The directive is too general, covering all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception. It also makes no requirement for review by a court or an independent body before providing access to the data. In addition, the directive imposes a retention period of at least six months without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.
The directive included insufficient protections to prevent the data from being accessed unlawfully, and did not require that the retained data be stored within the EU, as explicitly required by the Charter of Fundamental Rights, the court added.
The CJEU's ruling is binding for national courts who have to dispose of cases in accordance with the Court's decision.
Sign up for CIO Asia eNewsletters.