A UK court has ruled today that the government’s ever-growing powers to track and monitor its population must be restrained and that the UK cannot continue to flout its international obligations to respect privacy and protect personal data. For the first time in over a decade, the British government must stem its insatiable appetite for surveillance powers.

Internet of things: the greatest mass surveillance infrastructure ever? Read more

The decision came in a challenge to the Data Retention and Investigatory Powers Act brought by MPs David Davis and Tom Watson, who are represented by the human rights organisation Liberty, and in which Privacy International and the Open Rights Group also intervened.

The decision is first and foremost a simple one – that the UK must comply with European law which, according to the European court of justice’s digital rights Ireland judgment, forbids blanket data retention measures that aren’t accompanied by a strict regime regulating access to retained data. Even this is a significant finding, a living example of deep integration of – and dialogue between – EU mechanisms and member states and of the uniquely influential role the ECJ is empowered to play in human rights matters.

The decision also encapsulates – and progresses – some of the biggest surveillance debates of modern times. This case will play a decisive role in the future of surveillance law in Britain, which, come September, will be at the top of the legislative agenda.

The most prominent of the high court’s findings, and the one in which they followed the ECJ to the letter, is that access to retained data “must be made dependent on a prior review by a court or an independent administrative body”.

The significance of this cannot be understated. Under British law, access to retained data by police and local authorities is subject to no independent review or authorisation. They simply authorise their own access to an individual’s personal information. Some internal authorisation processes exist but none rigorous enough to prevent the government abusing this power, as the numbers suggest: law enforcement and intelligence agencies access communications data around 500,000 times a year.

In his report last month, David Anderson QC recognised the need, across the UK’s surveillance authorities, to involve independent authorisation by judges, or what Anderson refers to as “judicial commissioners”. He stopped short of recommending judicial commissioners play a role in authorising access to communications data. The high court was not so cautious, declaring that independent authorisation is necessary in exactly that situation.

In dismissing the government’s complaints about the practical barriers to implementing judicial authorisation, the high court noted that such complaints were mostly related to procedural difficulties, and that implementing prior judicial approval should not be “particularly cumbersome”. It was satisfied the government could work out the details of such authorisation, including those pertaining to cases requiring “special consideration” such as those involving access to data involving communications with lawyers, MPs or journalists.

This finding represents a leap forward in privacy protection for ordinary Britons. Long have privacy advocates argued that communications metadata deserves stronger protections. Subjecting access to that data to the scrutiny of an independent judge gives metadata the protection it deserves, ensuring that each instance be judged on its necessity and proportionality. This is a step forward in keeping with the increasing value of even isolated pieces of data in an era of ubiquitous digital devices.

For the first time in over a decade, the British government must stem its insatiable appetite for surveillance powers

A second important aspect of the decision is its contribution to “the metadata debate” – whether data about communications deserves the same level of protection under law as the content of communications. The court didn’t say that interception of content is equally as intrusive as access to metadata. However, what it did say is almost as important – that the interception of one email or phone call cannot be analogised with “a general retention regime on a potentially massive scale”. For privacy advocates, this is a long-fought victory; recognition that there is something uniquely intrusive about mass surveillance, and the ability to cross-reference and analyse multiple datasets for patterns and correlations, that cannot and should not be weighed by reference to traditional notions of targeted interception.

At first glance, this decision might appear to be a relatively dry application of EU law. However, it is far more than that. It is a timely restraint on the government’s seemingly insatiable appetite and a reminder to the Home Office, already gearing up for a legislative debate on new surveillance powers in the autumn, that there are limits to what the state can do in the name of national security.

Finally, the high court’s finding is a vindication of those who were appalled at the government’s audacity in rushing such invasive powers through as emergency legislation, over a harried four-day period in July 2014. The government will be quick to contest this ruling. But it will be difficult for them to escape the criticism that they acted inappropriately in hastily ushering in blatantly noncompliant legislation that threatens privacy without, at the very least, an opportunity for public scrutiny and debate.