The Court of Justice of the European Union (CJEU) ruled last week that general mass surveillance programs unlawfully violated provisions of the European Union’s Charter guaranteeing EU citizens a right to privacy and their right to protection of personal data, raising questions about the United Kingdom’s Investigatory Powers Act 2016 (colloquially known as the “Snooper’s Charter”), slated to go into effect on December 31, 2016. While this controversial ruling could pave the way for future legal attacks on the UK’s mass surveillance program within the British court system, the direct impact of the CJEU’s decision is unclear: the UK’s forthcoming exit from the European Union pursuant to the “Brexit” referendum will strip the CJEU of jurisdiction over the UK’s laws.
The Snooper’s Charter, originally proposed by then Home Secretary and current UK Prime Minister Theresa May, would require communication service providers (CSPs) to retain the internet usage data of UK internet users for one year, regardless of whether the internet user was suspected of committing or planning any crime. Proponents of the law describe it as a necessary counter-terrorism tool to preserve data for law enforcement to more effectively investigate potential self-radicalized extremists, who often develop their ideologies with the aid of the internet. Without a law requiring private companies to preserve user data, law enforcement officers could face evidentiary barriers when seeking to head off potential terrorists before they strike. But critics accuse the Snooper’s Charter of enshrining parallel construction into law by encouraging law enforcement to build a parallel—or separate—evidentiary basis for a criminal investigation in order to conceal how the investigation actually began. The UK law also created a legal obligation for CSPs to help with targeted interception of data in connection with open investigations – but the investigators do not need a warrant to access the data and instead only require that their request be signed off by a senior officer.
While the UK law attempted to give concessions to privacy advocates by limiting the data retained to only information about which websites were visited (but not the particular pages and not the full browsing history), critics demanded further privacy safeguards such as judicial authorization and notification. In response to these criticisms, Conservative MP David Davis and Labour MP Tom Watson, together with a coalition of interest groups including Liberty (an independent human rights organization), the Law Society (the representative body for solicitors in England and Wales), the Open Rights Group (a campaigning group for digital rights and civil liberties) and Privacy International (a human rights watchdog focused on privacy intrusions), initiated a legal challenge against the Snooper’s Charter in the CJEU in April 2016.
MP Davis, who claimed that the Snooper’s Charter allowed the British government to “treat the entire nation as suspects,” brought the case before the CJEU seeking clearly defined “minimum standards” European nations must meet to safeguard individual privacy rights of EU citizens when implementing mass surveillance programs. The CJEU consolidated Davis’s appeal with a Swedish Telecoms case examining Swedish data retention laws, and fifteen European Union states intervened to support their own mass surveillance programs.
The case revolved around a request for clarification from the CJEU following that court’s 2014 decision in Digital Rights Ireland and Others, which struck down the EU Parliament’s own “Data Retention Directive” of 2006. The Directive had required that all CSPs operating in Europe must collect and retain a subscriber’s incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. In Digital Rights Ireland, the CJEU found that the bulk data collection violated the EU Charter’s guarantees of a general right to privacy and right to protection against collection of personal data because it lacked proportionality; the court characterized the Directive as “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.”
In its ruling last week, the CJEU extended its Digital Rights Ireland decision to data retention programs implemented by its member states by stating that the “general and indiscriminate retention” of data without reference to a serious crime conflicted with the EU Charter. The Court held that, absent some showing of urgency, the general rule should be that the relevant competent national authorities “submit a reasoned request to the court or an independent administrative body who should review that request and make a decision.” Furthermore, member states who use retained data “must notify the persons affected, under the applicable national procedures, as soon as that notification is no longer liable to jeopardize the investigations being undertaken by those authorities,” as “[t]hat notification is . . . necessary to enable the persons affected to exercise . . . their right to a legal remedy.”
The ultimate impact of the CJEU’s ruling is unclear due to the UK’s forthcoming exit from the European Union. Proponents of Brexit point to the CJEU’s decision as emblematic of the need to return final decisions on British law to British hands. And while the Snooper’s Charter would still be good law after the UK removes itself from the jurisdiction of the CJEU, some commentators have asserted that the CJEU’s ruling will force revision of the Snooper’s Charter because strict EU rules forbid the sharing of personal data with countries that do not meet its strict data privacy standards. Somewhat ironically, MP Davis, who just won his legal challenge against the Snooper’s Charter because of the European Union’s Charter, is now in charge of negotiating the UK’s exit from the EU. The British government is currently seeking an appeal of the CJEU’s interpretation before the UK’s high court.