Government IS breaking the law by collecting everyone's internet and call data and accessing it with no independent sign-off and no suspicion of serious crime

21 December 2016

  • In first major post-Brexit judgment involving the UK, Court of Justice of the EU backs Tom Watson MP, represented by Liberty, in landmark challenge to Government surveillance
  • Ruling effectively means significant parts of the new Investigatory Powers Act are unlawful and must be urgently changed

The Government is breaking the law by indiscriminately collecting the nation's internet activity and phone records and letting hundreds of public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off – meaning significant parts of its new Snoopers’ Charter are effectively unlawful.

Judges at the EU Court of Justice (CJEU) have today backed a challenge by MP Tom Watson, represented by Liberty, to the Data Retention and Investigatory Powers Act (DRIPA) – the temporary emergency law that covers state surveillance.

DRIPA will expire on 31 December – but the Government has since replicated and vastly expanded the same powers in its new flagship surveillance law, the Investigatory Powers Act, which passed in November.

Today’s ruling means major parts of that new Act are in effect unlawful – and the Government will need to urgently and fundamentally amend it.

Martha Spurrier, Liberty’s Director, said: “Today’s judgment upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The Government must now make urgent changes to the Investigatory Powers Act to comply with this.

“This is the first serious post-referendum test for our Government’s commitment to protecting human rights and the rule of law. The UK may have voted to leave the EU – but we didn't vote to abandon our rights and freedoms.”

Tom Watson MP said: “This ruling shows it's counter-productive to rush new laws through Parliament without a proper scrutiny.

“At a time when we face a real and ever-present terrorist threat, the security forces may require access to personal information none of us would normally hand over. That's why it's absolutely vital that proper safeguards are put in place to ensure this power is not abused, as it has been in the recent past.

“Most of us can accept that our privacy may occasionally be compromised in the interests of keeping us safe, but no one would consent to giving the police or the government the power to arbitrarily seize our phone records or emails to use as they see fit. It's for judges, not Ministers, to oversee these powers. I'm pleased the court has upheld the earlier decision of the UK courts.”

Today’s ruling

DRIPA forces communications companies to store every person’s “communications data” – the who, what, when, where and how of every email, text, phone call, and internet communication, including those of lawyers, doctors, MPs and journalists.

This data is subject to an extremely lax access regime, which lets hundreds of organisations and government agencies – from police forces to HMRC – grant themselves access for a wide range of reasons that have nothing to do with investigating serious crime.

CJEU judges have ruled this regime breaches British people’s rights because it:

  • allows general and indiscriminate retention of all communications data 
  • does not restrict access to this data to the purpose of preventing and detecting precisely defined serious crime.
  • lets police and public bodies authorise their own access, instead of subjecting access requests to prior authorisation by a court or independent body.
  • does not provide for notification after the event to people whose data has been accessed.
  • does not require that the data be kept within the European Union. 

What this means for the Investigatory Powers Act

Since this legal challenge was launched in 2014, the Investigatory Powers Act has not only re-legislated for the powers found unlawful today, but gone much further.

The Act has dramatically expanded powers to gather data on the entire population, while maintaining the controversial lack of safeguards that resulted in this legal challenge.

Under it, the state now also has access to every person’s internet use – every website visited or app used – which service providers must generate and store for 12 months.

This creates vast databases of deeply sensitive and revealing personal information which – at a time when companies and governments are under increasingly frequent attack from hackers – creates a goldmine for criminals and foreign spies.

This data can be accessed by dozens of public authorities with no need for suspicion of criminality or prior sign-off from a judge or other independent official. These include the NHS, Department for Work and Pensions and Gambling Commission.

The Investigatory Powers Act has also legalised other unprecedented bulk spying powers – including bulk hacking, interception of phone calls and emails on an industrial scale and collection of huge databases containing sensitive information on millions of people – which could integrate records such as Oyster card logs and Facebook back-ups.

Liberty believes these indiscriminate powers are also unlawful and is preparing to challenge them in court.