European governments must not oblige network operators to indiscriminately retain bulk customer communications data, the European Union's top court reaffirmed on Wednesday.
The ruling by the Court of Justice of the EU came in response to a question from the U.K.'s Court of Appeal, which is examining the legality of the U.K.'s 2014 Data Retention and Investigatory Powers Act, and a similar question from the Swedish telecommunications regulator.
But the ruling also calls into question the validity of the U.K.'s more recent Investigatory Powers Act, which received Royal Assent last month.
That law requires telecommunications companies to retain communications data, including calls made and lists of websites visited, and make it available to tens of thousands of government employees, including tax inspectors and food safety regulators.
"It will now be for the Court of Appeal to determine the case," said a Home Office spokesman, referring to the challenge to the 2014 act. "The Government will be putting forward robust arguments to the Court of Appeal about the strength of our existing regime for communications data retention and access."
Meanwhile, he said, "Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public."
The CJEU ruled Wednesday that EU law forbids the general and indiscriminate retention of traffic data and location data.
That ruling calls into question the U.K.'s 2014 and 2016 acts.
However, the CJEU gave the U.K. government some leeway, saying the law does allow targeted retention of certain data for the purpose of fighting serious crime, provided that governments limit the data retained to what is strictly necessary. In all cases, the retained data must stay within the EU and an independent authority must review all requests to access the data, it said.
Lobby group Privacy International's legal officer, Camilla Graham Wood, said that, like its predecessor, the new Investigatory Powers Act did not contain the necessary safeguards, and called on the U.K. government to urgently fix it so that access to data is properly authorized.
"The court has rightly recognized that our communications data is no less sensitive than the content of our communications. This is something that the UK Government has willfully ignored, allowing a large number of public bodies to access our personal data without a warrant," she said.
The CJEU's position on data retention is relatively recent. EU law used to allow -- and even require -- much greater retention of communications data, until a challenge from Digital Rights Ireland in 2014 prompted the CJEU to declare the 2006 Data Retention Directive invalid because of its interference with the fundamental rights to respect for privacy and the protection of personal data.