The Investigatory Powers Tribunal (IBT) has ruled that a case brought against the UK's spy agencies over the legality of mass surveillance should be elevated to the European Court of Justice (ECJ).
The decision means that the ECJ will have the final say as to whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal.
Privacy International, the UK-based privacy and online rights charity, first brought a case against MI5, GCHQ and MI6 in 2014 in an attempt to strike down the ability for agencies to use blanket hacking warrants, a key element of the Investigatory Powers Bill.
The group previously argued that the collection of bulk communications data (BCD) had no basis in UK law, and that spy agencies had breached articles eight and 10 of the European Convention on Human Rights (ECHR), which guarantee the rights to privacy and free speech.
Since then, numerous cases have been heard relating to the legality of mass surveillance, which often includes the collection of personal web histories and mobile communications.
Privacy International lawyers argued last week that UK citizens were subject to some of the most wide-reaching surveillance, and that the right to privacy, guaranteed by the constitution, should limit the powers of security agencies.
Friday's decision, in a battle that has seen rulings in favour of both sides of the argument, will see the case referred to the ECJ, stating that "both parties either agreed or saw the necessity for a reference to the Grand Chamber, and the need for it is, we suggest, obvious from this judgment".
Part of the court's responsibility will be to consider a case brought against the agencies in December 2016 by Labour MP Tom Watson.
The subsequent ruling by the ECJ said that powers afforded by the Data Retention and Investigatory Powers Act, the previous UK law governing the collection of data, were unlawful. It also added that data collected in bulk should only be accessible for the purposes of detecting and preventing serious crime.
The IBT also ruled in October 2016 that GCHQ, MI5 and MI6, through the use of BCD, had breached UK privacy laws and illegally collected data between 1998 and 2015 - this only applied during that period, however, prior to the agencies publicly announcing the tactic.
However, Friday's ruling did acknowledge the importance of surveillance for UK spy agencies, adding that BCD was "essential to the protection of the national security of the United Kingdom". It also said that applying the Watson decision to UK law "would effectively cripple the security and intelligence agencies' bulk data capabilities".
"We welcome the tribunal's recognition that collecting bulk personal data and communications data are vital national security capabilities," said a government spokesperson, speaking to the Guardian. "As litigation is ongoing, it would not be appropriate to comment further."
The case will now decide whether EU laws apply, particularly the Charter of Fundamental Rights of the European Union, which enshrines political and social rights into EU legislation. However, the tribunal decided not to expedite the case, and it is therefore likely that it will be several years before a decision is made by the ECJ, beyond the date set for the UK to leave the European Union.
Bigger salaries, more burnout: Is the CISO role in crisis?
Cheap cyber crime kits can be bought on the dark web for less than $25
UK businesses patchy at complying with data privacy rules
Data privacy professionals are severely underfunded – and it’s only going to get worse
Four years on, how's UK GDPR holding up?
Multicloud data protection and recovery
Intelligent data security and management
How to extend zero trust to your cloud workloads
The threat prevention buyer's guide
Top data security trends
