European Union laws requiring communications providers to retain metadata are invalid because they seriously interfere with fundamental privacy rights, the Court of Justice of the EU (CJEU) ruled this morning.
The EU's Data Retention Directive requires telecommunications and internet providers to retain traffic and location data as well as related data necessary to identify the subscriber or user. This is required for the prevention, investigation, detection and prosecution of serious crime, in particular organised crime and terrorism.
However, the High Court of Ireland and the Constitutional Court of Austria doubted the validity of the directive, and asked the CJEU to investigate whether it violates the fundamental rights to respect for private life and to the protection of personal data enshrined in the Charter of Fundamental Rights of the EU, the court said.
The CJEU found the directive interferes with those rights and declared it invalid, a decision welcomed by campaigners for online privacy.
The European Commission said it will assess the court's verdict and its effects.
Member of the European Parliament Sophie in't Veld said: "It is good that the legislature gets a slap on the wrist. Now we can finally delete this unsound law," adding that future laws to combat terrorism must comply with civil rights.
European Digital Rights Group (EDRi) executive director Joe McNamee called the law an affront to the fundamental rights of European citizens and said the decision marked the end of "eight years of abuses of personal data."
And in the UK, Open Rights Group director Jim Killock said: "Blanket data collection interferes with our privacy rights. We must now see the repeal of national legislation that obliges telecoms companies to collect data about our personal phone calls, text messages, emails and internet usage."
The court said retaining such data makes it possible to know how, when and with whom service users communicate, how often they call, and where they call from. That, in turn, could provide precise information on the private lives of the persons whose data are retained, including where they live, their daily habits, and their social lives, the court said. Requiring that telecommunications operators retain the data and allow the authorities to access it interferes with the fundamental rights to respect for private life and to the protection of personal data - and, because those data are retained and used without informing the user the directive is likely to generate a feeling that people's private lives are the subject of constant surveillance, the court added.
Although the court acknowledged that retention of data can help fight serious crime and improve public security, it identified several ways in which the EU legislature had exceeded the limits of proportionality in adopting the directive.
The directive is too general, covering all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception. It also makes no requirement for review by a court or an independent body before providing access to the data. In addition, the directive imposes a retention period of at least six months without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.
The directive included insufficient protections to prevent the data from being accessed unlawfully, and did not require that the retained data be stored within the EU, as explicitly required by the Charter of Fundamental Rights, the court added.
The CJEU's ruling is binding for national courts who have to dispose of cases in accordance with the Court's decision.