Good news for privacy - Investigatory Powers Act vs CJEU

As reported by the BBC, the European Court of Justice has made a ruling that could seriously impact the powers in the Investigatory Powers Act to collect data on everyone in the UK.

The IP Act has provisions, much like the Data Retention and Investigatory Powers Act (DRIPA) it replaces, and the Data Retention Directive (DRD) before it, to retain data about use of communications systems.

The IP Act actually pushes this much further - previously telcos/ISPs could have been asked to retain certain data they processed (e.g. telephone itemised billing records) but could not be required to actually generate data they were not processing. The IP Act allows much more and it has been made clear that the government wish to log usage of the Internet in some detail - down to the level of recording every web site everyone has accessed. This is far more than just retention of data, and would apply to everyone, even those not suspected of any crime.

The good news is that the ruling from the CJEU is that this sort of mass retention of data is not consistent with our basic human rights and EU law. These apply regardless of whether we leave the EU or not.

The BBC article is not ideal in its analysis, and Open Rights Group have a much better analysis (here).

Retention is an invasion of privacy

The key point of argument here is that the UK Government considered that indiscriminate retaining of data should be allowed as long as access to that data was restricted and controlled in a suitable way. However, that is not the case. The court ruled that indiscriminate retaining of data was simply not acceptable. You have to be much more specific about whose data is to be collected to target suspects in a crime.

Only to be used for serious crime

The court also looked at the issue of controls over access to the retained data. Again, this did not go well as the access has to be restricted to only serious crime. The IP Act tries to even redefine serious crime to include things that are not serious, so that will have to change too.

Proper independent authorisation of requests for data

On top of that - the access to the retained data should be approved by an independent body, such as a court, and not simply by the current system of a Designated Senior Officer. This could finally mean we see proper court warrants for access to retained data.

No more secrecy

As I have long said, the secrecy around data retention and collection of data is not really acceptable. The ruling says subjects of access should be told about it once there is no longer a risk of prejudice to the investigation.

We can still catch criminals

None of this stops wire taps (or the Internet equivalent) on suspects in serious crime, set up and accessed with the proper controls. All it stops is the indiscriminate logging of everything we all do on the Internet - and that is a good thing - we are all meant to be innocent until proven guilty, after all.

Read more

Read the ORG article for a lot more useful insight in to this ruling.


  1. Great though this decision is, the IP Act, having received Royal Assent, is current UK law. Am I correct in thinking that nothing legally prevents the government from serving a data retention order on any ISP tomorrow (if they haven’t already done so?) and that said ISP would still be prohibited from revealing the fact. They have no intention of amending the act before this case is reheard in the UK Court of Appeal and even if that goes against them I’m sure they’ll find a way drag things out. So until the IPA is actually amended can they not effectively ignore today’s ruling?
    Please tell me I’m wrong.

    1. Could the ISP that's been served appeal the order to a non-secret court, in light of the ECJ ruling? (i.e. they may not be allowed to explicitly tell everyone they've been served, but maybe they can ledge a non-secret court case that effectively reveals the order).

    2. As the Home Office has said that it will not be making changes, and will defend any claims that DRIPA (bear in mind that the case was not about the IPA) robustly, probably fair to say that there will be no changes to any plans they have around data retention for the time being.

  2. On the rare occasions I've ever talked to the police they've seem to have spent more time trying to avoid taking action rather than getting on with the job.

    I was even mugged, dragged up a road by people in a mini-van and subsequently run over by said mini-van. I ended up in hospital with a number of broken ribs (the paramedics were expecting punctured lungs apparently) and ankles that visibly swelled when I finally left hospital and tried to walk again. I was only dragged along though because they tried grabbing my bag and I insisted on holding on.

    They could have sent the bag away to be tested and examined more closely but apparently decided not to do so because of the time and expense involved in the process.

    Apparently attempted murder isn't enough to encourage further investigation.

    Tracking down journalists that happen to be exposing lies of chief constables on the other hand...

  3. I've been extremely fortunate every time I've dealt with the police. When my father died suddenly the officers who came out were truly worthy of commendation. Twice I've been a victim of minor crime and the local police have been marvellous, indeed on the most recent occasion they sorted the matter out within hours and with zero hassle. Indeed they were defending those who are most vulnerable, and with no jobs worth attitude. On one occasion my employer asked me to help the police, with technical expertise and once the local police came to me personally to ask for my help concerning the internet and examination of computers. On these occasions I got a very favourable impression of their attitude. So it seems I myself have seen nothing but the good. Unfortunately that isn't true for everyone.

    1. Indeed, they can be very good, and for specific targeted investigations nobody has a real issue with helping them. Just the scope of the IP Act goes so much further than that.

  4. Adrian. From my reading of the IP Bill Communications Service Providers can be requested when necessary to start maintaining 12 months of ICRs for user(s) - at this stage all ISPs are not busy installing huge SANs to store all ICR records etc. My question to you is this:

    Do you think its feasible/likely for them (.gov) to just go higher up the foodchain. E.g All TalkTalk, OpenReach or Virgin backhaul links get snooped. So they see a vast majority of UK unencrypted internet traffic without bothering most ISPs to lift a finger? If so a feeling of "My ISP has never had a warrant so im outside their current reach" might be a false sense of security?

    1. Read my other post, as we don't think that is actually allowed by the Act.

  5. You don't seriously still rely on the BBC for accurate news ? in fact rely on them to publish news stories that don't fit their agenda? BBC is a fake news publisher


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

TOTSCO 66 is guidance, optional

I feel I need to explain this. The TOTSCO call today, first I have been on, and wow! But a key point was TOTSCO bulletin 66, which is actual...