EU Court Rejects Data Surveillance Law
The EU court in Luxembourg has declared "invalid" a law that required telecoms firms to store citizens' communications data for up to two years.
The court said tha the "Data Retention Directive" constitutes a "particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data" in Europe.
It also said Europeans are likely to feel "their private lives are the subject of constant surveillance" if the bill is left intact.
"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the court in Luxembourg ruled.
The Data Retention Directive was adopted in the aftermath of the terroristic attacks in Madrid in 2004 and London in 2005 as there was a sense of urgency to harmonize the European efforts to investigate and prosecute the most serious crimes.
The Directive requires European member states to ensure that telecommunication operators retain traffic and location data generated or processed by service and network providers for the purpose of investigation, detection and prosecution of serious crimes, as defined by national law. The data must be retained for a minimum of six months to a maximum of two years (to be decided by Member States in transposing the Directive into national laws).
In 2011 the Commission issued an evaluation report, which concluded that data retention has proven useful in criminal investigations against the harm caused by crime and terrorism, also including critical conclusions on the design of the Directive in particular when it comes to the balance between security and respect of the privacy of EU citizens.
But the court's ruling means the EU directive is null and void. Following the decision, national legislation needs to be amended with regard to aspects that become contrary to EU law.
Constitutional courts in several European countries (Germany, Romania, the Czech Republic and to some extent Cyprus and Bulgaria) found national data retention laws to be unconstitutional.
It also said Europeans are likely to feel "their private lives are the subject of constant surveillance" if the bill is left intact.
"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the court in Luxembourg ruled.
The Data Retention Directive was adopted in the aftermath of the terroristic attacks in Madrid in 2004 and London in 2005 as there was a sense of urgency to harmonize the European efforts to investigate and prosecute the most serious crimes.
The Directive requires European member states to ensure that telecommunication operators retain traffic and location data generated or processed by service and network providers for the purpose of investigation, detection and prosecution of serious crimes, as defined by national law. The data must be retained for a minimum of six months to a maximum of two years (to be decided by Member States in transposing the Directive into national laws).
In 2011 the Commission issued an evaluation report, which concluded that data retention has proven useful in criminal investigations against the harm caused by crime and terrorism, also including critical conclusions on the design of the Directive in particular when it comes to the balance between security and respect of the privacy of EU citizens.
But the court's ruling means the EU directive is null and void. Following the decision, national legislation needs to be amended with regard to aspects that become contrary to EU law.
Constitutional courts in several European countries (Germany, Romania, the Czech Republic and to some extent Cyprus and Bulgaria) found national data retention laws to be unconstitutional.