Europe’s highest court has declared that the UK’s current data retention laws are unlawful.

The Data Retention and Investigatory Powers Act (“DRIPA”) came into effect in 2014. It allows the UK Government to require telecoms providers to retain their customers’ traffic data for 12 months. UK authorities can request access to this data if “proportionate and necessary” and for a specified purpose. The specified purposes include the interests of national security, the economy, tax or public health.

Yesterday’s ruling by the EU Court of Justice makes three key points:

  1. Authorities should only be able to access retained data if strictly necessary to fight serious crime. This means that the purposes set out in DRIPA are too broad.
  2. Authorities must get approval from a judge or an independent body before they can access retained data.
  3. Retained data must be stored within the EU.

DRIPA is set to expire at the end of this year, but the ruling is significant because the new Investigatory Powers Act (which was approved last month) adopts a very similar framework.

Looking ahead, the Government will need to decide whether to amend the Investigatory Powers Act to comply with the Court of Justice's ruling. If it chooses not to, the Act is likely to be challenged in the courts. Brexit might not help the Government to avoid this challenge. The ruling also referred to similar cases brought to the European Court of Human Rights, so campaigners might also take their fight to Strasbourg if the Investigatory Powers Act isn’t changed.

The Government will also be influenced by the wider data privacy landscape. Similar concerns over surveillance led to the Court of Justice striking down the US Safe Harbor arrangement in the Schrems judgment in 2015. The ruling therefore carries broader potential post-Brexit consequences. If the Investigatory Powers Act is left unchanged, it might result in the UK being deemed not to provide equivalent protection to the EU, and pose a considerable obstacle to post-Brexit data transfers with EU member states. Given that there appears to be a political consensus around the new EU data protection regime - and the need to allow post-Brexit data transfers - it's very likely that the UK will take steps to ensure that its laws comply with the Court of Justice's latest ruling.