The Court of Justice of the EU said that the Data Retention Directive disproportionately infringes on individuals' privacy rights.
It ruled that, on the whole, the Directive was invalid because it "has exceeded the limits imposed by compliance with the principle of proportionality" in terms of the interference with individuals privacy and protection of personal data rights, as guaranteed under the EU Charter of Fundamental Rights.
The Directive requires telecoms and other electronic communications businesses to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.
However, privacy campaigners in Austria and human rights advocacy group Digital Rights Ireland both challenged whether the Directive complied with individuals' privacy rights. Their separate cases in Austria and Ireland were referred to the CJEU.
The Court said that the Directive places an obligation on providers of publically available electronic communications services to store "data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment".
Compiling this data makes it possible to draw "very precise conclusions" about individuals' private lives, "such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them".
The Court said that this collection and storage of the data constitutes a serious interference with individuals' privacy and their rights to the protection of their personal data and considered whether or not the interference with those rights was justified.
It found that the retention of the data for the purposes of allowing law enforcement bodies to access the data to help detect and prevent serious crime "genuinely satisfies an objective of general interest". This is because "the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques", it said.
However, it said that the extent of interference with individuals' privacy and personal data protection rights was not proportionate to serving that purpose. The CJEU found that Directive was too wide ranging in allowing data about individuals to be collected and retained even where "there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime".
In addition, it said that the Directive does not contain sufficient controls and safeguards to limit law enforcement agencies' access to the data retained.
"Not only is there a general absence of limits in [the] Directive but [it] also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental [privacy and personal data protection] rights ..., may be considered to be sufficiently serious to justify such an interference," the CJEU said.
"On the contrary, [the] Directive simply refers ... in a general manner to serious crime, as defined by each member state in its national law. Furthermore, [the Directive] does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use," it added.
The CJEU also criticised the Directive for allowing individual member states too much freedom to decide how long, between the minimum and maximum periods of six month and two years respectively, to require telecoms businesses in their country to retain the data for.
It said the Directive ought to have explained that data should only be retained for as long as is "strictly necessary" and that the type of data collected and its "possible usefulness for the purposes of the objective pursued or according to the persons concerned" were factors that should help determine how long data retention periods should be.
The CJEU also criticised the fact that the Directive "does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures" and said that it does not guarantee that data be irreversibly destroyed at the end of the retention periods.
The Court further criticised the fact that the Directive allows providers of publically available electronic communications services to store data that is subject to the framework outside of the EU. It said that enabling data retention to be outsourced outside of the trading bloc fails to ensure the protection of the security of the data.
The ruling broadly follows the views expressed by a legal advisor to the Court in a non-binding opinion issued in the case in December. Advocate General Pedro Cruz Villalón recommended that the CJEU find the Data Retention Directive to be incompatible with privacy rights. He called for the Directive to be scrapped once a replacement framework has been put in place with greater controls and safeguards around the access to and use of the data collected.