Stop-gap legislation that allowed the British government to continue ordering telecom and Internet companies to retain communications data for 12 months is unlawful, the UK's high court ruled on Friday.
The ruling sets an example for other European Union countries looking to introduce new data retention laws following a European court ruling last year.
Many EU member states scrapped laws based on the EU Data Retention Directive demanding the storage of telecom and Internet metadata after an April 2014 ruling from the Court of Justice of the European Union (CJEU) found that the directive violated fundamental privacy rights. Since then, though, many governments have moved to introduce new data retention laws that would provide law enforcers with continued access to communications data without, they say, violating fundamental rights.
Following the CJEU ruling, the UK government rushed through a new data retention law, the Data Retention and Investigatory Powers Act 2014 (DRIPA), through Parliament.
Two members of Parliament, David Davis and Tom Watson, called for a judicial review of DRIPA, saying it is incompatible with the European Convention on Human Rights and the EU Charter of Fundamental Rights, which cover fundamental privacy rights.
On Friday, the UK High Court ruled that Section 1 of DRIPA would not apply after March 31, 2016, effectively giving the government nine months to come up with a new data retention law. The act does not ensure that access to and use of retained data is restricted to the prevention and detection of precisely defined serious offences, nor does it require a court or to grant such access or use, the ruling said.
Conservative MP Davis welcomed the ruling: "The court has recognised what was clear to many last year, that the Government's hasty and ill-thought through legislation is fatally flawed. They will now have to rewrite the law to require judicial or independent approval before accessing innocent people's data."
Labour's Watson said any new law should provide independent oversight of the Government's data-collection powers.
Other EU countries, while less hasty than the UK, are also keen to reintroduce data retention laws. For example, in Germany the government unveiled plans in May for a law that would oblige providers to store call and Internet traffic metadata for up to 10 weeks, while location data would have to be stored for four weeks. Germany hasn't had a data retention law since the German Federal Constitutional Court ruled the previous law unconstitutional in 2010. In the Netherlands, where the national data retention law was scrapped by a court in March, the government is looking to introduce a new one as soon as possible.
Reacting to the UK ruling, Member of the European Parliament Jan Philipp Albrecht wondered how many high courts in the EU will have to judge data retention unlawful before the European Commission and EU countries start enforcing the CJEU ruling.
The UK government plans to appeal the ruling. Security Minister John Hayes warned that, without a data retention law, communications data that could potentially save lives would only be available to the police and other law enforcement if a communications company had decided to retain it for commercial reasons.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to [email protected]