Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.

The case marked an interesting challenge to the U.K.'s Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive.

Failure to do so could mean a two-year prison sentence or up to five years if the case involves national security.

The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination.

One of the suspects had been ordered not to move house without permission under a terrorism-prevention act. The man defied the order, and he and another man were arrested, according to the ruling from the England and Wales Court of Appeal Criminal Division.

Police also seized encrypted material on a disc belonging to the first man. When the second man was arrested, police saw he had partially entered an encryption key into a computer.

In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will.

"The key to the computer equipment is no different to the key to a locked drawer," the court found. "The contents of the drawer exist independently of the suspect; so does the key to it. The contents may or may not be incriminating: the key is neutral."

The right against self incrimination is not without bounds, as suspects also can't refuse to give a DNA sample if properly compelled.

RIPA, passed in 2000 by the U.K. Parliament, is intended to give police new powers to conduct covert surveillance and wiretap operations in respect to new communication technologies.

The third part of RIPA concerning the disclosure of encryption keys came into force in October 2007. It was delayed since when RIPA was approved, law enforcement wasn't seeing wide use of encryption. It was also one of the more controversial parts of RIPA, as critics said companies could be at risk if law enforcement mishandled their data.

To obtain a key, a so-called "Section 49" request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that recipients of a Section 49 request not tell anyone except their lawyer that they have received it.