The General Data Retention Act (GDPR from the General Data Protection Regulation) of Germany violates EU law, decided Europe's highest court on Tuesday, dealing a blow to member states that collect data to fight crime and ensure national security.
The law can only be applied in cases where there is a serious threat to national security defined in very strict terms, the Court of Justice of the European Union (CJEU) said. The decision comes after major attacks by Islamist militants in France, Belgium and Britain in recent years. Governments argue that access to data, especially that collected by telecommunications carriers, can help prevent such incidents, while communications providers and civil rights activists oppose such access.
The latest case began when Deutsche Telekom and internet service provider SpaceNet AG challenged Germany's data retention law, arguing that it violated EU rules. The German court then sought advice from the CJEU, which said that this type of data retention may only be permitted under very strict conditions.
"The Court confirms that EU law precludes the general and indiscriminate retention of movement and location data, except in the case of a very serious threat to national security," the judges said.
However, the same court also left a loophole "to combat serious crime, Member States may, strictly respecting the principle of proportionality, provide for, among other things, the targeted or rapid retention of such data and the general and indiscriminate retention of IP addresses ".