An appeals court in the United Kingdom ruled Tuesday that key portions of the government’s immense surveillance powers are unlawful, putting greater pressure on authorities to quickly add greater protections for citizen’s privacy and civil liberties. But privacy advocates say changes the government plans to impose will likely do little to keep the government out of citizens’ browser histories.
The ruling comes against the Data Retention and Investigatory Powers Act of 2014, or DRIPA. The “emergency” surveillance law, which passed after just one day of debate, was later incorporated into the Investigatory Powers Act of 2016 (IP Act), better known as the “Snooper’s Charter.”
Under the IP Act, the government has a full suite of authorities to access, retain, and surveil the phone and web-browsing data of citizens. The law also places legal burdens on British companies to help. But privacy advocates say it includes too few protections to allow authorities to access private data or to prevent people who aren’t suspected of committing crimes from getting caught in the dragnet.
The regime granted law enforcement the right to hack into citizens’ devices to obtain information during an investigation. All UK companies faced a legal requirement to aid hacking operations and hand over encryption keys if asked. The law also required ISPs to retain the search and browser history of all UK citizens for at least 12 months. Law enforcement agencies were permitted to freely access the data without warrants. Further, ISPs could be charged with a criminal offense if they reveal to users their data had been requested by the government.
On Tuesday, a panel of three judges ruled that DRIPA was “inconsistent with EU law” because it didn’t restrict access to user data and violated personal rights by giving police the ability to gain access to citizens’ data without authorization by courts or another independent entity. The ruling starts the clock for the UK government to roll out changes to the IP Act in anticipation of the court’s decision.
In November, the UK’s Home Office released a proposal to roll back some of the powers of the Snooper’s Charter under the assumption that the court would rule against them. The changes included restricting senior police officers’ power to self-authorize access to citizens’ personal data and creating a new governmental body, the Office for Communications Data Authorization, to review requests for communications data.
On Tuesday, a panel of three judges ruled that powers now authorized under the IP Act were “inconsistent with EU law” because, as the government anticipated in its November proposal, it didn’t restrict access to user data and violated personal rights by giving police the ability to authorize themselves, bypassing the warrant process.
MP Tom Watson and the civil rights group Liberty led the challenge against DRIPA, starting in 2014. The UK High Court also found the law illegal in 2015.
In a statement released alongside Liberty, Watson said called on the UK government to “bring forward changes to the Investigatory Powers Act to ensure that hundreds of thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data.”
For now, however, the government appears unwilling to institute greater privacy protections under the law beyond those they proposed in November, which the court found to be unlawful. Watson described those changes as inadequate.
The legality of the UK surveillance powers will soon head to the European Court of Justice, which is set to hear the case next month.