Privacy & Information Security Law Blog

On December 21, 2016, a judgment by the Court of Justice for the European Union (the “CJEU”) that clarifies EU surveillance laws has called into question the legality of the UK’s Investigatory Powers Act 2016. The decision in Case C-698/15 could have significant implications on the UK’s chances of securing “adequacy” status for its data protection regime post-Brexit.

The case, brought by members of the UK parliament, challenged the legality of the UK’s Data Retention and Investigatory Powers Act 2014 ("DRIPA") on the basis that it was incompatible with individuals’ fundamental rights to privacy and data protection under the European Charter of Fundamental Rights. In its judgment, the CJEU cites the principle of proportionality, stating that national legislation that sets forth the conditions under which e-communications service providers must grant national authorities access to retained data must ensure that access does not exceed the limits of what is strictly necessary. Only the objective of fighting serious crime is capable of justifying the monitoring of retained communications and location data, and the general and indiscriminate retention of data exceeds these limits. The CJEU also stated that national authorities should not be able to authorize such actions themselves, and instead should be required to seek authorization from national courts or other independent bodies.

The Investigatory Powers Act 2016 replaces DRIPA in UK law, but has been widely criticized by a number of privacy groups who have labelled it a “snoopers’ charter” on account of the broad and indiscriminate powers it affords UK intelligence authorities. Although it does not directly address the legality of the Investigatory Powers Act, the CJEU judgment fuels the prospect of challenges from privacy groups.