The European Court of Justice has struck down an EU-wide law on how private data can be collected and stored, judging it too invasive – despite its usefulness in combating organised crime and terrorism.
By allowing EU governments to access the data, “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”, the court said on Tuesday.
The decision to scupper the Data Retention Directive, which was issued in 2006, comes as Europe weighs concerns over electronic snooping in the wake of revelations about systematic US snooping of email and telephone communications.
The directive called for the European Union’s 28 member states to store individuals’ internet, mobile telephone and text metadata – the time, date, duration and destination, but not the content of the communications themselves – for six months to two years, with national intelligence and police agencies having access.
The Luxembourg-based European Court of Justice, examining Austrian and Irish cases, declared the law invalid because it conflicted with the basic rights to privacy and expectation of personal data being protected.
While it noted the genuine interest of the law in fighting serious crime, the court found the law “exceeded the limits imposed by compliance with the principle of proportionality”.
The law should be more restrictive both in terms of what data are captured and authorities’ access to them to ensure that “interference is actually limited to what is strictly necessary”, the court said.
There was also insufficient oversight to prevent abuse and ensure the data’s destruction at the end of the retention period, and the law failed to stipulate that the data must be retained in the EU, it said.
The court’s decision reinforced a general European stance strongly upholding individuals’ rights to privacy, contrasting with a US position that often supports more invasive policies in the interests of public security.