In March of 2006, Brussels introduced a Data Retention Directive to the European Union which required telecom companies to retain all EU citizens’ communications metadata for at least six months, and for up to two years. Today, the EU’s highest court discarded this Directive, holding that it infringed on basic human rights.
In a press release, the Court summarized its position on five major problems with the Directive:
- It was overly broad. The Directive covered all electronic communication and traffic without restricting the scope of data collection to the smallest necessary to fight serious crime.
- The Directive didn’t have proper access limits. It allowed access to the metadata to fight serious crime, but what is serious crime? The Directive didn’t give objective standards to decide whether the crime behind a particular access request qualified as serious or not.
- The retention time-periods were arbitrary. It set the minimum period at 6 months, and maximum period at 24 months, but gave no guidelines for telecom companies to decide exactly how long to retain data, nor did it acknowledge distinctions between the different data categories.
- There weren’t enough protections against the risk of abuse. Personal data stored within the EU is subject to a higher level of required security, and the Directive improperly gave companies the ability to consider the economic cost of implementing strict security policies. It also didn’t ensure the data would be destroyed after the retention period.
- It didn’t require the data to stay within the EU. When personal data is processed in an EU state, with only a few exceptions, it must remain fully within the EU. The Directive didn’t restrict the export of private data out of the EU.
The Court very carefully weighed the crime-fighting advantages of bulk metadata collection, but ultimately found that the impact on “the essence of the fundamental rights to respect for private life and to the protection of personal data” was simply too great to justify the Directive, and that it exceeded the EU principle of proportionality used when examining privacy-related laws.
This ruling obviously only affects EU citizens, but the lessons learned here impact us domestically. The fact that another major world power is willing to reject the notion that security and public safety justify bulk metadata collection acts as yet another speedbump for the NSA’s policies. The Court also wholly rejects the argument that these collection programs only store “just metadata” and not the contents of those communications; it explicitly acknowledges that metadata is clearly personally identifiable, and the mere collection of that metadata constitutes a grievous invasion of personal privacy.