The general law for data retention (GDPR from the General Data Protection Regulation) of Germany violates EU law, decided Europe's highest court on Tuesday, dealing a blow to member states that collect data to fight crime and ensure national security.
The law can only be applied in cases where there is a serious threat to national security defined in very strict terms, the Court said Europeanς Ένωσης (CJEU από το Court of Justice of the European Union). Η απόφαση έρχεται μετά από μεγάλες επιθέσεις ισλαμιστών μαχητών στη Γαλλία, το Βέλγιο και τη Βρετανία τα τελευταία χρόνια. Οι κυβερνήσεις υποστηρίζουν ότι η access on data, especially that collected by telecommunications operators, can help prevent such incidents, while communications providers and civil rights activists oppose this access.
The latest case began when Deutsche Telekom and internet service provider SpaceNet AG challenged Germany's data retention law, arguing that it violated EU rules. The German court then sought advice from the CJEU, which said that this type of data retention may only be permitted under very strict conditions.
"The Court confirms that EU law precludes general and indiscriminate data retention movementand location, except in the case of a very serious threat to national security," the judges said.
However, the same court also left a loophole "to combat serious crime, Member States may, strictly respecting the principle of proportionality, provide for, among other things, the targeted or rapid retention of such data and the general and indiscriminate retention of IP addresses ".