EU court scraps data surveillance law
The EU court in Luxembourg has struck down a law on internet and phone surveillance, saying its loose wording opens the door to untoward snooping on private lives.
It said in its verdict on Tuesday (8 April) the “data retention directive” constitutes a “particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data” in Europe.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
It also said Europeans are likely to feel “their private lives are the subject of constant surveillance” if the bill is left intact.
The directive, passed in 2006, has already been transcribed into national law in most member states.
It obliges internet and phone companies to store data on who contacts whom, when, how often, and from which locations, for between six months and two years so that government agencies can use it to hunt down “serious crime”.
The ruling means the EU directive is null and void. Individual EU countries can still keep the national measures in place if they want, but they are likely to see a flood of legal challenges if they do.
Tuesday’s verdict comes after Austria and Ireland asked the EU tribunal to intervene following challenges by rights groups, local governments, and, in Austria, by 11,130 private applicants.
The court said the definition of “serious crime” is too “general.”
It criticised that the law “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”.
It complained that government access is “not made dependent on the prior review by a court or by an independent administrative body”.
It also complained the law “does not require that the data be retained within the EU,” opening the door to security breaches from outside Europe.
Jan Philip Albrecht, a German Green MEP at the heart of European Parliament law-making on data issues, described the verdict as “a major victory for civil rights in Europe”.
“Today's ruling is even more embarrassing for the German federal government and the EU commission, who continue to advocate in favour of data retention and other types of unfounded, unjustified blanket surveillance, for example through the air passenger data system,” he added.
Joe McNamee, the director of European Digital Rights, a Brussels-based NGO, noted: "After eight years, this affront to the fundamental rights of European citizens has finally been declared illegal.”
The European Commission was not available for comment on Tuesday morning amid a crisis meeting in its press service.
An EU official told EUobserver one option is to table a new version of the directive taking into account the court’s objections. But a new bill would take years to put together, and work is unlikely to begin before the May elections.
The contact added: “The commission has fined some member states for not transposing the measures quickly enough. So does this mean they will have to give the money back?”
Meanwhile, EU justice commissioner Viviane Reding did not wait for the executive to draft a common line.
“Glad #CJEU confirmed: we need independent #DataProtection authorities to uphold fundamental rights,” she tweeted.
“#CJEU confirms: #security not a 'super right' overruling the protection of personal data,” she added.