Mass surveillance has come under scrutiny once again, now that the UK Court of Appeal has asked the Court of Justice of the European Union (CJEU) to clarify whether it intended to “lay down mandatory requirements of EU law with which the national legislation of member states must comply,” following its decision last year that the EU’s Data Retention Directive was unlawful. In April of last year, the CJEU, in the Digital Rights Ireland case, declared the Data Retention Directive invalid because it disproportionately infringed individuals’ privacy rights. For more information on this decision, please see our previous post here.

In July of last year, the UK government enacted the Data Retention and Investigatory Powers Act (DRIPA) as temporary replacement legislation. DRIPA broadly requires Internet and telephone providers to keep communications data for a year and to disclose that information to law enforcement agencies when requested.

However, Conservative Parliament member David Davis and Labour Parliament member Tom Watson opposed the new legislation and launched a judicial review. They argued that the faults with the Data Retention Directive had been repeated in DRIPA because it allows police and security services to spy on citizens without sufficient privacy safeguards.

In July of this year, the High Court ruled that DRIPA was “inconsistent with European Union law” because sections 1 and 2 breached the public’s rights to protect personal data and to respect private life and communications under the EU Charter of Fundamental Rights. The High Court ordered that section 1 be disapplied, but suspended that order until March 31, 2016, to give the UK government and Parliament time to enact new legislation. Since this ruling, the UK government has drafted a new Investigatory Powers Bill, which is intended to become law by the end of 2016 to coincide with the expiry of DRIPA.

Home Secretary Theresa May subsequently appealed the High Court’s ruling and highlighted the importance of the power to retain communications data in the fight against crime. The Court of Appeal took a different approach to the High Court decision stating that, in its provisional view, the Digital Rights Ireland case “does not lay down mandatory requirements of EU law with which national legislation must comply,” at least where national access rules were concerned, and were “simply too general” to be seen as mandatory requirements of national data retention laws.  However, in light of the fact that six member states (Austria, Slovenia, Belgium, Romania, Holland and Slovakia) have already applied the Digital Rights Ireland judgment and invalidated national data retention legislation, it has asked the CJEU to clarify certain points from its decision last year.

It’s not uncommon for cases referred to the CJEU to take some time to conclude, but the Court of Appeal asked the CJEU to “look favourably on a request from this court for the expedition of a reference.” Even with the expedition that has been sought, it is questionable whether the CJEU will make a decision before the scheduled enactment of the Investigatory Powers Bill, later in 2016.

While we await the outcome of the CJEU hearing, Internet and telephone providers should continue to comply with the provisions of DRIPA (at least until the end of March 2016), and other companies should monitor national developments in the individual member states in which they operate.