On 17 July 2015, the High Court declared the operative provision of the Data Retention and Investigatory Powers Act 2014 (“DRIPA“) to be inconsistent with EU law, in response to a judicial review claim brought by Conservative MP David Davis and Labour MP Tom Watson (R (Davis & Watson) v Secretary of State for the Home Department [2015] EWHC 2092 (Admin)).

DRIPA was introduced by the coalition government last year, following a judgment of the Court of Justice of the European Union (“CJEU“) that struck down the Data Retention Directive 2006/24/EC (the “Directive“), which had been implemented in the UK by the Data Retention (EC Directive) Regulations 2009 (the “2009 Regulations“). Following that judgment, some telecommunications service providers expressed the view that there was no longer any legal basis for them to retain communications data and indicated that they would start to delete data that had been retained under the 2009 Regulations.

The coalition government considered that this development threatened the ability of UK law enforcement and intelligence agencies to use communications data to investigate criminal activity. It therefore rushed DRIPA through Parliament in an emergency three day fast-track process.

DRIPA gave the defendant Secretary of State powers to issue retention notices to telecommunications service providers requiring them to retain communications data for up to a year. “Communications data” as defined by DRIPA did not include the content of the communication but did include the time and duration of a communication, the telephone number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. The claimants applied for judicial review, contending that s.1 of DRIPA was invalid under EU law as it was not accompanied by an access regime which had sufficiently stringent safeguards to protect citizens’ rights under the Charter.

The High Court (Bean LJ and Collins J) ruled that s. 1 of DRIPA, which was the operative provision, was incompatible with Article 7 (Respect for private and family life) and Article 8 (Protection of personal data) of the Charter of Fundamental Rights of the European Union (“the Charter“).  The Court granted the application on the basis that “decisions of the CJEU as to what EU law is are binding on the legislatures and courts of all Member States.” In response to the Defendant’s attempts to rely on the jurisprudence of the European Court of Human rights, the Court said that, in this case, the “subtleties of the relationship between UK domestic courts and the European Court of Human Rights” did not arise. The CJEU had, in its Digital Rights Ireland decision, deemed the Directive to be in breach of Articles 7 and 8 of the Charter. It followed that an “identically worded domestic statute would have been found to have exceeded the same limits.” The Court deemed a reference to the CJEU unnecessary given that the Digital Rights Ireland decision was clear and national courts could act in light of that decision.

In order to be lawful, DRIPA would have to be accompanied by an access regime which provided adequate safeguards for the rights protected by Articles 7 and 8 of the Charter. The Court held that the points made by the CJEU in Digital Rights Ireland were made with such emphasis that they were to be understood as “having laid down mandatory requirements of EU law“:

  1. the protection of the right to respect for private life required that derogations and limitations in relation to the protection of personal data had to apply only in so far as was strictly necessary. DRIPA therefore had to lay down clear and precise rules governing its scope and impose minimum safeguards to give effective protection against the risk of abuse and unlawful use of data;
  2. any legislation establishing a general retention regime for personal data had to be  restricted to the purpose of preventing, detecting and prosecuting precisely defined serious offences; and
  3. access to the data retained had to be made dependent on a prior review by a court or an independent administrative body whose decision sought to limit access to the data and its use to what was strictly necessary for the purpose of attaining the objective pursued, and which intervened following a reasoned request of those authorities. The Court dismissed the argument that a requirement of judicial approval prior to the access of data would be unnecessarily bureaucratic or cumbersome.

The Court made an Order “disapplying s.1 of DRIPA to the extent that it permits access to retained data which is inconsistent with EU law” but suspended that Order until 31 March 2016, to allow Parliament reasonable opportunity to legislate for proper safeguards. Given the plain public importance of the case, the Secretary of State was granted permission to appeal. Indeed, the government has confirmed that it intends to appeal the judgment.