The European Court of Justice has declared invalid the EU Data Retention Directive following a challenge brought by Digital Rights Ireland, finding the directive to be "an interference with the fundamental rights of practically the entire European population".
Ignore for a moment the bureaucratic term "data retention". Concealed behind that dull language the directive established a type of mass surveillance which requires internet service providers (ISPs) and telephone companies to record details about your location, your text messages, your emails and your internet use.
The information stored is almost everything bar the actual content of a phone call, email or text message. For every citizen there is a database of who called who, when, and for how long; the sender and recipient of every text message and email; and (by recording mobile phone locations) the movements of every person at all times. This information is then stored for up to two years and can be accessed by gardai without a warrant, subject only to an internal rubberstamping procedure.
The directive was passed in 2006 following a fast-track procedure in the EU institutions which cynically took advantage of the tragic London and Madrid bombings to rush through the law in just three months. Even then, however, critics pointed out that it was a disproportionate measure which was open to abuse.
In its judgment the European Court of Justice agreed with those criticisms, holding that the directive was neither necessary nor proportionate as a means of targeting crime or terrorism. In particular, it found that the directive was invalid on four grounds.
First, it was excessive in establishing monitoring of the entire population rather than those who might be linked to serious crime.
Second, it did not provide effective control over access and use of the data – in particular by not insisting that a court should approve requests for data.
Third, it required that data should be stored on all citizens for an extended period without any clear justification as to why that period was chosen.
Finally, the directive didn't establish adequate security for the stored data, making it open to attack by hackers and (by implication) foreign intelligence services.
The court therefore found that the law interferes in a "particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data" and could not be upheld.
In particular, the court held that this type of indiscriminate surveillance on the entire population was likely to have a chilling effect which would "generate in the persons concerned the feeling that their private lives are the subject of constant surveillance".
This is a significant decision for Irish law. The Digital Rights Ireland case will now return to the High Court in Dublin which will decide whether Irish data retention law is unconstitutional in light of the European Court of Justice ruling.
It is difficult to see how the national law implementing the directive can stand up to challenge now that the directive itself has been held invalid. Consequently it is very likely that new Irish legislation will be proposed.
More generally the judgment will have fundamental implications both throughout Europe and worldwide. The decision itself is effective throughout all 28 member states and will provide greater privacy protection for over half a billion EU citizens.
It will almost certainly be followed by more cases in other member states by national civil rights groups challenging local data retention laws. It also comes at a time when data protection law throughout Europe is under review and will help to establish high standards for any new law.
Finally, this is the first major ruling on surveillance following the Edward Snowden revelations and is clearly influenced by the abuses which he exposed.
The judgment will be of central importance to other cases, pending against the UK government, challenging internet surveillance by the British intelligence service GCHQ.
In effect, the European Court of Justice has set out a position which directly rejects the type of indiscriminate mass surveillance carried out by the US and UK governments as being unacceptable in a democratic society.
TJ MCINTYRE IS CHAIRMAN OF DIGITAL RIGHTS IRELAND AND A LECTURER IN THE UCD SUTHERLAND SCHOOL OF LAW