The UK’s Court of Appeals has ruled that the Data Retention and Investigatory Powers Act (DRIPA) is “inconsistent with EU law”, as it did not restrict police access to confidential personal phone and web browsing records to investigations of serious crime, and did not provide independent oversight of access by police and other public bodies, who could authorise their own access.

Section 1 of the Data Retention and Investigatory Powers Act 2014 was inconsistent with the EU law to the extent that, for the purposes of prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data:-

  1. where the object pursued by that access was not restricted solely to fighting serious crime; or
  2. where access was not subject to prior review by a court or an independent administrative authority.

DRIPA was passed in 2014 as “emergency” legislation with very little Parliamentary debate, and lapsed in 2016. It paved the way for, and was replaced by, the Investigatory Powers Act in 2016 (nicknamed the “Snooper’s Charter”), which further broadened surveillance powers such as targeted interception of communications, bulk collection of communications data and bulk interception of communications, and required Internet Service Providers to keep records tracking use of the internet from the UK – all of which were accessible by the police and security services without judicial oversight.

Earlier, in 2016, the European Court of Justice (ECJ) had found that the UK’s “general and indiscriminate retention” of communications data was illegal (full text).

The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.

The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.

The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.

While DRIPA has already lapsed, the ruling is significant because the Investigatory Powers Act (2016) that succeeded it carried forward the provisions now ruled unlawful.

This ruling has extensive implications for mass digital surveillance legislation in the UK, as the government will now have to revise the existing laws on mass surveillance.

Nikhil adds: India, meanwhile, has no privacy law, and, as far as we know, no laws preventing mass surveillance. It also has no definition for the term “National Security”, which gives the government disproportionate power to surveille citizens.