Blanket data retention is illegal under EU law, court says
-
Bulk data gathering and retention from citizens is illegal under EU law (Photo: Bob Mical)
By Eszter Zalan
The “general and indiscriminate retention” of emails and electronic data by governments is illegal under EU law, the bloc’s highest court has ruled.
National governments can order only targeted data retention in order to fight serious crime, the European Court of Jutstice (ECJ) decided on Wednesday (21 December).
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Don't miss out on
Our exclusive news stories and investigations. Influential. Investigative. Independent.
Why join?
Watch our founder Lisbeth Kirk explain the reasons in this 30-second video.
Already a member?
The decision serves a blow to the UK's so-called snooper’s charter, the Investigatory Powers Act, a 2016 law that orders all kinds of firms - including telecoms operators, social media companies and data storage firms - to collect and retain data and give the authorities free access.
The decision sets an EU standard for data retention for surveillance purposes that needs to be respected by member states.
“The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance" the court said in the summary of the ruling.
"Consequently, only the objective of fighting serious crime is capable of justifying such interference."
It said any law that orders blanket data retention "exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society".
The British government said it was "disappointed" after the ECJ said the "indiscriminate" collection of data was against EU law, the BBC reported.
The legal challenge was originally brought to court by Brexit secretary David Davis when he was a backbench MP, but he withdrew from the case when he was appointed minister.
His original concern was with the Data Retention and Investigatory Powers Act, a 2014 that mandated firms to collect and store data for government requests. The 2016 law substantially extended the government's powers, and its demands on firms.
The case now returns to the UK Court of Appeal, and the UK government said it would not make any changes until the court had ruled on the legal challenge to the legislation.
In a related case, the Luxembourg court said Sweden's telecom regulator was similarly in breach of EU law when it required telecom companies to hold onto the sensitive data.
The case involved Swedish telecom company Tele2, which stopped retaining the data following a similar ruling by the ECJ in 2014.
Site Section
Related stories
- Europol in massive data breach on terrorism probes
- German court strikes blow against EU data-retention regime
- EU court to deliver judgement on data retention
- EU parliament quietly keeps visitors' wi-fi data
- EU's top court overturns German data-retention law
- EU defends airline data-sharing after court ruling
