Summary: The U.K. Court of Appeal Ruling and What’s Next for the Investigatory Powers Act

The U.K. Court of Appeal has held that Section 1 of an expired state surveillance law, the 2014 Data Retention and Investigatory Powers Act, was unlawful as it related to “access to retained data,” or personal data held for criminal justice or public protection purposes. While some, such as Security Minister Ben Wallace, argue that Tuesday’s ruling in SSHD v. Watson and Others does not undermine the government’s surveillance regime, the judgment could have a fatal impact on the Investigatory Powers Act (IPA), which imposes more expansive obligations on providers than those found in the 2014 act. Only time—and litigation—will tell.

The Data Retention and Investigatory Powers Act was first challenged in 2014, when two members of Parliament, Tom Watson and David Davis, argued that Section 1—which provided powers for retaining certain communications data—was contrary to EU law as expounded upon in the European Court of Justice case, Digital Rights Ireland. The U.K. High Court agreed with Davis and Watson in July 2015. The British government appealed, and the U.K. Court of Appeal referred the case to the European Court of Justice for clarification of the applicable EU law.

The European Court of Justice ruled in December 2016 on Tele2 Sverige and Watson and Others—a joined judgment directed at the Watson litigation and Swedish litigation dealing with similar issues—that “general and indiscriminate” national data retention laws are inconsistent with EU privacy directives. Further, the court imposed safeguards on EU member states’ use of retained data, including stating that EU directives preclude legislation allowing national authorities to access retained data that is not restricted solely to fighting serious crime; for which access was not subject to prior review by a court or an administrative body; and for which there is no requirement that it be retained in the EU. It also established that national authorities must notify individuals after their data has been accessed, as soon as the notification will no longer jeopardize the investigations for which access was justified. Andrew Keane Woods covered the court ruling in this Lawfare post, and Shannon Togawa Mercer and I wrote about the legal framework undergirding U.K. and EU data privacy here.

After the European court ruled in Tele2 Sverige and Watson and Others, the U.K. Court of Appeal had to apply the decision to Watson’s challenge against the Data Retention and Investigatory Powers Act. The Court of Appeal reheard the Watson case on Dec. 8, 2017 and ruled that:

Section 1 of the Data Retention and Investigatory Powers Act 2014 was inconsistent with EU law to the extent that, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, it permitted access to retained data:

(a) where the object pursued by that access was not restricted solely to fighting serious crime; or

(b) where access was not subject to prior review by a court or an independent administrative authority.

The court took care not to rule on data retention in the EU or on the requirement that affected persons be notified when their data is accessed, although the decision indicated the U.K. court’s hope that the European court would offer further clarity on both. The U.K. Court of Appeal limited its judgment to data retained for the purposes of prevention, investigation, detection and prosecution of criminal offenses.

Implications for the Investigatory Powers Act

The Court of Appeal limited its holding to data retained for prosecution in part because there is ongoing litigation relating to data retained for national security purposes as authorized by the Investigatory Powers Act. That law was enacted to succeed the Data Retention and Investigatory Powers Act (DRIPA) after Sections 1 and 2 of DRIPA were repealed in December 2016. Arguably, the Investigatory Powers Act reinstates many provisions similar to those that made DRIPA controversial in the first place. For a summary of the act and its most contentious provisions, see this Lawfare post by Jillian Ventura.

Aware of the problems inherent to the IPA, Home Secretary Amber Rudd announced on Nov. 30, 2017, that the British government planned to change its data acquisition and retention regime so as to comply with the European court decision in Tele2 Sverige and Watson and Others. As part of this effort, the government proposed amendments to the Investigatory Powers Act as well as a draft communications data code of practice. The Home Office sought views from the public, through Jan. 18, on both proposed changes to the communications data regime and is analyzing the results of its consultation.

Some organizations remain skeptical about whether the government’s consultation will result in meaningful changes to the Investigatory Powers Act, though they tend to suggest that the recent judgment necessitates large scale changes. Other organizations, like Privacy International, also fear that the Court of Appeal’s judgment does not go far enough.

If the government will not make sufficient changes to the IPA on its own, however, the rights group Liberty is prepared to engage with the act in court. Liberty was granted permission in June to challenge the IPA’s compliance with Tele2 Sverige and Watson and Others; the proceedings are scheduled for Feb. 27-28. While it remains to be seen whether the government’s proposed changes are sufficient to preclude the IPA from suffering the same fate as the 2014 legislation it was designed to replace, one thing is clear: the recent judgment will inform the debate.