The European Court of Justice has declared invalid the EU Data Retention Directive, which requires telecoms providers to store the communications data of EU citizens for at least six months.
This data includes traffic and location data regarding fixed and mobile telephony, internet access and email, but does not include content.
The directive requires telecoms providers to make this data available, on request, to law enforcement authorities for the purpose of investigation, detection and prosecution of serious crime and terrorism.
The Data Retention Directive was adopted following the terror attacks in Madrid in 2004 and London in 2005 to harmonise European efforts to investigate and prosecute the most serious crimes.
The aim was to give the authorities better tools to investigate and prosecute organised crime and terrorism.
The court said the directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary", reports Reuters.
"Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance," the court said.
More on the EU Data Retention Directive
But a memo issued by the European Commission said the ruling means that national legislation needs to be amended only with regard to aspects that become contrary to EU law.
“Furthermore, a finding of invalidity of the directive does not cancel the ability for member states under the e-Privacy Directive (2002/58/EC) to oblige retention of data,” the EC said.
Cecilia Malmström, commissioner for home affairs, said the court ruling brings clarity and confirms the critical conclusions in terms of proportionality of the Commission's evaluation report of 2011 on the implementation of the Data Retention Directive.
The EC said the evaluation report concluded that data retention has proved useful in criminal investigations into crime and terrorism.
“The European Commission will now carefully asses the verdict and its impact,” said Malmström.
She said the EC will “take its work forward in light of progress made in relation to the revision of the e-Privacy Directive and taking into account the negotiations on the data protection framework".
The Austrian and Irish courts had asked the European Court of Justice to rule whether the directive was in line with the EU's Charter of Fundamental Rights. The directive has also caused public outcry in Germany.
In February 2009, the European Court of Justice disappointed privacy advocates by ruling that the directive was legal, in response to objections by Ireland and Slovakia.