This is getting interesting.
The European Union’s highest court on Tuesday struck down the bloc’s data-retention law, dealing a blow to law-enforcement authorities that claim they need easy access to telecommunications data to fight organized crime and terrorism.
The ruling by the European Court of Justice also creates uncertainty for telecom providers in the EU, who have been collecting and storing user data since the 2006 law was enacted.
The court said the data-retention directive violates EU citizens’ “fundamental rights to respect for private life and to the protection of personal data,” because it doesn’t sufficiently limit the instances in which authorities can access the collected information.
The EU adopted the data-retention directive in 2006, in the aftermath of deadly terrorist attacks in Madrid and London. It requires telecom providers in the 28-country bloc to hold on to data about their users’ traffic and location for as long as two years, although it left a lot of leeway to member states when they implemented the directive into national legislation.
Tuesday’s ruling said the law gave disproportionate weight to law-enforcement concerns and not enough to citizens’ privacy.
“The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance,” the court said in a written statement.
Data-privacy advocates celebrated the ruling. “After eight years, this affront to the fundamental rights of European citizens has finally been declared illegal,” said Joe McNamee, executive director of European Digital Rights, one of whose members initiated the challenge to the data-retention law.
Because most of the 28 EU states have enacted their own national legislation, telecom providers in those countries will have to continue storing data according to those laws, said an official at the European Commission, the EU’s executive body. But the EU court ruling opens the door to legal challenges against data collection in national courts, the official said.
Christopher Kuner, a partner at law firm Wilson Sonsini Goodrich & Rosati in Brussels, said that Tuesday’s ruling puts pressure on EU legislators to adopt a new version of the data-retention law.
“The question is what happens in the meantime. What happens with the data that has already been collected and ongoing requests” for access from national authorities, he said.
The court said that although, in general, collecting and holding personal data to fight crime was in line with EU law, the current legislation was too broad. It didn’t set sufficient limits for what data should be retained, for how long and when it could be accessed by law-enforcement authorities, the judges said.
They also said that data has to be stored within the EU to ensure it is sufficiently protected.
The data collected, “taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented,” the court said.
European Commission spokesman Michele Cercone said the commission will now study the ruling in detail to see what further legislative action is needed.
Etno, the biggest telecom lobby group in the EU, said it was looking forward to discussing the implications of the ruling with European legislators.
“Etno members have…raised the shortcomings of a generalized data retention obligation, even before the adoption of the directive,” Chairman Luigi Gambardella said in a written statement. “Such a broad obligation needs to be proportionate and strictly necessary in a democratic society for the protection of legitimate aims.”
