Under the Directive, Internet providers and other telecom companies were required to log and store vast amounts of information, including who their subscribers communicate with and what IP addresses they use.
The local authorities could then use this information to fight serious crimes, but it was also frequently used by third parties, in online piracy cases for example.
Today the Court ruled that the data collection requirements are disproportionate. In a case started by Digital Rights Ireland the Court effectively annulled the directive, and it’s now up to the individual member states to change local laws accordingly.
“The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” the Court states.
“By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” it adds.
The judgement has far-reaching implications for large telecom companies, but also for smaller businesses including many VPN providers. With the new ruling, these companies are no longer required to log extensive amounts of user data as was required under the EU Directive.
While many ISPs are waiting to see what local Governments decide, the Swedish provider Bahnhof immediately announced that it would wipe all subscriber data it stored.
“Bahnhof stops all data storage with immediate effect. In addition, we will delete the information that was already saved,” Bahnhof CEO Jon Karlung says.
There’s also resistance against the Court decision. The Dutch Minister of Justice Fred Teeven, for example, wants local ISPs to continue storing user data for law enforcement purposes.
The European Court of Justice judgement is a clear victory for privacy activists, but mostly for the public who will regain some of their online privacy. While the ruling specified that some data retention may be needed, broad and mandatory retention laws and NSA-style data dragnets are no longer the standard.