The European Union’s top court ruled Wednesday (21 December) against the bulk retention of emails and other electronic data by EU member states, such as that under new British legislation.
The European Court of Justice said EU law does however allow member states to retain data in targeted and supervised ways to fight serious crime.
“The members states may not impose a general obligation to retain data on providers of electronic communications services,” the court said in a statement.
“EU law precludes a general and indiscriminate retention of traffic data and location data,” it added.
It said member states could allow, as a preventive measure, “targeted retention of that data solely for the purpose of fighting serious crime.”
But it said such retention must be “limited to what is strictly necessary” regarding categories of data, means of communication, the people concerned and the duration of retention.
In the wake of the attack on Charlie Hebdo, calls for more intensive data surveillance to fight terror are gaining strength. But in France, data retention was neither able to prevent nor illuminate the attacks. EurActiv Germany reports.
The decision could spell trouble for British legislation granting new bulk surveillance powers for police and intelligence services that critics have denounced as the most far-reaching of any western democracy.
The Investigatory Powers Act would, among other measures, require websites to keep customers’ browsing history for up to a year and allow law enforcement agencies to access them to help with investigations.
Edward Snowden, the former US National Security Agency contractor turned whistleblower, said the powers “went further than many autocracies”.
Critics have dubbed it a “snooper’s charter” and say that, in authorising the blanket retention and access by authorities of records of emails, calls, texts and web activity, it breaches fundamental rights of privacy.
The EU directive imposing data retention obligations on electronic communications services, such as telecoms operators or Internet access providers, is no longer valid, said the European Court of Justice in a landmark ruling.
The British government was quick to react to the decision by the court in Luxembourg.
“We are disappointed with the judgment from the European Court of Justice and will be considering its potential implications,” said a Home Office spokesman.
“It will now be for the Court of Appeal to determine the case. The Government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access.”
“Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public.”
EU negotiators wrapped up talks on a major data protection reform last night (15 December) that will tighten privacy laws and determine how companies handle consumers’ personal data.
- Court of Justice of the European Union: The Member States may not impose a general obligation to retain data on providers of electronic communications services (21 Dec. 2016)