(CN) - A data-mining directive in Europe is a "wide-ranging and particularly serious interference with fundamental rights," the EU's highest court ruled Tuesday.
Passed by both houses of the EU legislature in 2006, the law required providers of telephone and electronic communications to collect traffic and location data - but not content - and retain the information for two years.
Lawmakers said the directive "harmonized" communication-data retention across the EU since it tasked member states with ensuring that communication companies collected, kept and then dumped the data in question.
But digital privacy watchdog groups - like Digital Rights Ireland in this case - said the scheme undermined previous laws that better protected the personal data of EU citizens, all in the name of surveillance.
This past December, an adviser to the European Court of Justice said that, while the law expressly prohibited collecting the content of people's communications, it authorized a map of citizens' lives that could be traced by law enforcement even years later.
In its ruling Tuesday, the Luxembourg-based high court said the data retained under the law would have allowed such a clear look into the private lives of EU residents that the supposed ends - public safety and crime fighting - did not justify the means.
"The data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them," the court wrote.
Adopting its adviser's opinion, the court agreed that the scheme would lead to citizens "feeling that their private lives are the subject of constant surveillance." That level of scrutiny cannot be justified by public security concerns, the court added.
"As for whether the interference caused by the directive is limited to what is strictly necessary, it should be observed that the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony," the decision states. "It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people's everyday lives. Furthermore, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population."
In striking down the law, the court said this lack of scope - and a vague prescription for how and when member states and communications providers should destroy retained data - entails "a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary."
Also on Tuesday, the high court said Hungary broke the law when it eliminated its independent data-protection watchdog in favor of a government-run agency.
The European Commission sued after Hungarian lawmakers voted to reform its data-protection system and ousted the head of that office before his term expired.
Specifically, regulators argued that Hungary broke EU law by tying its new data-protection system too closely to the president and prime minister and failing to consult with the former watchdog on any of the proposed changes.
The decision by the EU's high court Tuesday notes that, while European law gives member states wide latitude to implement the data protection scheme, it also requires that all supervisory authorities must be free of government influence and interference.
"The court has held that the mere risk that the state scrutinizing authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter in the independent performance of their tasks," the opinion states. "First, there could be 'prior compliance' on the part of those authorities in the light of the scrutinizing authority's decision-making practice. Secondly, in view of the role adopted by those authorities as guardians of the right to private life, EU law requires that their decisions - and, therefore, the authorities themselves - remain above all suspicion of partiality."
Forcing independent watchdogs out of office prematurely could lead to compromises in their independence and integrity - even if the order stems from a change in national law, the court added.