Out-Law News 2 min. read
31 Jan 2018, 2:22 pm
The Court of Appeal held that provisions within the now-expired Data Retention and Investigatory Powers Act (DRIPA) were "inconsistent with EU law".
DRIPA contained rules requiring telecoms companies to store 'communications data' and disclose it law enforcement agencies under certain circumstances.
The Court of Appeal said that DRIPA was inconsistent with EU law because it did not limit the data gathering powers to being used for "fighting serious crime" only. It also held that the Act was unlawful where it enabled access to data without "prior review by a court or an independent administrative authority".
The lawfulness of DRIPA in respect of use of the communication data powers for national security purposes was not ruled upon by the court.
DRIPA was rushed into UK law in 2014 in response to a ruling by the Court of Justice of the EU (CJEU) which effectively invalidated UK data retention laws on privacy grounds. However, a new legal challenge against DRIPA was then brought by two UK MPs, who raised concerns raised that the faults found by the CJEU in respect of the previous data retention regime had been repeated in DRIPA.
In July 2015, the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal asked the CJEU to help it determine whether DRIPA was compatible with EU law and the requirements set out in the EU court's previous ruling on the Data Retention Directive.
The CJEU ruled on the case in December 2016. It said EU law precludes EU countries from passing a law that "provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" in order to help fight crime. It also said that EU law does permit national law makers to, "as a preventive measure", require traffic and location data to be retained on a targeted basis, but only where the objective of the data retention rules is to fight "serious crime".
Now the Court of Appeal has issued its decision on the UK government's appeal after interpreting the CJEU's judgment.
However, in response to calls to reform UK surveillance laws and address the legal challenge brought against DRIPA, a new Investigatory Powers Act was created by the UK government. That Act, which came into effect in November 2016, sets out new rules on access to communications data by UK authorities. It also addresses further surveillance mechanisms, including lawful interception of communications, the bulk gathering of data, and use of equipment interference methods.
However, the CJEU's December 2016 ruling prompted civil liberty groups to call on the UK government to make changes to the Investigatory Powers Act.
Late last year the government admitted that the Investigatory Powers Act needs to be updated to comply with the CJEU's judgment. It opened a consultation on "new safeguards for the use of communications data" at the time.
However, those proposals have now been labelled as "half-baked plans" by human rights group Liberty, which said that they "do not even fully comply with past court rulings requiring mandatory safeguards".
"[The government's proposed amendments to the Investigatory Powers Act] … continue to allow public bodies to indiscriminately retain and access personal data, including records of internet use, location tracking using mobile phones and records of who we communicate with and when," Liberty said.
Liberty has already lodged a legal challenge against the Investigatory Powers Act. According to the Court of Appeal's ruling, the High Court will hear arguments in that case on 27 and 28 February.
In response to the Court of Appeal's judgment, Labour MP Tom Watson, who led the legal challenge against DRIPA, said: "The government must now bring forward changes to the Investigatory Powers Act to ensure that hundreds of thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data."