EU's highest court strikes down mass surveillance under the Data Retention Directive

The European Court of Justice, the highest court in the EU, has invalidated the European Parliament's Data Retention Directive, which required phone companies and ISPs to store your clicks, email subjects and to/from info, your location data, and other sensitive "metadata" for up to two years. The ECJ cited the UN Human Rights Committee's condemnation of this sort of data-retention and its call for the USA to halt its surveillance. We have Digital Rights Ireland and AK Vorrat Austria to thank for the ruling.

Finland has led EU nations in rejecting mass surveillance, with its Minister of Communications, Krista Kiuru, declaring that Finland "wants the be a model country in privacy." However, the UK, one of the world's most prolific and lawless surveillance states, is likely to insist on keeping the data-retention law and expanding it in accord with the "Snooper's Charter" plan that the Conservative party keeps reintroducing.

While the decision comprehensively rejects the current directive, some states may put up a fight to keep their laws, while others could take this opportunity to become champions of their citizens' privacy. The Finnish Minister of Communications, Krista Kiuru, has already declared a full review of Finnish law in the light of the decision, declaring that "if [Finland] wants the be a model country in privacy, Finnish legislation has to respect the fundamental rights and rule of law." The German and Romanian data retention laws have already been declared unlawful by their national constitutional courts. Governments advocating retention, like the UK, may argue that they can still maintain their existing data retention laws, or there may even be an attempt to introduce a whole new data retention directive that would attempt to comply with the ECJ's decision.

However the data retention regime unwinds in Europe, this decision sends an important signal to other countries in the world who are considered the same path as the EU. Brazil's online activists have been fighting hard to keep data retention out of their flagship Internet Bill of Rights, the Marco Civil. The law, which is about to be considered by the Brazilian Senate, would require ISPs to record personal data for one year, and other service providers log keep private information on their users for six months. New laws requiring mandatory data retention by companies in the United States have also been championed by the Obama administration's Department of Justice, and have been proposed by the Whitehouse as a "solution" to the NSA spying scandal. As the ECJ's decision shows, the indiscriminate recording and storage of every aspect of innocent civilians' online lives is a travesty of human rights, no matter where that collected data is housed.

Data Retention Directive Invalid, says EU's Highest Court [Danny O'Brien/EFF]