The European Union's top court on Tuesday dealt a blow to law-enforcement agencies' spying on phone and internet records, saying the lives of citizens should not be "the subject of constant surveillance."
The European Court of Justice scrapped EU legislation allowing the indiscriminate collection of such communication data in crime-fighting efforts, finding that the rules were too broad and offered too few privacy safeguards.
"The judgment finds that untargeted monitoring of the entire population is unacceptable," said T.J. McIntyre, chairman of Digital Rights Ireland, who filed the original lawsuit.
Other rights groups also hailed a landmark victory for privacy, but governments stressed they still need to access phone records to prevent or investigate serious crimes such as terrorism.
"Data retention for the purpose of investigating serious crimes is necessary and that remains the case," German Interior Minister Thomas de Maiziere said after the ruling, urging quick agreement on more narrowly defined new legislation.
Germany highlighted the ambivalence toward the directive. The most populous of the EU's 28 nations never implemented it amid court challenges and domestic political differences, exposing Berlin to EU fines for non-compliance.
However, Britain's Home Office, which handles issues of law and order in the country, said saving communication data "is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security." Britain's GCHQ surveillance agency has close ties with the United States' National Security Agency.
Tuesday's verdict nullifies the EU data retention directive, rendering national laws very vulnerable to local court challenges.
The 2006 legislation required telecommunication firms to store phone calls or some online communication records for at least six months and up to two years. The data typically reveals who was involved in the communication, where it originated, when and how often—but not its content.
Still, the Luxembourg-based court ruled the legislation provided "very precise information on private lives," including daily habits and social relationships that represented a "particularly serious interference with fundamental rights."
The court said the rules must be narrowed down to ensure any privacy infringement will be restricted to "what is strictly necessary" for fighting serious crimes.
Beyond invading privacy, Green European Parliament lawmaker Jan Philipp Albrecht said the data collection also "totally failed to lead to any noticeable improvement in law enforcement."
In an apparent nod to the leaks disclosing U.S. surveillance agencies' alleged mass spying on communication overseas, the EU court also said the legislation's failure to ensure that the storage of communication data was retained within the EU represents a potential breach of the bloc's privacy laws.
Privacy advocates in Ireland and Austria brought cases against national legislation based on the EU directive to their countries' top courts, which in turn sought advice from the Luxembourg judges.
Explore further: New Chinese law reinforces government control of cyberspace (Update)