The Court of Justice of European Union has delivered a Christmas present of privacy to the British public - and a major blow to Theresa May.
The Court has ruled that powers that force Internet Service Providers to collect and keep records of our online activity should not be permitted in a democracy. This has massive implications for the Government’s latest snooping law, the Investigatory Powers Act, which only received royal assent this month.
Retaining information about everyone, all of the time is pretty clearly a problem for a free society. People will choose to avoid certain websites or information because of the feeling they might be watched. This is especially true in countries like Germany who have more recent experience of the surveillance state, but it is also true for many people in the UK. Many of us simply don’t want to be watched, and why should we, if we aren’t under suspicion?
The UK has had data retention since the early 2000s, first as a voluntary arrangement, and later as the result of a 2005 EU-wide law, after the UK lobbied for it. The European Court rejected data retention in 2014, saying that it interfered with our right to privacy after a challenge from both Digital Rights Ireland and from Austrian citizens.
The UK Government's response was to rush the Data Retention and Investigatory Powers Act through parliament in just a few weeks. Many were disturbed by the lack of parliamentary scrutiny. MPs Tom Watson and David Davis challenged DRIPA in the courts and won - the High Court ruled that parts of it were unlawful in 2015.
It was the Government's appeal that sent the case back to the CJEU, where the High Court asked for clarification of its ruling on the Data Retention Directive. The Prime Minister may live to regret this. Her decision to push on regardless with the Investigatory Powers Act suggests that she thought the CJEU's ruling may have been limited.
Today, the CJEU went much further than expected and ruled that the blanket collection of everyone’s communications data is not permissible.
It’s not just that our data is being collected but it is at risk of being accessed by employees from over 48 organisations and all they need to do is get internal sign off from a colleague. Now, the CJEU has ruled that authorisation must be independent, a clear no-brainer. They have also specified that only people suspected of or linked to serious crime should have their data looked at. This begs the question as to whether organisations like the Food Standards Agency and Health and Safety Executive really need the powers to see the websites we visit.
Some people will be asking if less retained data means we are less safe. This isn’t likely. Many countries do without data retention, including the USA and most of Europe. There isn’t a simple correlation between retention and crime solving. Most criminals leave more than one path to their crimes. Arguably, we will be safer, because less data about innocent people means less opportunities for that data to be hacked and abused by criminals, corrupt law enforcement or dangerous governments. Of all the threats to society, law breaking, authoritarian governments are very clearly a major threat in a number of European countries today. It’s not impossible to imagine these problems occurring in the UK.