Europe’s top court on Tuesday struck down an EU law forcing telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.
By allowing EU governments to access the data, “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” the European Court of Justice (ECJ) said.
Advocate General Pedro Cruz Villalon declared the legislation illegal and told the European Union’s 28 member states to take the necessary steps to withdraw it.
The decision to scupper the 2006 Data Retention Directive comes as Europe weighs concerns over electronic snooping in the wake of revelations about systematic US surveillance of email and telephone communications.
The revelation that US agencies collected data on millions of European citizens — and even tapped the phone of German Chancellor Angela Merkel — sparked a wave of controversy and prompted lawmakers on both sides of the Atlantic to rethink their data surveillance laws.
Last month President Barack Obama put forward a long-awaited plan to end Washington’s bulk collection of telephone records, although critics said the measures should be extended beyond just phone records.
The court’s decision reinforced a general European stance strongly upholding individuals’ rights to privacy, contrasting with a US position that often supports more invasive policies in the interests of public security.
The 2006 directive called for EU states to store individuals’ Internet, mobile telephone and text metadata — the time, date, duration and destination, but not the content of the communications themselves — for six months to two years.
This data could then be accessed by national intelligence and police agencies.
But the Luxembourg-based ECJ, examining Austrian and Irish cases, declared the law invalid because it conflicted with the basic rights to privacy and to the protection of personal data.
The court found it “exceeded the limits imposed by compliance with the principle of proportionality”.
The law should be more restrictive, both in terms of what data are captured and authorities’ access to them to ensure that “interference is actually limited to what is strictly necessary,” the court said.
While it noted the law was useful in fighting serious crime, it ruled there was insufficient oversight to prevent abuse and ensure the data’s destruction at the end of the retention period.
In particular, it said the law’s failure to stipulate that the data must be retained in the EU in order to guarantee it would not be used for illicit purposes was dangerous.
Cecilia Malmstrom, the EU’s commissioner for home affairs who has been working to reform the directive, said Brussels would carefully assess the verdict and respond adequately to the problems raised.
“Welcome clarity brought by the Court of Justice on the Data Retention Directive, in line with the Commission’s critical evaluation report,” she said on Twitter.