The UK government's controversial Snoopers' Charter was dealt a blow today, after the European Court of Justice (ECJ) ruled that "general and indiscriminate" retention of online traffic is unlawful.
The ECJ's ruling comes just one month after the UK passed the Investigatory Powers Act (IPA), better known as the Snoopers' Charter, which requires internet providers to record every customer's top-level web browsing history for up to one year.
However, according to the ECJ, under EU law such online traffic data should only be retained when operations are carried out in a targeted manner, and in the course of fighting "serious crime".
The UK government says it is assessing the potential impact of the ruling.
"We are disappointed with the judgment from the European Court of Justice and will be considering its potential implications," said a UK Home Office spokesperson.
The ECJ ruling stems, in part, from a challenge to the UK government's Data Retention and Investigatory Powers Act (DRIPA) 2014, which will be replaced by the IPA from the end of December. In July, the UK High Court ruled against DRIPA, triggering an appeal by the government. It was judges at the UK Court of Appeal who then referred the DRIPA case to the ECJ, to clarify EU law on surveillance, and who will now finish considering the case.
Privacy International, one of several pressure groups that supported the legal challenge, welcomed the decision.
"Today's judgment is a major blow against mass surveillance and an important day for privacy," said Camilla Graham Wood, legal officer with Privacy International.
"It makes clear that blanket and indiscriminate retention of our digital histories - who we interact with, when and how and where - can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep. Unfortunately, those safeguards are not present in the Investigatory Powers Act, which is why it's a Snoopers' Charter."
In a summary of its judgment against indiscriminate data collection, the ECJ said "the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained".
Even where targeted retention of data takes place, the categories of data to be retained, the means of communication affected, the persons concerned and the retention period should be limited to "what is strictly necessary", the court found.
"Some of the EU Court of Justice's requirements may be addressed relatively easily by changes to the IP Act, but others may cause the UK government serious difficulties," said Graham Smith, partner at international law firm Bird & Bird LLP.
In particular, he highlighted that "serious disagreements are likely over where the boundary lies between targeted and general data retention".
The UK's IPA is also at odds with the ECJ stipulation that data should only be retained in the fight against "serious crime", he said. Smith also highlighted how the IPA fell short of ECJ requirements for controlling access to data and the need to store data within the EU.
David Anderson Q.C., the UK's independent reviewer of terrorism legislation, believes the ECJ ruling is likely to mean the IPA will have to be amended, "either by further primary legislation or by a statutory instrument".
Jim Killock, executive director of the Open Rights Group, which also supported the legal challenge against DRIPA, said: "The CJEU has sent a clear message to the UK government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.
"The government knew this judgment was coming but Theresa May was determined to push through her snoopers' charter regardless. The government must act quickly to re-write the IPA or be prepared to go to court again."
The case against DRIPA was brought by Labour deputy leader Tom Watson and UK Brexit secretary David Davis, who withdrew his support for the case upon taking up his ministerial post.
According to a Privacy International spokesperson, the ruling's potential impact on UK surveillance legislation is complicated by the country's recent vote to leave the European Union, which will eventually result in the UK no longer falling under EU jurisdiction.
However, the ECJ's ruling may still have a bearing on UK law after Britain leaves the EU, according to Bird & Bird's Smith.
"Should the UK become a data protection 3rd country -- like the USA -- post-Brexit, then it may seek an 'adequacy' decision from the European Commission that the UK's protections for personal data are essentially equivalent to those in the EU, so as to enable personal data to be transferred from the EU to the UK," he said.