EU Court Slaps Down UK’s Investigatory Powers Act

The Court of Justice of the European Union (CJEU), the highest constitutional court of the EU, has effectively slapped down the UK’s new Investigatory Powers Act. The court passed judgement on Wednesday in a case brought by Labour MP Tom Watson and others against the UK government’s ability to require ISPs to retain all customer metadata for 12 months. 

The ruling states that “EU law precludes national legislation that prescribes general and indiscriminate retention of data.” This itself follows the court’s ruling against the EU’s own Data Retention Directive in 2014.

The same requirement for data retention by the ISPs is made possible in the new Investigatory Powers Act (IPA) which completed its passage through Parliament and was granted Royal Assent on 29 Nov, 2016. It is now UK law and is expected to be effective from 1 Jan, 2017.

The IPA itself has not been considered by the CJEU; but the ruling paves the way for a direct challenge. Civil liberties group, Liberty, which supported Tom Watson’s case, is already preparing to challenge the IPA. Martha Spurrier, director of Liberty, said yesterday, “Today’s judgment upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The government must now make urgent changes to the Investigatory Powers Act to comply with this.”

The CJEU’s ruling over mass data retention is very clear. “The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.

“The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.”

The question now is whether the ruling actually invalidates the IPA. The UK government will appeal the ruling, but the UK is still subject to European law despite the Brexit referendum, and will remain so for two years following the prime minister’s invocation of Article 50 (expected in March 2017). The UK’s difficulties, however, may transcend its membership of the European Union.

“Until such time as the UK leaves the EU (probably 2 years after Article 50 is invoked) the UK remains bound by the requirements of EU law and the judgements of the CJEU,” explained David Flint, a senior partner at the MacRoberts law firm. “The issue here is complicated as the CJEU is actually applying the European Convention on Human Rights (ECHR), and that is not an EU issue. As the UK has made human rights law directly enforceable in the UK by virtue of the Human Rights Act and the ECHR, in my opinion it is likely that (unless the UK withdraws from the European Convention on Human Rights) a similar ruling would be made by the Strasbourg court (not part of the EU).”

In other words, the IP Act may be illegal whether the UK stays within the European Union or leaves it. “The IP Act,” he added, “insofar as it imposes an obligation (or legalizes) blanket, untargeted collection and storage of personal data (previously held to include IP addresses) would, in my opinion, not be compatible with the UK’s obligations under EU law or the Human Rights Act.”

Meanwhile, back at the ranch, on the same day as the CJEU ruling, Reuters published a report suggesting that US law enforcement is currently engaged in seeking a new interpretation of the Fourth Amendment. The Fourth Amendment is the American Constitution’s equivalent to the EU constitutional arguments enforced by the CJEU.

According to Reuters, “The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government’s drive to change decades of interpretation of the U.S. Constitution’s Fourth Amendment right of people to be secure against ‘unreasonable searches and seizures,’ intelligence officials and others familiar with the strategy told Reuters.”

That strategy is to get the courts to redefine reasonable and unreasonable. Firstly, people willingly disclose vast amounts of personal data on social media; and secondly, no harm is done by the collection of data unless a human physically examines it. If the outcome of that examination is an arrest, then it is perforce a reasonable ‘search and seizure’ of personal information.

Ultimately, the modern interpretation of the Fourth Amendment in America will need to be decided by the Supreme Court in the same way as the CJEU has made its decision in Europe.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
