Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

EU court asked to rule in case concerning legitimacy of UK data retention laws

The EU's highest court has been asked to rule on whether EU countries are bound by a judgment it issued last year when drawing up their own national laws on data retention.23 Nov 2015

The Court of Appeal in London has asked the Court of Justice of the EU (CJEU) whether it intended to "lay down mandatory requirements of EU law with which the national legislation of member states must comply" when it ruled that the EU's Data Retention Directive was unlawful.

In its April 2014 judgment, the CJEU made a number of criticisms of the Directive which led it to rule that the legislation disproportionately infringed on individuals' privacy rights.

Its criticisms of the Directive included that the legislation failed to set out sufficient controls and safeguards to limit law enforcement agencies' access to communications data, and did not impose stiff enough data security obligations. It also said the Directive gave EU countries too much freedom to set lengthy data retention periods and criticised it for allowing telecoms companies subject to the Directive to store communications data outside of the EU, among other things.

The UK government drew up new stop-gap national data retention laws to replace existing rules which were deemed invalid in light of the CJEU's ruling. The The Data Retention and Investigatory Powers Act (DRIPA) came into force in July 2014 and broadly requires telecoms providers to retain information about customers' communications and to disclose that information to law enforcement agencies when asked to do so.

However, a legal challenge against DRIPA, fronted by two UK MPs, was launched shortly after the new legislation coming into force. Conservative MP David Davis and Labour MP Tom Watson, backed by human rights campaign group Liberty, raised concern that the faults raised with the Data Retention Directive had been repeated in DRIPA and questioned whether the Act respected people's privacy rights.

In July this year the High Court in London ruled that DRIPA was inconsistent with EU law and ordered that section 1 of the Act be "disapplied". Section 1 of the Act does not lay down clear and precise enough rules on the use of communications data, the High Court said. It also took issues with the fact that access to the data, provided for under section 1, is also not dependent on a prior review by a court or independent body.

The order that section 1 of the Act be disapplied was suspended until 31 March 2016 to give the government time to pass fresh legislation.

Since the July ruling the UK government has laid out plans for an overhaul of surveillance laws. It intends for its draft new Investigatory Powers Bill to be in force by the end of 2016. That timing would coincide with the expiry of DRIPA, owing to the fact a sunset clause is inserted into the Act. However, the UK government has simultaneously pursued an appeal against the High Court's judgment on DRIPA before the Court of Appeal.

In a ruling issued on Friday last week, the Court of Appeal said it doubts if he CJEU intended its comments on the failings of the Data Retention Directive to be read as mandatory EU law requirements for national data retention laws.

The Court of Appeal said that some of the "critical observations of the CJEU" were "simply too general" to be seen as mandatory requirements of national data retention laws. However, the UK judges have asked the CJEU to clarify the point.

The Court of Appeal also considered the extent of protections given to personal data under both EU law and the European Convention on Human Rights (ECHR). The protections are "more specific" under EU law than under the Convention, the UK judges said, but they asked the CJEU to clarify whether it intended to "go beyond the case law" of the European Court on Human Rights, which interprets the ECHR when settling disputes, to "lay down more stringent requirements for the protection of personal data than those established in the ECHR jurisprudence".