The U.K. government’s mass surveillance powers were deemed unlawful on Tuesday in a court ruling that could force changes to the country’s spy laws.

Three judges at London’s Court of Appeal found that a sweeping data retention law, which allowed authorities to access people’s phone and email records, was not subject to adequate safeguards. The court ruled that access to the private data “should be restricted to the objective of fighting serious crime.” The court also said that such data should not be turned over to authorities until after a “prior review by a court or an independent administrative body.”

The case was originally brought by the Labour Member of Parliament Tom Watson following the introduction of the 2014 Data Retention and Investigatory Powers Act. That law expired in 2016 and has since been replaced by the Investigatory Powers Act, which expanded the government’s surveillance authority further, retroactively legalizing controversial spy tactics exposed in documents leaked by Edward Snowden. Human rights group Liberty, which represented Watson in the case, said Tuesday’s ruling meant parts of the Investigatory Powers Act – dubbed the “Snoopers’ Charter” by critics – would now need to be reformed.

“Yet again a U.K. court has ruled the government’s extreme mass surveillance regime unlawful,” said Martha Spurrier, Liberty’s director, in a statement. “This judgment tells ministers in crystal clear terms that they are breaching the public’s human rights. … When will the government stop bartering with judges and start drawing up a surveillance law that upholds our democratic freedoms?”

Watson said he was “proud to have played my part in safeguarding citizens’ fundamental rights.” He called on the government to “ensure that hundreds of thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data.”

The Data Retention and Investigatory Powers Act forced telecommunications companies to store records on their customers’ emails and phone calls for 12 months. The Investigatory Powers Act broadened the data retention system by allowing the government to compel phone and internet companies to store not just email and phone records, but also logs showing the websites customers visited and the apps they used. Law enforcement agencies can then access this information without a court order or warrant for a broad range of reasons, not necessarily related to suspected criminal activity. They can obtain the data, for instance, if they judge it to be for the “purpose of protecting public health,” “in the interests of the economic well-being” of the U.K., or “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department.”

The Court of Appeal ruling is the latest in a series of blows for the U.K. government on surveillance. It partly reaffirms a December 2016 judgment in the European Union’s top court, which found that the British government’s data retention powers were “highly invasive” and exceeded “the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society.” At least three other major legal cases challenging the country’s spy powers remain ongoing.

Ben Wallace, the U.K. government’s security minister, was dismissive of Tuesday’s decision. “This judgment relates to legislation which is no longer in force and … does not change the way in which law enforcement agencies can detect and disrupt crimes,” he said in a statement. Wallace claimed that the ruling would “not undermine the [data retention] regime” because the government had already acted preemptively in November by introducing safeguards that rein in police officers’ ability to self-authorize access to people’s private data. However, the significance of the ruling is that it will ensure the changes restricting police access to the data are bound into law and cannot be rolled back in future.

Critics believe more reforms are still required. They point out that the government has as of yet failed to address legal breaches identified in the earlier December 2016 European Union court ruling. That ruling stated that to be compliant with human rights law, the government must notify people – after investigations have been completed – if their data has been accessed and must also commit to keeping people’s private data within the EU. Spurrier described the government’s existing safeguards as “window-dressing for indiscriminate surveillance of the public.”