EU court scraps data surveillance law
The EU court in Luxembourg has struck down a law on internet and phone surveillance, saying its loose wording opens the door to untoward snooping on private lives.
It said in its verdict on Tuesday (8 April) the “data retention directive” constitutes a “particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data” in Europe.
It also said Europeans are likely to feel “their private lives are the subject of constant surveillance” if the bill is left intact.
The directive, passed in 2006, has already been transposed into national law in most member states.
It obliges internet and phone companies to store data on who contacts whom, when, how often, and from which locations, for between six months and two years so that government agencies can use it to hunt down “serious crime”.
The ruling means the EU directive is null and void. Individual EU countries can still keep the national measures in place if they want, but they are likely to see a flood of legal challenges if they do.
Tuesday’s verdict comes after Austria and Ireland asked the EU tribunal to intervene following challenges by rights groups, local governments, and, in Austria, by 11,130 private applicants.
The court said the definition of “serious crime” is too “general.”
It criticised the fact that the law “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”.
It complained that government access is “not made dependent on the prior review by a court or by an independent administrative body”.
It also complained the law “does not require that the data be retained within the EU,” opening the door to security breaches from outside Europe.
Jan Philip Albrecht, a German Green MEP at the heart of European Parliament law-making on data issues, described the verdict as “a major victory for civil rights in Europe”.
“Today's ruling is even more embarrassing for the German federal government and the EU commission, who continue to advocate in favour of data retention and other types of unfounded, unjustified blanket surveillance, for example through the air passenger data system,” he added.
Joe McNamee, the director of European Digital Rights, a Brussels-based NGO, noted: “After eight years, this affront to the fundamental rights of European citizens has finally been declared illegal.”
The European Commission was not available for comment on Tuesday morning amid a crisis meeting in its press service.
An EU official told EUobserver one option is to table a new version of the directive taking into account the court’s objections. But a new bill would take years to put together, and work is unlikely to begin before the May elections.
The contact added: “The commission has fined some member states for not transposing the measures quickly enough. So does this mean they will have to give the money back?”
Meanwhile, EU justice commissioner Viviane Reding did not wait for the executive to draft a common line.
“Glad #CJEU confirmed: we need independent #DataProtection authorities to uphold fundamental rights,” she tweeted.
“#CJEU confirms: #security not a 'super right' overruling the protection of personal data,” she added.