The European Union’s highest court on Wednesday issued a landmark ruling against mass surveillance in a judgment that challenges key portions of the U.K.’s so-called “Snooper’s charter,” a sweeping surveillance bill that was set to become law by the end of the year.
The decision by the Court of Justice of the European Union (CJEU), which directly calls into question both the British law and a similar bill in Sweden, finds that indiscriminate storing of private citizens’ communications data is illegal under EU law.
The court’s ruling finds that data retention is only allowable when government agencies are investigating a “serious crime,” such as terrorism.
The “general and indiscriminate retention” of emails allowed by the the “Investigatory Powers Act,” or Snooper’s charter, is therefore illegal, the Guardian reports.
“Today’s judgment is a major blow against mass surveillance and an important day for privacy,” said Camilla Graham Wood, legal officer with the rights organization Privacy International. “It makes clear that blanket and indiscriminate retention of our digital histories — who we interact with, when and how and where — can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Unfortunately, those safeguards are not present in the Investigatory Powers Act, which is why it’s a Snooper’s Charter.”
The Guardian notes:
The long-awaited judgment “raises significant questions about whether vast swathes of the [Snooper’s charter] should now be repealed,” observes Privacy International.
The advocacy group summarizes the key portions called into question by the decision:
- In particular, the judgment raises concerns about the viability of the mandatory communications data retention powers (Part 4 of the Investigatory Powers Act), which are carried over from DRIPA. Under the new Act, communications data — which includes the who, when and where of our telephone calls, emails and instant messages — can be subject to a retention order for up to 12 months for reasons that go far beyond what is strictly necessary for fighting serious crime.
- The judgment also demands a rethink of the government’s significant expansion of data retention powers to so-called ‘Internet Connection Records’, which could include the retention of browsing histories for the past 12 months.
- The judgment may also mean that the U.K. government is forced to increase safeguards, such as judicial authorization and notification, for data that it keeps about us. These were shown to be lacking in DRIPA. The judgment could mean that the government will need to introduce new safeguards for accessing communications data (including Internet Connection Records) and other intrusive powers contained within the new law.
“In addition to rejecting generalized retention and narrowing down access to serious crime with independent authorization, the CJEU has further established that as a rule only the data of people suspected of direct involvement in […] crimes can be accessed,” observes the U.K.-based Open Rights Group. “Accessing other people’s data must be an exception and also based on specific evidence of how this may help investigations.”
Wood added: “The court has rightly recognized that our communications data is no less sensitive than the content of our communications. This is something that the U.K. government has willfully ignored, allowing a large number of public bodies to access our personal data without a warrant. The government must now urgently fix the Investigatory Powers Act, so that access to our data is properly authorized.”