EU Data Retention Ruling May Roil US-European Relations

A major European court ruling regarding electronic privacy this week has the potential to shake up trans-Atlantic commerce and maybe impact the privacy debates in the United States over government snooping, analysts say.

On Tuesday, the European Union's highest court struck down a controversial directive that encouraged telecommunication and mobile phone companies to retain users' private data records for up to two years.

The EU's European Court of Justice invalidated the 2006 EU Data Retention Directive on privacy grounds, noting in its opinion that "the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."

The Court seemed particularly concerned by the directive's breadth of data collection.

"The directive covers, in a generalized manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime," according to an ECJ press release. ​By invalidating the directive, phone companies and mobile data providers will no longer record user's locations, calls and social contacts without the user's knowledge or consent.

The ruling comes in the wake of a nearly year-long series of revelations about U.S. data collection activities leaked by former National Security Agency contractor Edward Snowden, now living in temporary asylum in Russia.

In what some observers consider a nod to the Snowden leaks, the court said the directive could lead to Europeans feeling they have become "the subject of constant surveillance."

"This was the singlemost controversial surveillance Directive ever adopted by the E.U.," said Axel Arnbak, a researcher at the Institute for Information Law at the University of Amsterdam.

"This really was the first time the EU court in Luxemburg was asked about its interpretation of privacy since the adoption of the EU Charter of Fundamental Rights in 2009," he said.

While EU member nations could now begin debating electronic surveillance programs specific to their borders, the court's firm rejection of the 2006 directive means that any new programs could also be challenged in court.

"Mandated government surveillance," Arnbak said, "strikes at the heart of democracy."

Impact in the US

The ruling leaves new questions in its wake. Among them, what conflicting EU and U.S. laws on data collections will mean for commerce, and concerns for the future of President Barack Obama's proposed NSA reforms on surveillance and data collection.

"Law is culture," said Bennet Kelley, founder of the Los Angeles-based Internet Law Center. "What you do in law speaks about who you are as a people. The EU has a different viewpoint about privacy...than the U.S.."

Data commerce across the Atlantic, said Kelley, is governed by something called the "European Safe Harbor."

Before any data can leave an EU member nation, U.S. telecommunications firms must certify they follow privacy policies and programs similar to the more stringent EU protections, creating a "safe harbor" for data privacy.

However, Kelley said, regulators on both sides of the Atlantic have long known that many U.S. safe harbor certifications are actually false, creating a serious potential problem for U.S. companies doing business in the EU.

This week's court ruling, he said, will only make commerce more difficult.

"Even before Snowden, there were concerns about the EU Safe Harbor," Kelley said.

"There's already skepticism in Europe because of that, and then you throw in Snowden, it creates more distrust. Having one more element of differentiation between the U.S. and EU is just not helpful."

The ruling also comes just a few weeks after President Obama proposed allowing U.S. telecommunications companies to engage in exactly the sort of data collection the ECJ just rejected.

As part of his overhaul of U.S. electronic surveillance efforts, President Obama wants to remove what's known as the "bulk metadata collection program" from the NSA and make mobile phone and data companies responsible for electronic record-keeping.

"Now it seems like it'd be a hard ask," Kelley said.

Researcher Axel Arnbak agreed.

"Not only its courts, but the EU Parliament and Commission have quite strongly responded to the Snowden revelations and this data retention ruling," Ambak said. "Those in the U.S. that seek to preserve privacy and freedom in the digital age have an extra tool in their kit."

The U.S. Supreme Court this week declined to hear a challenge to the NSA bulk metadata collection program.