CJEU finds UK legislation unlawfully allowed for general and indiscriminate retention of data

The Court of Justice of the European Union (CJEU) has ruled that the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA), a temporary emergency law which expired on 21 December 2016, was unlawful.

DRIPA was enacted in July 2014 after 3 days’ scrutiny, allowing UK authorities to request that communications companies retain communications data for purposes such as economic well-being and tax collection. The UK Court of Appeal invoked the preliminary reference procedure, and the CJEU ruled that any request to retain data for any purpose other than fighting serious crime is unlawful.

DRIPA gave the UK government the power to require communications companies to retain ‘communications data’ for up to 12 months. ‘Communications data’ included the time and date an email was sent or a phone call was made, as well as user location data, but not the contents of the communications themselves. These provisions were challenged in the UK courts by Labour MP Tom Watson, supported by the human rights organisation Liberty.

The claimant argued that bulk retention of data violated the right to private life and the protection of personal data, as guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (the Charter). The data was subject to what Liberty criticised as a “lax access regime”, which allowed government agencies to grant themselves access. The claimant was successful in the High Court; the State appealed to the Court of Appeal, which sought a preliminary ruling.  The issue at hand was whether the EU’s e-Privacy Directive, read in light of the Charter, precluded authorities accessing retained data where national legislation does not restrict access to the objective of preventing serious crime, and the access request is not subject to prior review.

The CJEU ruled that under the Directive, governments must ensure communications data remains confidential and must not legislate for its storage without the user’s consent. This principle can only be departed from to safeguard national security, and for the investigation, detection and prevention of serious crime. As DRIPA allowed for data retention and access for a wider range of objectives, it ruled that this represented a very serious interference with fundamental rights, as the general and indiscriminate retention of communications data of all users and subscribers is unlawful. Furthermore, DRIPA allowed bodies to authorise their own access – the Luxembourg court ruled that Member States must ensure independent review data access requests as an essential element of the EU’s protection of personal data

The ruling raises issues in relation to the lawfulness of certain provisions of the Investigatory Powers Act 2016, which replaces and replicates DRIPA.  However, in light of the UK’s decision to leave the EU, it is unclear whether Parliament will amend the 2016 Act. The decision of the UK Court of Appeal is pending.

Click here for the full judgment in Tele2 Sverige v Post-och Telestyrelsen and Secretary of State v Watson.

Share

Resources

Sustaining Partners