While Obama might be happy to keep telling people that the NSA isn't interested in reading your texts, the kind of legislation that makes it possible for countries like the US and the UK to spy on citizens and store huge amounts of metadata on who's calling who and when, is entirely invalid according to the European Court of Justice (CoJ).
The law the court investigated, was the Data Retention Directive, a piece of legislation that came about in 2006, which requires telecoms companies to store metadata on customers for at least six months and potentially up to two years, during which time law enforcement and security agencies can request access to the data. Initially instigated in the wake of the London and Madrid public transport bombings, it was designed to help the police and other organisations track down terrorists, but it's now been declared invalid after both Ireland's High Court and Austria's Constitutional Court were asked to examine the law and deferred to the EU court.
The report from the CoJ was one of condemnation, suggesting that privacy laws were being broken by the data retention: “The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”While it did acknowledge the use for such data and that no doubt law enforcement could find it an important tool for apprehending some individuals, “the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.”
It also suggested that the climate created by such data collection would be one of fear and suspicion, that one's private life was being invaded and that there were no guarantees in place to prevent the data being used for its original intentions. In-fact, the only reason an agency might need for looking at the data is to be investigating a “serious crime,” as defined by the particular country. This could be anything depending on where you go.
Perhaps the most worrying part of the directive though, is the fact that it doesn't even specify that the data has to be stored within the EU, so it could easily be stored elsewhere, with control handed over to another country.
KitGuru Says: There's a few countries I can think of that would love to – and probably do – have that data. It's good to see another EU Court, following on from the Human Rights' Court, decrying mass data collection and retention.
However this ruling is more than just good news, it could mean that ISPs have a precedent to halt data retention. That's huge.[Thanks Wired]