from the snoopers-charter:-now-with-10%-less-snooping! dept
UK civil liberties group Liberty has won a significant legal battle against the Snoopers Charter. A recent ruling [PDF] by the UK High Court says the data retention provisions, which include mandated extended storage of things like web browsing history by ISPs, are incompatible with EU privacy laws.
The court found the data retention provisions are at odds with civil liberties protections for a couple of reasons. First, the oversight is too limited to be considered protective of human rights asserted by the EU governing body. As the law stands now, demands for data don’t require independent oversight or authorization.
Second, even though the Charter claims demands for data will be limited to “serious crimes,” the actual wording shows there are no practical limitations preventing the government from accessing this data for nearly any reason at all.
The decision quotes the Charter’s stated reasons for obtaining data, which range from “public safety,” to “preventing disorder” to “assessing or collecting taxes.” Obviously, the broad surveillance powers will not be limited to “serious crimes,” contrary to the government’s assertions in court.
First, the wording of the draft declaration is so broad that it would include areas which are outside (or potentially outside) the area of serious crime: for example, the area of national security. As will become apparent later, the issue of whether the area of national security falls within the scope of EU law at all is the subject of dispute between the parties.
The second sentence refers to the government’s argument: that UK national security concerns trump European law. Unfortunately, the High Court does not provide an answer as to whether UK law can ignore CJEU decisions when it comes to securing the nation. This will have to wait until after a decision is handed down in another challenge to the surveillance law.
[I]n our view, although the terms of section 94 of the 1984 Act and the terms of Part 4 of the 2016 Act are not identical, the questions which have been referred by the IPT are not confined to the precise scope of section 94. Rather they raise broader questions about the scope of EU law, having regard to Article 4 TEU and Article 1(3) of the e-Privacy Directive; and also raise the particular question of whether any of the Watson CJEU requirements apply in the field of national security.
For those reasons we refuse the application by the Claimant to make a reference to the CJEU on this question. This part of this claim will be stayed pending the CJEU’s decision in the reference in the Privacy International case.
In the end, the court decides this part of the Snoopers Charter must be stricken and rewritten to comply with EU privacy protections. The UK government has six months to fix the law. Until that point, it appears UK agencies will still be able to demand data in bulk under the Charter draft. Once the fixes are in and enacted, bulk collections of internet browsing data and communications metadata will cease… at least until the UK exits the European Union.