Legal: Europe’s top court has ruled that the EU’s 2006 electronic surveillance rules breach the European Charter of Fundamental Rights.
European rules requiring telecommunications firms to keep user data for up to two years are illegal, the EU’s top court has said, a decision that will force the European Commission and EU member states to re-visit their privacy laws.
The 2006 “Data Retention Directive” was written following terror attacks in Spain, the UK and US.
It required communications carriers to “retain traffic and location data as well as related data necessary to identify the subscriber or user” for between six and 24 months, although “it does not permit the retention of the content of the communication or of information consulted”, according to court documents.
Challenges to the law were filed in Austrian and Irish courts, arguing the rules violated the EU Charter of Fundamental Rights. In 2012 Austria’s Constitutional Court and Ireland’s High Court asked the European Court of Justice in Kirchberg if the directive breached “the fundamental right to respect for private life and the fundamental right to the protection of personal data”.
On Tuesday, the ECJ said that indeed the rules did.
“Particularly serious manner”
The judges stated that “by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for” both sets of protections.
Among other objections, the ECJ said the directive: applied “in a generalised manner [to] all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception”; included no clear criteria on when national authorities could access the telecommunications data, nor on precisely how long companies should store the user information; and did not require data to remain within the EU, another requirement of the charter.
Following the decision, TJ McIntyre, chairman of Digital Rights Ireland, which brought the Irish case, said in a statement that: “This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ’s judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society.”
European justice commissioner Viviane Reding of Luxembourg wrote on her Twitter feed: “#EU citizens+ #EU Charter of Fundamental Rights win. Guaranteeing security+ respecting #dataProtection must go hand in hand. #dataRetention.”
Reviews launched across Europe
“The court’s ruling applies retroactively to the day the directive entered into force,” law firm Hunton & Williams said on its privacy blog, meaning 2006.
The European Commission, European Parliament and European Council will now have to re-draft EU electronic surveillance legislation, as will potentially several European national governments, a process that could take several years.
“In order to determine the validity of our legislation with the requirements of the ECJ, a detailed examination of the judgement and its impact on our national legislation is currently in progress, involving all stakeholders in the topic,” Luxembourg’s justice ministry said in a statement on Tuesday.
A spokesperson for Britain’s Home Office told the Guardian newspaper: “We are considering the judgment and its implications carefully.”
“The European Commission will now carefully asses the verdict and its impacts,” European home affairs commissioner Cecilia Malmström said in a statement.
The ECJ cases were C-293/12 and C-594/12 (Digital Rights Ireland and Seitlinger and Others).