Germany's general data retention law violates EU law, Europe's top court ruled on Tuesday, dealing a blow to member states banking on blanket data collection to fight crime and safeguard national security.
The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, the Court of Justice of the European Union (CJEU) said.
The ruling comes after major attacks by Islamist militants in France, Belgium and Britain in recent years.
Governments argue that access to data, especially that collected by telecoms operators, can help prevent such incidents, while operators and civil rights activists oppose such access.
The latest case was triggered after Deutsche Telekom unit Telekom Deutschland and internet service provider SpaceNet AG challenged Germany's data retention law arguing it breached EU rules.
The German court subsequently sought the advice of the CJEU which said such data retention can only be allowed under very strict conditions.
"The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security," the judges said.
"However, in order to combat serious crime, the member states may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses," they said.
According to eco – Association of the Internet Industry, which backs SpaceNet, Germany's blanket data storage requirement costs the industry millions of euros.
In another case, the CJEU said financial market regulators cannot use EU laws against insider dealing and market manipulation to force telecoms providers to hand over the personal data of traders suspected of these violations.
The case was triggered by two individuals who challenged the French Financial Markets Authority after it asked telecoms operators to forward personal data from telephone calls made by the two based on French laws.
"The general and indiscriminate retention of traffic data by operators providing electronic communications services for a year from the date on which they were recorded is not authorised, as a preventive measure, for the purpose of combating market abuse offences including insider dealing," the CJEU said.
The cases are C-793/19 SpaceNet and C-794/19 Telekom Deutschland, C-339/20 VD and C-397/20 SR.
($1 = 0.9984 euros)
(Reporting by Foo Yun Chee; editing by Jason Neely)