Stop-gap legislation that allowed the British government to continue ordering telecom and Internet companies to retain communications data for 12 months is unlawful, the U.K.’s high court ruled on Friday.
The ruling sets an example for other European Union countries looking to introduce new data retention laws following a European court ruling last year.
Many E.U. member states scrapped laws based on the E.U. Data Retention Directive demanding the storage of telecom and Internet metadata after an April 2014 ruling from the Court of Justice of the European Union (CJEU) found that the directive violated fundamental privacy rights. Since then, though, many governments have moved to introduce new data retention laws that would provide law enforcers with continued access to communications data without, they say, violating fundamental rights.
Following the CJEU ruling, the U.K. government rushed through a new data retention law, the Data Retention and Investigatory Powers Act 2014 (DRIPA), through Parliament.
Two members of Parliament, David Davis and Tom Watson, called for a judicial review of DRIPA, saying it is incompatible with the European Convention on Human Rights and the E.U. Charter of Fundamental Rights, which cover fundamental privacy rights.
On Friday, the U.K. High Court ruled that Section 1 of DRIPA would not apply after March 31, 2016, effectively giving the government nine months to come up with a new data retention law. The act does not ensure that access to and use of retained data is restricted to the prevention and detection of precisely defined serious offences, nor does it require a court or to grant such access or use, the ruling said.
Davis, an MP for the ruling Conservative Party, welcomed the ruling: “The court has recognized what was clear to many last year, that the Government’s hasty and ill-thought through legislation is fatally flawed. They will now have to rewrite the law to require judicial or independent approval before accessing innocent people’s data.”
Watson, a member of the opposition Labour Party, said any new law should provide independent oversight of the Government’s data-collection powers.
Other E.U. countries, while less hasty than the U.K., are also keen to reintroduce data retention laws. For example, in Germany the government unveiled plans in May for a law that would oblige providers to store call and Internet traffic metadata for up to 10 weeks, while location data would have to be stored for four weeks. Germany hasn’t had a data retention law since the German Federal Constitutional Court ruled the previous law unconstitutional in 2010. In the Netherlands, where the national data retention law was scrapped by a court in March, the government is looking to introduce a new one as soon as possible.
Reacting to the U.K. ruling, Member of the European Parliament Jan Philipp Albrecht wondered how many high courts in the E.U. will have to judge data retention unlawful before the European Commission and E.U. countries start enforcing the CJEU ruling.
The U.K. government plans to appeal the ruling. Security Minister John Hayes warned that, without a data retention law, communications data that could potentially save lives would only be available to the police and other law enforcement if a communications company had decided to retain it for commercial reasons.