The EU’s highest court recently ruled that the “general and indiscriminate” retention of communications and location data by governments is illegal, in a decision that casts doubt on the legality of the UK’s new Investigatory Powers Act (the Act). The Court of Justice of the European Union (CJEU) provided its ruling in response to a legal challenge originally brought by two British members of parliament concerning the legality of UK security services’ bulk surveillance of communications data. The CJEU concluded that article 15(1) of Directive 2002/58/EC and various articles of the EU Charter of Fundamental Rights limit EU Member States’ ability to harvest communications data, as well as the purposes for which such data may be collected. Specifically, access should be permitted only to fight serious crime, the data should be kept within the EU, and access should be subject to prior approval from a court or independent administrative office.

As a result of the CJEU decision, targeted retention of communications data as contemplated under the Act may be acceptable, but some of the bulk powers introduced by the Act are not, nor would the Act’s contemplated goal of sharing the information gathered with security services outside of the EU be. The UK legal challenge will return to the Court of Appeal, and the UK government has promised to put forward “robust arguments” against the CJEU’s decision. In the meantime, the provisions of the Act which have already come into force remain in effect, but it is likely that the Act will be subject to parliamentary review following the CJEU’s decision.

TIP: This decision is another reminder that as companies wait for Brexit there is confusion around UK privacy laws. We will continue to monitor these developments.