The emergency surveillance law which came into force last year allows the home secretary to order companies to keep communications data, including emails, texts, phone records and communications from journalists, MPs and lawyers, for up to 12 months.
However, a judicial challenge by Labour MP Tom Watson and Conservative MP David Davis, backed by human rights campaign group Liberty, has been upheld by judges at the High Court.
Section 1 of the law does not lay down clear and precise enough rules on the use of communications data, the High Court said, and access to the data under the section is also not dependent on a prior review by a court or independent body.
Section 1 will therefore be disapplied to the "extent that it permits access to the retained data which is inconsistent with EU law", although that order will be suspended until 31 March 2016 to give the government time to pass fresh legislation, the judgment said.
The Home Office has said it will appeal against the ruling, which it says may result in police and investigators losing data that could save lives, The Guardian has reported.
James Welch, legal director for Liberty, said: "Liberty has long called for fundamental reform of our surveillance laws to ensure the public’s rights are properly respected by our government – the chorus of voices demanding change is now growing."
"Campaigners, MPs across the political spectrum, the government’s own reviewer of terrorism legislation are all calling for judicial oversight and clearer safeguards. The High Court has now added its voice, ruling key provisions of DRIPA unlawful. Now is the time for the Home Secretary to commit publicly to surveillance conducted with proper respect for privacy, democracy and the rule of law – not plough on with more of the same," he said.
The Data Retention and Investigatory Powers (DRIP) Act came into force in July 2014. It requires telecoms providers to retain information about customers' communications and to disclose that information to law enforcement agencies when asked to do so.
The Act was fast-tracked through the UK parliament to replace UK regulations on data retention that implemented an EU law which was ruled to be invalid by the EU's highest court. The Court of Justice of the EU (CJEU) ruled that the EU Data Retention Directive disproportionately infringed on privacy rights enjoyed by EU citizens.
The UK government said the DRIP Act was implemented quickly to plug potential holes in UK intelligence-gathering capabilities following the CJEU's ruling.
In January, UK Prime Minister David Cameron said that UK law enforcement agencies would be given new "comprehensive" powers to monitor communications and access data associated with those communications if he was still prime minister after this year's UK general election.