PRIVACY

UK’s Unprecedented Mass Surveillance Powers Ruled Illegal By EU Court

Recently-passed "Snooper's Charter" requires all citizens' browsing histories to be retained for one year

PRIVACY
Illustration: R. A. Di Ieso
Dec 21, 2016 at 2:07 PM ET

Europe’s highest court has dealt a major blow to a major recent expansion of government mass-surveillance powers in the UK, ruling that the indiscriminate retention and collection of citizens’ location and internet browsing histories without a warrant is illegal.

The ruling by the European Court of Justice (ECJ) follows the UK’s controversial Investigatory Powers Act, better known as the “Snooper’s Charter,” which signed into law the most expansive set of surveillance powers ever passed by any Western nation. The IP Act requires UK Internet Service Providers to retain all customers’ browsing histories and other “electronic communication transaction records” for government inspection without a warrant, including the time and location details of every digital interaction.

But the European high court’s ruling, while not specifically aimed at the Snooper’s Charter, declares that the “general and indiscriminate retention” of that data is illegal. It says that companies can only be required to retain data for fighting serious crimes like terrorism, and that any government access to that data must be targeted, backed by a court’s approval, and should inform those affected by the retention.

“Today’s judgment is a major blow against mass surveillance and an important day for privacy. It makes clear that blanket and indiscriminate retention of our digital histories — who we interact with, when and how and where — can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep,” wrote Camilla Graham Wood, a legal officer at the UK-based charity Privacy International.

“The court has rightly recognised that our communications data is no less sensitive than the content of our communications. This is something that the UK Government has wilfully ignored, allowing a large number of public bodies to access our personal data without a warrant. The Government must now urgently fix the Investigatory Powers Act, so that access to our data is properly authorised,” she said.

Ironically, the court’s finding is the result of a legal challenge brought by David Davis, a conservative member of the UK Parliament who supports leaving the European Union and has since been named Brexit secretary by prime minister Theresa May. Davis had originally challenged a 2014 UK data retention law called DRIPA, which the EU court has also ruled unlawful. That law will be officially replaced by the more-expansive Snooper’s Charter when it sunsets at the end of this month.

But while it has invigorated the fight against the Snooper’s Charter, some worry the ruling will become mostly symbolic if it doesn’t result in changes to the law before the UK formally exits the European Union—and with it, the court’s jurisdiction.

“Post-Brexit, the UK will not be able to just ignore this judgment,” Harmit Kambo, the campaigns director for Privacy International, told Vocativ. “If EU countries want to share any data with the UK, the UK would need to demonstrate that its data protection standards are adequate, and in effect the UK’s standards will need to be as good as EU countries’ own standards. So, yesterday’s judgment will continue to matter, and will continue to offer a level of protection to people’s privacy in the UK, even after we leave the EU”.

For now, the case will return to the UK Court of Appeal for further deliberation.

This story was updated on December 22 to include comments from Privacy International.