hacking-1685092_960_720In an early holiday delivery, the Court of Justice of the European Union (“CJEU”) today handed down its judgment in the joined cases of Tele Sverige/Watson & Ors (C-203/15/C-698/15), this morning.

Hotly anticipated by surveillance and privacy lawyers, these cases consider the legality of data retention laws in Europe, following the decision in Digital Rights Ireland that the Data Retention Directive was unlawful. Broadly, the CJEU confirms that EU law precludes national legislation that prescribes the general and indiscriminate retention of data.  The Court concludes that the emergency data retention legislation passed in a few days in 2014 – the Data Retention and Investigatory Powers Act 2014 – is unlawful.  That legislation is, of course, due to lapse at the end of December 2016 in any event.

This morning’s decision comes just too late to have influenced the passage into law of the Investigatory Powers Act 2016 (“IPA”) – the new domestic bible on bulk surveillance, interception, communications data retention and acquisition and equipment interference – which received Royal Assent in early December. However, what the CJEU has to say about surveillance and privacy may determine whether the IPA – also known by some as the Snoopers Charter – has a long or a short shelf-life.

The powers in IPA are built on the same model as its predecessor and provides for broad powers of data retention with limited provision for safeguards of the kind that the Court considered crucial.  Significant parts of that newly minted legislation lay open to challenge.

Watson & the Data Retention and Investigatory Powers Act 2014

The Data Retention and Investigatory Powers Act 2014 (“DRIPA”) was passed speedily by Parliament over a handful of days in summer 2014.  It provides for telecommunications providers to retain 12 months data on their users, including information about their communications and traffic-data.  Broadly, access is provided to a range of public bodies for a range of purposes, subject to the requirement that access is “proportionate and necessary”.  Access to this data is not generally subject to prior judicial authorisation, except where the information is sought by local authorities.  For police, security agencies and a host of others, including HMRC and the Food Standards Agency, access is authorised internally by senior officers.

The challenge to the legality of DRIPA was brought swiftly in the domestic courts, with Parliamentarians highlighting the inconsistency between the Act’s provisions and the decision in Digital Rights Ireland during its passage.  The High Court thought the legislation unlawful, the Court of Appeal disagreed and sent the case off to Luxembourg for clarification of the Court’s intent in the earlier case-law.  The case has been supported throughout by Liberty (read their response to today’s judgment here).

The Court’s view is now transparent.  While data retention is not prohibited by EU law, general and indiscriminate retention is incompatible with the requirements of Directive 2002/58 on the confidentiality of electronic communications (the Directive on the Privacy of Electronic Communications) as interpreted in a manner consistent with the protection for individual privacy and personal information provided by the Charter of Fundamental Rights of the European Union (Articles 7, 8, 11 and 52(1)) (see [81], [92] – [94]).

The Court is clear that one of the purposes of that Directive is to afford individuals “protection against risks to their personal data and privacy that arise from new technology and the increasing capacity for automated storage and processing of data” [83]. The Court expresses real concern that an exception to the protection on storage of data cannot be so broad as to become a rule which would render the protection offered by EU law “largely meaningless” [89].

The breadth of the interference imposed by untargeted retention of communications data is squarely acknowledged by the Court:

“That data taken as a whole is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them…In particular that data provides the means…of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications” [99]

Where national legislation provides for data retention, any retention must be strictly necessary for the purposes of investigating serious crime and linked to the investigation of serious crime (see [96], [105]).

The Court provides a robust judgment on this basis making clear that the purposes for which data retention might be authorised must be linked to the “exhaustive” list of authorisations in the Directive, which are limited to national security, defence, public security and the investigation, detection and prosecution of criminal offences [90].  The Court goes further and establishes that the legislation in issue falls short because if applies to retain the data of individuals “for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences” [105].  It indicates that it is unlawful for data to be retained where that retention is not restricted to retention in relation to data pertaining to a particular time period, or geographical area or a group of persons likely to be involved in serious crime, or persons who could for other reasons contribute through their data being retained to fighting crime [106] – [112].   The Court confirms that only the fight against serious crime can justify access to such retained data [115].  These are findings consistent with earlier case-law from both the CJEU and from Strasbourg, but they are crucial for the provisions in domestic law, which extend powers of retention and access for a broad range of reasons including public health, taxation or other public charges, mitigating injury to physical or mental health (see DRIPA, Section 22).

Finally, the Court stressed that all access must be confined to that which is strictly necessary and accompanied by appropriate safeguards for privacy [119].  Importantly, access to retained data must be subject to prior authorisation by a judge or other independent body, following a “reasoned request” “within the framework of procedures for the prevention, detection and prosecution of crime” [120].

The lack of prior judicial authorisation for access to communications data in the UK has long been subject to criticism.  In 2011, JUSTICE highlighted the significant bulk proportion of access requests never subject to oversight each year, and called for reform.  In his review of surveillance, A Question of Trust, David Anderson QC indicated that it would, pending the decision in Watson, be appropriate for some requests to be subject to judicial oversight.  The contemporaneous review conducted by RUSI agreed.  However, the Joint Committee tasked with review of the Draft Investigatory Powers Bill disagreed. A system of internal review governed by an internal “Single Point of Contact” separate from an active investigation, trained in surveillance but part of the same force or agency was considered broadly adequate. Whether this model can survive the independence test set by the CJEU is questionable.

What next for the Investigatory Powers Act 2016?

Part 3 of the IPA provides for the retention of communications data on a model broadly mirroring DRIPA.  The range of bodies which can access data and the purposes for which information can be accessed are slightly narrower, but still clearly wider than that envisaged by the CJEU (see Sections 61(7), 70 and Schedule 4).  Section 61(7) still includes functions far wider than serious crime, including public health, taxation and the functioning of financial markets.  Retention of data is similarly unconstrained (Section 87).

There is no provision for prior judicial authorisation of access to data, except by local authorities.  Section 76 replicates the “single Point of Contact” model which sees access decisions authorised internally, subject only to after-the-event scrutiny by the new Investigatory Powers Commissioner, who will not examine all access requests, but may dip-sample or audit on another selective basis.

The decision in Watson clearly leaves the communications data model in the new legislation on shaky legal ground.  However, the decision may have a wider impact on the IPA.  In so far as it confirms the previous case law of the CJEU and the broad approach of the ECtHR to targeting surveillance, strict necessity and safeguards, it may leave a significant part of the Act which avows and provides a statutory basis for “thematic” and bulk surveillance open to challenge.  To give two examples, warrants in the IPA for interception are not restricted to serious crime and they are available by reference to broad “factors” where specific individuals cannot be identified (see Sections 15 – 17); and interception, acquisition of data and equipment interference (or hacking) (albeit targeting “overseas communications”) is authorised in “bulk” (see Sections 136, 158, 176).  Whether these powers might be considered “strictly necessary” in an analogous challenge remains open to question, of course.

But, is it all about Brexit?

The decision affirms the important role which EU law has played historically in safeguarding fundamental rights across the Union.  While the Supreme Court considers the mechanics of the UK’s departure from the Union, the Westminster Parliament has this month been at pains to emphasise the importance of the Government taking stock of the impacts which Brexit will have on the protection of individual rights (see the JCHR and the House of Lords EU Sub-Committee on Justice). The decision draws directly upon the recent surveillance case law of the European Court of Human Rights including in Zakharov v Russia App No 47143/06 [119], making clear that Brexit may not be a get-out-of-jail free card for the IPA.

Of course, the case in Watson was originally labelled Davis & Watson.  The now Secretary of State for Exiting the European Union may have some seriously conflicting views reading the judgment this morning.  A potentially costly defeat for his Government is a personal win in his own campaign to establish that ill-targeted data retention is inconsistent with the protection of our privacy free from unjustifiable surveillance by the State.  In the interests of collective Cabinet responsibility, perhaps he might be thinking about starting his own holiday early.

Angela Patrick is a barrister at Doughty Street Chambers.  Until October 2016, she was Director of Human Rights at JUSTICE, where she led their work on the passage of the Investigatory Powers Bill.

This post originally appeared on the UK Human Rights Blog and is reproduced with permission and thanks.