The European Union’s top court struck down rules requiring Internet and phone companies to store swathes of customer data, saying they trample on citizens’ right to privacy.
The EU’s data-retention law “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” the European Court of Justice in Luxembourg said in a statement after a ruling today.
The criticism of the EU’s own rules adds to pressure on lawmakers to deliver tougher data protection measures following revelations that U.S. spies snooped on conversations of EU leaders. Those leaks caused a transatlantic spat and a clamor for agreements to halt eavesdropping exposed by former NSA contractor Edward Snowden.
“The court has rejected the principle of mass surveillance of EU citizens without suspicion and says it’s incompatible with the charter of fundamental rights,” said Simon McGarr, a Dublin-based lawyer for Digital Rights Ireland, an Irish campaign group that took the case. “It’s a whole new court if it’s going to start making decisions like this.”
While the EU is justified in requiring collection of data to combat crime, it hasn’t set enough limits to make sure that only information that is strictly necessary is stored, the court said.
The 2006 EU law, drafted in the wake of terrorist attacks in London and Madrid, orders phone and Internet providers to store details of connections on their networks in case they are needed by law enforcement authorities. They must keep the information for at least six months and delete it after two years.
The judgment won’t lead to a blanket ban on data storage, the European Union said in a statement. Instead, nations may need to scale back rules to take into account the court’s criticism, it said.
The ruling “confirms the critical conclusions” of a 2011 report that said some of the law’s provisions were disproportionate, said EU Home Affairs Commissioner Cecilia Malmstroem.
EU governments and lawmakers had been set to agree on new data-protection proposals that could empower regulators to fine companies as much as 100 million euros ($138 million) before talks stalled over U.K. demands for more time to analyze any impact on business.
Phone companies will seek clarification on “what implications this ruling will have,” said Luigi Gambardella, the chairman of the European Telecommunications Network Operators’ Association, a group that includes Deutsche Telekom AG and Orange SA. Companies already face different rules across the EU on how to store and distribute data.
Law enforcement authorities are increasingly seeking access to the data held by telecoms operators, the EU said. Some 2.66 million such requests were made in 2012, it said. Most EU countries insist that the data is only handed over to authorities by order of a judge.
Internet service providers and telecoms companies in the EU “must be cautious” as a result of today’s ruling because “there may indeed be a risk that retaining large volumes of traffic data for a long time” would violate rules on data protection and privacy, said Tom De Cordier, a lawyer at Allen & Overy in Brussels. Some countries may have rules that don’t breach fundamental rights and could still be enforced, he said.
Today’s ruling was triggered by challenges by Digital Rights Ireland and an Austrian man who took cases to the Irish and Austrian courts claiming that authorities exceed their powers.
The cases are: C-293/12 Digital Rights Ireland and C-594/12 Seitlinger