Service operators in Europe may no longer be forced to keep records of their users’ communications activity for up to two years, following a ruling by the European Union’s Court of Justice that Data Retention Directive is invalid under European law. The rules meant that telecoms providers had to keep traffic, location and other data, but not the content of communications.
Announced today in a statement, the court said that requiring the retention of data and allowing national authorities to access the data “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”. It added that the subsequent accessing of this data without the user’s knowledge could also contribute to “a feeling that their private lives are the subject of constant surveillance”.
The issue was brought in front of the Court of Justice following requests from The High Court in Ireland and Verfassungsgerichtshof (Constitutional Court in Austria), both of which asked the CoJ to consider the validity of the law under the Charter of Fundamental Rights of the EU – namely the right to respect for private life and the fundamental right to the protection of personal data.
Ultimately, while the court recognized that some mechanism for accessing and keeping data may be necessary, the current Data Retention Directive was too vague and didn’t provide enough safeguards to make it fit for purpose:
Although the retention of data required by the directive may be considered to be appropriate for attaining the objective pursued by it, the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary.
The court also noted that the data directive doesn’t provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data – and that “the directive permits service providers to have regard to economic considerations when determining the level of security which they apply (particularly as regards the costs of implementing security measures) and that it does not ensure the irreversible destruction of the data at the end of their retention period”. The directive doesn’t even stipulate that the collected data is kept within the EU either.
Featured Image Credit – Alexander Klein/AFP/Getty Images