Court Overturns UK Surveillance Law

Gives Parliament Until Next Year to Rewrite Rules
Parliament must rewrite the Data Retention and Investigatory Powers Act.

Britain's high court on July 17 overturned "emergency" surveillance legislation, which was rushed into law in July 2014 after just one day of debate in Parliament (see U.K. Surveillance Bill Becomes Law).

The Data Retention and Investigatory Powers Act - also known as the DRIP Act - was backed by the three main political parties.

But two Members of Parliament - former shadow home secretary David Davis, Conservative, and Tom Watson, Labour - challenged DRIPA on the grounds that it failed to address privacy rights. Their move was backed by the civil rights organizations Open Rights Group and Privacy International, as well as the Law Society of England and Wales.

In its ruling, the court sided with the two MPs, saying that DRIPA "does not lay down clear and precise rules providing for access to and use of communications data," and that as a result, DRIPA should be "disapplied," meaning it would no longer be a law.

But the court stayed that ruling until March 31, 2016, to give Parliament time to redo the law, and ensure that any and all access to retained data would be authorized by either a court or an independent body. "The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome," the judges wrote in their ruling.

Commenting on the ruling, Davis said: "The court has recognized what was clear to many last year, that the government's hasty and ill-thought through legislation is fatally flawed. Whilst the government gave Parliament one day to consider its law, the court has given almost nine months" to Parliament to now rewrite the law.

Adds Watson: "There must be independent oversight of the government's data-collection powers, and there must be a proper framework and rules on the use and access of citizens' communications data."

Surveillance Law Push

The U.K. government introduced and pushed DRIPA through Parliament three months after the European Court of Justice ruled that an EU directive requiring blanket - as opposed to targeted - data retention violated Europeans' right to privacy and protection of their personal information, unless there were strong safeguards in place.

The U.K.'s data-retention regulation had been based on the EU directive. As a result, legal experts said that the ruling left U.K. telecommunications providers in a gray area - legally speaking - when it came to government-mandated retention of their subscribers' emails, texts and phone call metadata. Accordingly, the government moved to pass legislation that explicitly required telecom providers to retain that data for 12 months.

Arguing before the high court in June, however, the two MPs' representative, attorney Dinah Rose, said that DRIP had been rushed through Parliament "with enormous speed and hardly any scrutiny," the Guardian reported.

Rose said that the two MPs understood that the government needed tools to fight crime and terrorism, but that they believed the law failed to provide proper safeguards. "Their concern is that this legislation doesn't contain the necessary minimum safeguards to protect against the risk of arbitrary, disproportionate or abusive retention and use of personal data, and for that reason, it breaches the fundamental right to privacy," she said.

But Home Secretary Theresa May fought the judicial review, and a government legal team argued before the court that the Regulation of Investigatory Powers Act, or RIPA, provided sufficient safeguards to comply with EU human-rights laws (see Surveillance Report Demands Transparency).

Many legal experts, however, said DRIPA failed to comply with EU privacy laws. Steve Peers, a professor of EU law and human rights law at the University of Essex, had warned that "the government's intention, as manifested by the bill, to reinstitute mass surveillance of telecoms traffic data is a clear breach of the EU Charter of Fundamental Rights."

Writing July 17 via Twitter, Peers said: "I get to say 'I told you so.'"


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



