In a landmark ruling today, the Investigatory Powers Act – a flagship but highly controversial piece of legislation of the current Conservative government – has been ruled illegal by the European Union’s Court of Justice.

Ironically, the case government was originally brought to the court by Brexit minister David Davis before his appointment (against the DRIPA legislation which the IP Act replaced), as well as Deputy Labour Party Leader Tom Watson and campaign groups Liberty and Open Rights Group. A separate case brought by Swedish telecoms firm Tele2 was also heard in conjunction.

Despite some opposition, the bill passed through the House of Lords last month and was set to become law after receiving Royal Assent. The Court ruled that the law – and in particular the provision for the bulk collection of internet user history – was not ‘necessary, appropriate and [a] proportionate measure within a democratic society’ and violated rights to privacy and the protection of personal data as guaranteed by the European Union.

The IP Act is particularly onerous for telecoms and technology companies, given that they will be forced to invest in new technology systems to meet the data storage and encryption requirements implied by the provision for this mass data collection. According to Computer Weekly, “a typical 1GB home internet connection usually has about 15TB of data passing through it every year. At least 21 million UK homes are connected to the internet, not including mobile internet connections.”  The telecoms companies will also have to the meet the cost of responding to warrants that request access to this data.

The law also provides for the government to be able to demand technical changes to new software and systems introduced by technology companies and in particular enable the removal of “electronic protection” (i.e. encryption). The clause – and indeed the whole act – would not only be difficult to achieve technically, but also potentially puts individuals and companies’ security at risk and could also go some way to undermining the competitiveness of the UK technology industry.

The judgement also stated that public bodies cannot authorise their own access to the records collected under the auspices of the act. This has been another source of controversy. Most of the agencies, such as the police and the intelligence agencies allowed access to the data under the act seem reasonable. However there have been questions around why bodies such as the Department for Transport, the Competition and Markets Authority, the Food Standards Agency, Food Standards Scotland, the Gambling Commission or the Health and Safety Executive require this kind of access.

The case will now return to the UK court of appeal with a Home Office spokesperson stating, “[t]he government will be putting forward robust arguments to the court of appeal about the strength of our existing regime for communications data retention and access.”

The long term impact of the judgement is unclear. The ruling means that UK law – and indeed that of all EU member states – on data retention must comply with this new precedent. In the short term, this is likely to result in legal challenges. However, the fact that the UK voted to withdraw from the European Union means the long-term implications of the ruling on UK legislation is unclear, and will be for some time.

Image credit: Flickr/sprklg