The European Court of Justice (ECJ) has ruled against a European Union directive which mandates that telecom operators must retain all their customers' communications data for up to two years.
"The Court of Justice declares the Data Retention Directive to be invalid," it said in a statement today.
Europe's data retention directive telecoms was introduced in 2006 following the Madrid bombings two years earlier, intended as a measure to help authorities combat serious crime and terrorism.
Under the directive, operators are expected to store traffic, location and subscriber data for between six months and two years. Authorities can then access that information in order to identify who contacted whom and when, without knowing the contents of the communication in question.
According to the court: "By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."
Courts in Austria and the High Court of Ireland had asked the ECJ to examine whether the directive was consistent with the Europe's Charter of Fundamental Rights, which is meant to guarantee a respect for private life and the protection of personal data.
While the ruling is a major win for opponents of the directive, it doesn't mean its end in countries that had passed national legislation enacting it. The national courts will now need to resolve local disputes in accordance with the ECJ's ruling.
Online rights advocate Digital Rights Ireland brought a case regarding the directive against Irish authorities in 2006. Its chairman TJ McIntyre said: "This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ's judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society."
According to the court, the directive "exceeded the limits imposed by compliance with the principle of proportionality" and didn't ensure the interference it caused with the two fundamental rights was limited to what was "strictly necessary".
The ECJ found several problems with the directive — including the fact that it involved a blanket storage requirement without any exception or limitation for the seriousness of the crime, and that authorities could access the data without court review so long as it was "serious crime" under each nation's law.
The directive also lacked requirements for operators to protect the data against the risk of abuse and that it didn’t require data be retained within the EU, the court said.