Just as we’d resigned ourselves to the fact that the best 2016 was going to offer by the way of cheer was a new Star Wars film, and the prospect of a few mince pies and a tonne of mulled wine, Europe’s top court has given us a very welcome early Christmas present.

For anybody with an interest in protecting democracy, privacy, freedom of expression, a free press and the safety and cybersecurity of everybody in the UK, Wednesday’s EU court of justice judgment is cause for celebration.

In a landmark ruling – its first major post-referendum judgment involving the UK – the court ruled that our government is breaking the law by collecting all our internet and phone call records, then opening them up freely to hundreds of organisations and agencies.

This was a challenge brought by Labour deputy leader Tom Watson (and initially Brexit minister David Davis), and represented by Liberty, to the Data Retention and Investigatory Powers Act (Dripa) – a temporary “emergency” law covering state surveillance, rushed on to the statute books in a matter of days in 2014.

If police wanted to root through your bedroom drawers, you’d expect them to have a warrant and a bloody good reason

It makes communications companies store records of all our emails, texts, phone calls and internet correspondence. This treasure trove of private information can then be accessed by a huge number of organisations and government agencies – from police forces to HMRC – and of course by hostile powers and terrorist hackers too.

If police wanted to root through your bedroom drawers, you’d expect them to have a warrant and a bloody good reason. But if they want to dip into this deeply sensitive personal data, they have a year’s supply of information sat waiting and can grant themselves permission. No need for sign-off from a judge. No need to suspect someone of a crime.

We argued that this breached British people’s rights – and on Wednesday the judges agreed. They said this national data hoard lets the state draw “very precise conclusions” about people’s private lives – including “everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them […] information that is no less sensitive, having regard to the right to privacy, than the actual content of communications”.

The judges also said it’s not right to gather data on innocent people – that instead it must only be harvested where there is suspicion of serious crime. And they said if someone is spied on, they have a right to know about it afterwards so that they can challenge it if it was wrong, and so we all know the true scale of the state’s surveillance regime.

These are simple, vital safeguards to introduce fairness, accountability and transparency into an otherwise shady world.

Dripa expires on 31 December. So why does any of this matter? Because a new law – the Investigatory Powers Act – has been passed to replace it. Think of it as the Death Star of surveillance laws – huge, impenetrable, and capable of doing massive damage.

It replicates all the same powers found unlawful yesterday – but it goes much further. It forces service providers to generate and store records of all our internet histories. Every site we visit, every app we open, every piece of software we download.

What do your internet searches give away, when you think about it, that might be dangerous in the wrong person’s hands? Your religion? Sexual interests? Health concerns? Political views?

As with Dripa, this can then be accessed by hundreds of public bodies – everyone from the Department for Work and Pensions to the Gambling Commission. No need for a judge to authorise access. No need for suspicion of crime.

After yesterday’s ruling, the unlawfulness of these new powers is beyond question too.

They’re also a major threat to our cybersecurity. These records are stored in vast databases which – at a time when companies and governments are under increasingly debilitating attacks from hackers – create goldmines for criminals and foreign spies. And it’s set to cost an estimated £170m.

But there’s more. Under the Investigatory Powers Act, the state has the ability to indiscriminately hack phones and computers, intercept our communications and build and acquire huge databases containing sensitive information on millions of people – which could include everything from your Oyster card logs to Facebook back-ups.

The government has announced it will try to fight the EU court’s ruling. Instead of wasting public money battling unwinnable cases, we urge it to swallow its pride, shoulder the responsibility of being democratic leaders and amend the act to create a targeted surveillance system – not one that sweeps up everyone’s private lives and swamps our spies with too much data.

The British state has used fear, spin and the guise of counter-terrorism to sneak through totalitarian-style surveillance laws. But our message to the government is clear: the jig is up. Since the Investigatory Powers Act passed, more than 200,000 people have signed a petition calling for its repeal – and if the government doesn’t act, Liberty will see them in court.

There’s reason to hope in 2017. This is a big victory, and it will be the first of many. And we all know what happened to the Death Star in the end.