such as engadget.com) as well as data related to messaging apps and other online services.
These ICRs can be accessed by law enforcement and other government agencies with a warrant or similar approval, and for reasons not always specific to the investigation of serious crimes. In a roundabout way, the Court of Appeal today ruled these powers unlawful. Interestingly, the court didn't pass any judgment on the use of 'bulk' powers, which were challenged in the DRIPA case and remarked on by the EU Court of Justice.
Bulk powers are not targeted, but indiscriminate. They include the interception of communications content (emails, text conversations, phone taps, etc.) and the hacking of devices on a grand scale. The retention of ICRs falls under the definition of bulk data collection, too, and is likely incompatible with privacy laws since it involves the surveillance of innocent people. The counter-argument to this is: You can't find the needle if there's no haystack to search through.
Part of the reason the Court of Appeal didn't pass judgment on bulk powers is because human rights group Liberty is challenging the IP Act directly in the High Court -- a case that's due to be heard at the end of February. At that point, the fact today's ruling applies to DRIPA will become irrelevant, because the IP Act will have to be reviewed in light of this decision and the EU Court of Justice's previous opinion. What's more, in another ongoing case Privacy International is currently asking the Investigatory Powers Tribunal (IPT) to decide whether the intelligence services' use of bulk powers complies with European law -- the group has successfully proved otherwise before. As seems to be the done thing, the IPT has referred the case to the EU Court of Justice, asking specifically whether its opinions on DRIPA apply here too, and if there is any leeway "for the purposes of national security."
The government was pretty sure the Court of Appeal would rule the way it did today. In reaction to the EU Court of Justice ruling, it announced last November it would begin consulting on amendments to the IP Act. These include adding a new authorisation process for accessing communications data, and clarifying they must only be used in the investigation of "serious crime." The government is also preparing "additional safeguards" that must be considered before asking a provider to begin collecting ICRs.
Thus, the government appears to be one step ahead of the Court of Appeal ruling already. The Home Office has today released a statement from Security Minister Ben Wallace, some of which we've heard before.
"Communications data is used in the vast majority of serious and organised crime prosecutions and has been used in every major Security Service counter-terrorism investigation over the last decade. It is often the only way to identify paedophiles involved in online child abuse as it can be used to find where and when these horrendous crimes have taken place.
"This judgment relates to legislation which is no longer in force and, crucially, today's judgement does not change the way in which law enforcement agencies can detect and disrupt crimes.
"We had already announced that we would be amending the Investigatory Powers Act to address the two areas in which the Court of Appeal has found against the previous data retention regime. We welcome the fact that the Court of Appeal ruling does not undermine the regime and we will continue to defend these vital powers, which Parliament agreed were necessary in 2016, in ongoing litigation."
Tom Watson, one of the MPs that originally challenged DRIPA with Liberty's help, said: "This legislation was flawed from the start. It was rushed through Parliament just before recess without proper parliamentary scrutiny.
"The Government must now bring forward changes to the Investigatory Powers Act to ensure that hundreds of thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data. I'm proud to have played my part in safeguarding citizens' fundamental rights."
Attacks on the IP Act are far from over, meaning the government may have to make amendments beyond those it's already proposing. It's imperative the law's in good order come Brexit, too. If our surveillance regime is incompatible with EU privacy and data protection laws by the time we leave, there's a chance the sharing of data between businesses and law enforcement agencies across the continent could be seriously disrupted.