Emergency surveillance legislation rushed through Parliament last year was ruled unlawful by the High Court this morning.
Parts of the Data Retention and Investigatory Powers Act (DRIPA) are not compatible with EU rights on privacy and the protection of personal data, the court ruled.
It marks a victory for privacy campaigners and MPs Tom Watson and David Davis, who brought the case to court seeking the judicial review with human rights organisation Liberty after DRIPA was introduced by the coalition government in 2014.
The MPs argued the legislation was ill-thought out and pointed out MPs had just one day to discuss it before it was rushed through with Royal Assent a year ago today.
DRIPA forces communications companies to record and keep user data for one year, covering correspondence including emails, calls and texts.
Public bodies like spy agency GCHQ, but also councils, can authorise their own access to this data, with human rights group Liberty claiming half a million access requests were granted last year.
However, the High Court today found that DRIPA fails to provide clear and precise rules ensuring data can only be accessed to prevent and detect serious offences.
It also found that courts or an independent body should decide on any data access requests.
The ruling stated: "The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome."
DRIPA will remain in force until the end of March 2016, at which time it will be scrapped and the government forced to introduce revised laws.
MP David Davis said: "The court has recognised what was clear to many last year, that the government's hasty and ill-thought through legislation is fatally flawed. They will now have to rewrite the law to require judicial or independent approval before accessing innocent people's data."
Watson added: "There must be independent oversight of the Government's data-collection powers and there must be a proper framework and rules on the use and access of citizens' communications data."
The news comes as Home Secretary Theresa May plans to revive the Snooper's Charter, a permanent piece of legislation to compel ISPs and web firms to hold meta data on customers for at least a year.
The Investigatory Powers Bill, dubbed Snooper's Charter, blocked by the Liberal Democrats during the coalition, to bolster security services' abilities to intercept information.
But following the decision on DRIPA, Liberty's legal director, James Welch, said May must now commit to surveillance that respects privacy and democracy.
The Open Rights Group, which also worked on the judicial review, added its weight behind this argument, saying the High Court ruling means the Investigatory Powers Bill (the new Snooper's Charter bill) must respect human rights.
Executive director Jim Killock said: "Now that the High Court has agreed that DRIPA does not comply with EU law, we hope that the Government will listen to these concerns.
"In autumn, the Government will present the Investigatory Powers Bill to parliament. This should not be, as rumoured, an attempt by the Home Secretary to re-introduce the Snoopers' Charter, but an opportunity to introduce an effective surveillance law that is compatible with human rights."
The Home Office told IT Pro the government will appeal against the review's findings.
Security Minister John Hayes said: "We disagree absolutely with this judgment and will seek an appeal.
"Communications data is not just crucial in the investigation of serious crime. It is also a fundamental part of investigating other crimes which still have a severe impact, such as stalking and harassment, as well as locating missing people, including vulnerable people who have threatened to commit suicide.
"The effect of this judgment would be that in certain cases, communications data that could potentially save lives would only be available to the police and other law enforcement if a communications company had decided to retain it for commercial reasons. We believe that is wrong."
AI layoffs could spark a new wave of offshoring
Hackers are using these malicious npm packages to target developers Windows, macOS, and Linux systems
Data (Use and Access) Act comes into force
UK businesses patchy at complying with data privacy rules
Data privacy professionals are severely underfunded – and it’s only going to get worse
Four years on, how's UK GDPR holding up?
Multicloud data protection and recovery
Intelligent data security and management
How to extend zero trust to your cloud workloads
The threat prevention buyer's guide
