The UK's mass surveillance laws just suffered another hefty blow

The UK's newest surveillance laws may have to change after a legal challenge from Tom Watson MP found 2014's Dripa law was illegal
iStock / serazetdinov

In December 2016, the EU's highest court ruled that governments keeping emails and electronic communications on a "general an indiscriminate" basis was illegal. In doing so, it pushed the UK's controversial surveillance laws back into the country's highest court.

Now, in what will be seen as a fresh blow for the government's so-called Snooper's Charter, the UK's Court of Appeal has ruled previous surveillance law was illegal. After years of legal wrangling the court said the Data Retention and Investigatory Powers Act 2014 (Dripa) didn't put restrictions on the access to reams of data collected about people in the UK.

Dripa was "inconsistent with EU law" as it allowed access to retained data that wasn't "restricted solely to fighting serious crime". The court's judgement (https://drive.google.com/file/d/10sfyVVu2IJNl3HEKg9zLJRQQO1M5LlGZ/view?usp=sharingGoogle Drive download) also found the law allowed police and public bodies to authorise their own access to data collected about people in the UK, without oversight.

The case, which started in 2014, was brought by Labour's deputy leader Tom Watson and the government's Brexit chief David Davis. When the case started, Davis was a backbench Conservative MP and he has since removed himself from the proceedings. The challenge from Watson (and initially Davis) against government surveillance has been supported by the campaign groups Liberty, Privacy International and the Open Rights Group.

The decision by the Court of Appeal means it is likely the government's current Investigatory Powers Act (IP Act) will have be to amended.

"The government must now bring forward changes to the Investigatory Powers Act to ensure that hundreds of thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data," Watson said in a statement.

In 2015, the UK's High Court ruled that Dripa's email and communication weren't compatible with EU law. To challenge the decision the government appealed the case to the European Court of Justice (ECJ).

“With respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained," the ECJ said in its ruling. The ECJ also remarked that collecting emails and messages would make people "feel that their private lives are the subject of constant surveillance".

"Consequently, only the objective of fighting serious crime is capable of justifying such interference," the ECJ added. As a result of the judgement the case came back to the UK for judges to rule upon how the EU decision could be applied to national legislation.

In November last year, the government responded to the European Court of Justice's ruling saying it was granting more concessions for privacy. Included in these new safeguards were the creation of an Office for Communications Data Authorisation which should handle communications data requests, stopping communications data being used for anything but serious crimes and not allowing the collection of communications data for issues of public health or tax collection.

The UK's most recent update to its surveillance laws came around the same time as the 2016 ECJ judgement. The controversial IP Act started to be implemented in January 2017. The law was dubbed as the biggest reform of surveillance powers in a decade by Theresa May, who was home secretary during the Act's progress through parliament.

However, the IP Act was widely criticised by security and privacy experts for the range of powers it allowed police and security services. The law allows for communications companies – ISPs, mobile firms and others – to store internet connection records for 12 months. This data includes details of every website every person in the UK has visited.

The law also allows for bulk data sets to be collected by security agencies, gives them increased powers to hack into devices and allow for real-time surveillance. Since the law was enacted it has faced a number of new legal challenges.

This article was originally published by WIRED UK