Security Experts:

EU Court Slaps Down UK's Investigatory Powers Act

The Court of Justice of the European Union (CJEU), the highest constitutional court of the EU, has effectively slapped down the UK's new Investigatory Powers Act. The court passed judgement on Wednesday in a case brought by Labour MP Tom Watson and others against the UK government's ability to require ISPs to retain all customer metadata for 12 months. 

The ruling states that "EU law precludes national legislation that prescribes general and indiscriminate retention of data." This itself follows the court's ruling against the EU's own Data Retention Directive in 2014.

The same requirement for data retention by the ISPs is made possible in the new Investigatory Powers Act (IPA) which completed its passage through Parliament and was granted Royal Assent on 29 Nov, 2016. It is now UK law and is expected to be effective from 1 Jan, 2017.

The IPA itself has not been considered by the CJEU; but the ruling paves the way for a direct challenge. Civil liberties group, Liberty, which supported Tom Watson's case, is already preparing to challenge the IPA. Martha Spurrier, director of Liberty, said yesterday, "Today's judgment upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The government must now make urgent changes to the Investigatory Powers Act to comply with this."

The CJEU's ruling over mass data retention is very clear. "The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.

"The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference."

The question now is whether the ruling actually invalidates the IPA. The UK government will appeal the ruling; but the reality is the UK is still subject to European law despite the Brexit referendum, and will remain so for two years following the prime minister's invocation of Article 50 (expected in March 2017). In reality, however, the UK difficulties may transcend its membership of the European Union.

"Until such time as the UK leaves the EU (probably 2 years after Article 50 is invoked) the UK remains bound by the requirements of EU law and the judgements of the CJEU," explained David Flint, a senior partner at the MacRoberts law firm. "The issue here is complicated as the CJEU is actually applying the European Convention on Human Rights (ECHR), and that is not an EU issue. As the UK has made human rights law directly enforceable in the UK by virtue of the Human Rights Act and the ECHR, in my opinion it is likely that (unless the UK withdraws from the European Convention on Human Rights) a similar ruling would be made by the Strasbourg court (not part of the EU)."

In other words, the IP Act may be illegal whether the UK stays within the European Union or leaves it. "The IP Act," he added, "insofar as it imposes an obligation (or legalizes) blanket, untargeted collection and storage of personal data (previously held to include IP addresses) would, in my opinion not be compatible with the UK's obligations under EU law or the Human Rights Act."

Meanwhile, back at the ranch, on the same day as the CJEU ruling, Reuters published a report suggesting that US law enforcement is currently engaged in seeking a new interpretation of the Fourth Amendment. The Fourth Amendment is the American Constitution's equivalent to the EU constitutional arguments enforced by the CJEU.

According to Reuters, "The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government's drive to change decades of interpretation of the U.S. Constitution's Fourth Amendment right of people to be secure against 'unreasonable searches and seizures,' intelligence officials and others familiar with the strategy told Reuters."

That strategy is to get the courts to redefine reasonable and unreasonable. Firstly, people willingly disclose vast amounts of personal data on social media; and secondly, no harm is done by the collection of data unless a human physically examines it. If the outcome of that examination is an arrest, then it is perforce a reasonable 'search and seizure' of personal information.

Ultimately, the modern interpretation of the Fourth Amendment in America will need to be decided by the Supreme Court in the same way as the CJEU has made its decision in Europe.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.