UK Court of Appeal finds metadata retention regime inconsistent with EU law

Secretary of State for the Home Department v Watson [2018] EWCA Civ 70

Summary

The United Kingdom Court of Appeal has decided that aspects of the Data Retention and Investigatory Powers Act 2014, which has now been repealed, were unlawful.  The Court found that allowing public bodies access to the phone records and internet activity of individuals in the United Kingdom, in circumstances where there is an absence of suspicion of serious crime and independent sign off allowing access, is illegal.   

Facts

This case challenged the validity of Section 1 of the Data Retention and Investigatory Powers Act (DRIPA).  DRIPA - which has now been repealed and replaced with the Investigatory Powers Act 2016 (IPA) - forced public telecommunication companies to store certain data for a maximum period of 12 months.  Data that was required to be stored included geographical information relating to the location of individuals and metadata such as to whom and when individuals made telephone calls and sent text messages.

The judicial review proceedings were brought by Labour Party MP Tom Watson on the basis that DRIPA contained inadequate protections for British people's fundamental rights.  The issue was not about the retention of data by telecommunication providers, but that there were inadequate safeguards protecting that data.  More specifically, Watson raised issue with the fact that:

1. access to the data was not restricted for the purpose of fighting serious crime; and
2. there was no independent body that existed to decide when access to data was appropriate.

The High Court agreed that DRIPA breached a number of fundamental individual rights. In its initial judgment of 20 November 2015, the Court of Appeal referred the question to the Court of Justice of the European Union (CJEU).

Decision

In considering the referred issues, in December 2016 the CJEU backed the High Court, holding that DRIPA existed in breach of EU law. The relevant provisions of the EU Charter were Article 7, which protects respect for private and family life, and Article 8, which concerns the protection of personal data. More specifically, the CJEU held that EU law precluded:

1. national legislation which, for the purpose of fighting crime, provides for indiscriminate retention of all traffic and location of registered users; and
2. national legislation governing the protection and security of traffic and location data unless solely for the purpose of fighting serious crime, where access to the data is not subject to the prior review of a court or independent administrative authority. 

The Court of Appeal interpreted this to mean, at least, that where the purpose is the prevention, investigation, detection and prosecution of criminal offences:-

1. access to and use of retained communications data should be restricted to the objective of fighting serious crime; and
2. access to retained data should be dependent on a prior review by a court or an independent administrative body.

In light of the above, the Court of Appeal unanimously decided that, in the context of fighting crime, Section 1 of DRIPA was inconsistent with EU law and that declaratory relief was appropriate.

Commentary

The IPA now contains the United Kingdom’s data retention arrangements. Although the relevant parts of the DRIPA have been repealed, this judgment will have consequences for the legality of the IPA. That Act is currently the subject of a separate challenge, which was heard by the High Court in February, including a claim that the IPA does not comply with the CJEU’s judgment in the present case.

This case is particularly significant in light of the new data retention laws that came into effect in Australia on 13 October 2015. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 provided, for the first time in Australia, an obligation on Australian communication providers to retain data.   

Interestingly, the Australian laws are more onerous and invasive than Section 1 of DRIPA. They otherwise have the features the Court of Appeal found to be contrary to EU law. Under the Australian law, telecommunication providers must retain data about the use of services for a two year period.  Further to this, there is no independent body that will authorise access to data in appropriate cases, with criminal law enforcement and intelligence agencies such as the Australian Security Intelligence Organisation and the Australian Federal Police able to self-authorise access to the stored metadata.  Under the Australian legislation, self-authorisation is allowed if it is necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty or for the protection of public revenue.

It is apparent that Australian legislation would not be consistent with EU law. 

The full decision can be found here.

Rachel Hardy is a lawyer at Lander & Rogers.