UK surveillance regime dealt another blow in court

The UK government has suffered yet another defeat in the courts over a surveillance regime that critics have dubbed a ‘Snooper’s charter’.

Today the UK High Court agreed with several aspects of digital and civil rights group Liberty’s crowdfunded legal challenge to a portion of the UK’s 2016 Investigatory Powers Act that gives the state the power to mandate that communications companies and service providers collect and retain web activity logs, comms metadata and location information on all their users for a full 12 months.

The provision for a blanket retention of citizens’ digital data — which can be accessed by a wide range of public bodies for all sorts of purposes — has always been controversial, though the government contends that retention is necessary for law enforcement and national security purposes.

Liberty’s challenge to this section of the IP Act included the fact that the retained metadata could be accessed by dozens of public bodies without independent authorization by a court or independent agency; that the bar for accessing the data was merely “crime-fighting” rather than for “serious crime”; and also that the data could be accessed — using other powers in the IP Act — for various non-crime purposes, including collecting taxes and fines; and for regulating financial services.

Ministers have been given until November 1 to amend the aspects of the legislation that have been judged unlawful by the High Court — which means the government will need to change the law to require prior review by a court or independent administrative body to access the data; and — in the context of crime-fighting — to only allow access for purposes related to combatting “serious crime”.

The court did not affirm one of Liberty’s other contentions, however — declining to find that Part 4 was unlawful on the grounds that it constituted “general and indiscriminate” retention of data. (Though EU jurisprudence would likely have reached a different conclusion.)

The Home Office has seized on that aspect of the ruling in its response statement — writing that “the Court found that our current data retention regime is neither general nor indiscriminate”, and quoting from a portion of the judgement where the judges say: “We do not think it could possibly be said that the legislation requires, or even permits, a general and indiscriminate retention of communications data.”

“We have already committed to bring forward amendments to our regime for Parliament to debate and vote on, along with the communications data code of practice, and will do so in line with the Court’s timetable,” the Home Office adds, confirming it will comply with the court’s timeline for reworking the legislation.

Liberty said it asked the High Court to refer questions of EU law to Europe’s top court – including the question of whether EU privacy laws apply to retention orders issued for national security purposes and whether retained data must be kept within the EU so it can be protected by EU privacy and data protection rules. But it says the Court did not refer those questions because they are already set to be decided in another case pending before the CJEU.

Commenting in a statement, Martha Spurrier, director of Liberty, said: “Police and security agencies need tools to tackle serious crime in the digital age — but creating the most intrusive surveillance regime of any democracy in the world is unlawful, unnecessary and ineffective.

“Spying on everyone’s internet histories and email, text and phone records with no suspicion of serious criminal activity and no basic protections for our rights undermines everything that’s central to our democracy and freedom — our privacy, free press, free speech, protest rights, protections for journalists’ sources and whistleblowers, and legal and patient confidentiality. It also puts our most sensitive personal information at huge risk from criminal hackers and foreign spies.”

It’s unclear whether the government or any public bodies have actually made use of the powers since the law was passed at the end of 2016. A European Court of Justice (CJEU) ruling in December of the same year — asserting that general and indiscriminate retention of comms data is illegal — clearly dealt a major blow to its ambitions for the freshly inked legislation.

Since then the government has been trying to come up with amendment proposals to plaster over the unlawful cracks in its surveillance regime.

Liberty says the government had also conceded, prior to today’s ruling, that non-crime portions of Part 4 of the IP Act contained the same flaws it’s been proposing to amend elsewhere, but that it asked the court for a further year to keep applying it — a request the judges denied, granting half a year instead.

At the start of this year the UK Appeals Court demolished the IP Act’s predecessor — 2014’s DRIPA, which was the ‘emergency’ surveillance stop-gap the government put in place to give it time to draft the full Snooper’s charter — judging that DRIPA’s bulk collection and retention of citizens’ Internet activity and phone records had been unlawful.

There’s some pretty clear legal guidance here, certainly in EU courts, yet the majority of UK politicians on both sides of the bench appear unable to see it.

Albeit, at least where ministers are concerned, the government’s M.O. looks very much like an attempt to legislate as close to the limit of the law as the courts will subsequently allow, leaving the taxpayer and the rights-concerned public to foot the legal bills.

Liberty is launching the second phase of its crowdfunding campaign today to finance the next round of its legal fight against other portions of the sweeping surveillance powers — including challenging bulk hacking powers; bulk interceptions of communications data; and the linking of personal data via massive ‘bulk personal datasets’.

“The Court has done what the government failed to do and protected these vital values — but today’s ruling focuses on just one part of a law that is rotten to the core,” added Spurrier. “It still lets the state hack our computers, tablets and phones, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality. Liberty’s challenge to these powers will continue.”

This report was updated after the Home Office sent us their response.