UK High Court rules part of Snoopers’ Charter incompatible with EU law

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

The UK High Court has ruled that part of the Investigatory Powers Act 2016 (nicknamed Snoopers’ Charter) is incompatible with European Union law and the European Convention on Human Rights and, therefore, unlawful.

Snoopers Charter EU law

The section in question is Part 4 – Retention of Communications Data – in particular the power given to the Secretary of State to issue “retention notices” to telecommunications operators requiring the retention of relevant communications data (but not its contents), as well as location data and internet use history.

The challenge and the judgement

The challenge was brought to the court by the National Council for Civil Liberties (NCCL), aka Liberty, a UK-based advocacy group that aims to protect civil liberties and promote human rights.

They argued that the court should order the UK government to amend that particular part of the Investigatory Powers Act (IPA) because it allows the storage of and access to the aforementioned data with no independent authorization, for crime-fighting purposes extending far beyond “serious crime,” and for a wide range of other non-crime purposes – all of which violates the UK citizen’s right to privacy.

The High Court sided with Liberty by declaring that Part 4 of the IPA is incompatible with fundamental rights in EU law because access to retained data is not limited to the purpose of combating “serious crime” and access to retained data is not subject to prior review by a court or an independent administrative body.

On the other hand, the Court found that the same part of the legislation does not permit “a general and indiscriminate retention of traffic and location data.”

The Home Office sees this ruling as a victory, as the Court did not judge the data collection unlawful, and they’ve previously already acknowledged that the Act doesn’t comply with European laws and were planning to make appropriate changes.

They asked the Court to be allowed to make those changes by April 2019, but the latter said that there is no reason why the legal framework cannot be amended before that date, even if the practical arrangements (e.g., the creation of an Office for Communications Data Authorisations) take longer.

Therefore, the Court has decided on 1 November 2018 as the deadline for the government to amend the legislation so that it is in line with the EU law.

Liberty also considers the judgement a victory.

“The Government must now change the law to require prior review by a court or independent administrative body and – in the context of crime-fighting – to only allow access to data for purposes of combatting ‘serious crime.’ The Court did not rule on the legitimacy of the wide range of other non-crime purposes in the Act because the Government has already proposed legislation to remove them,” the group commented.

Martha Spurrier, Director of Liberty, said that the group has already issued legal challenges to three other parts of the IPA.

“Today’s ruling focuses on just one part of a law that is rotten to the core. It still lets the state hack our computers, tablets and phones, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality,” she noted, and has asked the public to contribute funds to ensure they can continue with the next stage of the legal challenge.