The Electronic Frontier Foundation (EFF) has called on European privacy authorities to scrap legislation that requires internet service providers (ISPs) to retain customer data.
The EU's 2006 Data Retention Directive requires ISPs in Europe to retain customer telecom and internet traffic data for at least six months and up to two years for possible use by law enforcement authorities.
The directive is highly controversial and has faced court challenges as each member state has implemented it in their own law, the EEF said, citing cases in German, Romania and Sweden.
In addition, the EEF said European privacy authorities have found that at national level telcos and ISPs' compliance with the obligations required from national traffic data retention legislation was unlawful.
Investigators found data retention periods were as high as 10 years, well in excess of the 24-month maximum set in the directive, and in some cases data retention was not limited to traffic data, but included data relating to the contents of communications.
The experience in Europe makes clear that mandatory data retention regimes are disproportionate and unnecessary, the EEF said.
"We continue to believe that the legitimate needs of law enforcement can be met by a more targeted data preservation regime, without the collateral damage inflicted by the 2006 directive," the EEF said in a statement.