EU Top Court: Germany’s Blanket Data Retention Law is Illegal

A small win for privacy advocates and a blow to member states banking on blanket data collection to fight crime and safeguard national security.

EU flags

Germany’s general data retention law violates EU law, the Court of Justice of the European Union (CJEU) ruled recently, dealing a blow to member states banking on blanket data collection to fight crime and safeguard national security.

According to Europe’s top court, the law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms.

“The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security,” the judges said. “However, in order to combat serious crime, the member states may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses.”

The ruling comes after major attacks by Islamist militants in France, Belgium, and Britain in recent years. These attacks have prompted governments to argue that access to data can help prevent such incidents, while operators and civil rights activists oppose such practices.

The latest case was triggered after Telekom Deutschland and internet service provider SpaceNet AG challenged Germany’s data retention law arguing it breached EU rules.

The German court subsequently sought the advice of the CJEU, which said such data retention could only be allowed under very strict conditions.

According to the eco association, which backs SpaceNet, Germany’s blanket data storage requirement costs the industry millions of euros.

In a different case, the CJEU said financial market regulators could not use EU laws against insider dealing and market manipulation to force telecom providers to hand over the personal data of traders suspected of these violations.

That case was triggered by two individuals who challenged the French Financial Markets Authority after it asked telecoms operators to forward personal data from phone calls made by the two based on French laws.

“The general and indiscriminate retention of traffic data by operators providing electronic communications services for a year from the date on which they were recorded is not authorised, as a preventive measure, for the purpose of combating market abuse offences including insider dealing,” the CJEU said.

We applaud the CJEU’s decision to protect the privacy of users in the EU and are hoping that more of such verdicts will follow in the future. In the meantime, we’d like to be extra sure that no one is watching and are relying on a good VPN to keep our Internet whereabouts to ourselves. And yes, we suggest you do the same…