By JAMES KANTER
The New York Times
A top court on Tuesday struck down a European Union law, adopted in response to deadly terrorist attacks, that required telecommunications companies to retain information about calls and emails for up to two years.
The European Union passed the legislation in 2006 after bombings on the mass transit systems in London and Madrid, with the goal of aiding security forces in tracking those suspected of terrorism and other serious crimes. The retained data typically indicates the people who were involved in a communication, where they were and how often they communicated, but it does not reveal the content of the conversations or messages.
However, the law “exceeded the limits” of proportionality, according to the European Court of Justice, whose headquarters are in Luxembourg.
Privacy advocates in Ireland and Austria had pressed their home governments to pursue the case, which gained urgency in light of disclosures in the last year of widespread electronic surveillance in Europe by the United States’ National Security Agency.
The court said that the law, known as the Data Retention Directive, “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”
Any law must not go beyond “what is strictly necessary,” the court said.
Lawmakers at the European Parliament immediately called for a system that would do a better job of balancing privacy rights with the needs of security agencies. Legislation that addresses some of those issues is still slowly working its way through the body.
Any new rules “should in particular enshrine a high level of data protection — which is all the more essential in the digital age — thus avoiding disproportionate interferences with the private lives of citizens,” Martin Schulz, the president of the European Parliament, said on Tuesday.
The proposed legislation, in the works since 2010 and introduced in 2012, would establish fines that could run to billions of euros and affect American technology giants like Amazon and eBay if they failed to adhere to rules limiting the sharing of personal data. Companies like Google and Facebook would also need to seek clearance from European officials before complying with warrants issued by United States courts seeking private data.
In light of the court ruling, the European Commission, which is responsible for introducing legislation in the European Parliament, must now decide whether it needs to present new rules for how telecommunications companies retain data or whether the legislation now in the pipeline will be sufficient.
The judgment “brings clarity,” Cecilia Malmstrom, the European Union commissioner for home affairs, said in a statement. “The European Commission will now carefully assess the verdict and its impacts” and take its work forward “in light of progress” on the other digital-privacy legislation.
Either way, the job of deciding how to proceed will fall to the next commission, which will be chosen after European parliamentary elections in May.