Elements of internet surveillance legislation that was rushed through the UK parliament in a matter of days last year are unlawful and will have to be rethought, the High Court has ruled.
In response to a challenge brought by MPs David Davis and Tom Watson, the High Court found that sections one and two of the UK's Data Retention and Investigatory Powers Act 2014 (DRIPA) are incompatible with the public's right to private life and communications and the protection of personal data under articles seven and eight of the EU Charter of Fundamental Rights.
The DRIPA legislation was pushed through Parliament a year ago by the then-coalition government, which claimed such "emergency" legislation was necessary because three months earlier the Court of Justice of the EU had ruled the existing EU legislation on data retention was too sweeping. The UK government hurried through the DRIPA legislation because without it, the government said, it would lose vital powers to protect UK citizens from crime.
Conservative MP David Davis said: "The court has recognised what was clear to many last year, that the government's hasty and ill-thought through legislation is fatally flawed. They will now have to rewrite the law to require judicial or independent approval before accessing innocent people's data." He added: "This change will improve both privacy and security, as whilst the government gave Parliament one day to consider its law, the court has given almost nine months."
Under DRIPA, communications companies are required to retain communications data for 12 months. This includes the location, time and duration of emails, calls, texts and web activity, which can then be accessed by a number of government bodies.
Critics such as Liberty, which represented the two MPs, argue this data is subject to an "extremely lax" access regime. Liberty said the information can be acquired by "hundreds of public authorities, many of which can authorise access themselves for a broad range of reasons that have nothing to do with the investigation of serious crime". Roughly half a million requests are granted each year, it said.
The High Court found sections one and two of DRIPA unlawful on the basis that they fail to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences, and also that access to data is not authorised by a court or independent body.
However, these sections of DRIPA will remain in force until the end of March 2016 to allow time for the government to legislate properly. The government has said it will appeal the ruling.
Labour MP Tom Watson said: "The government was warned that rushing through important security legislation would end up with botched law. Now the High Court has said they must come back to Parliament and do it properly. The government gave MPs one day to discuss the legislation, which was wrongly represented as respectful of people's right to privacy."
It's just the latest in a long series of clashes between the government and privacy campaigners over internet privacy. And there is more to come - later this year the government intends to reintroduce a version of the so-called snoopers' charter, which would give it wider powers to collect data.