Last week the European Court ruled that the EU Data Retention Directive, which requires electronic communications services and public communication networks – that is, telcos and ISPs – to retain customer data for up to two years, is invalid.

The Directive had previously required telecoms service providers to keep traffic and location data as well as other information needed to identify the user, but not the content of the communication.

The Court’s ruling effectively relieves telcos and ISPs of the requirement to retain data because this would be an infringement of the fundamental human rights of their customers.

It recognized there is a need for data to be retained for fighting serious crime but considered that a failure to address issues of proportionality interfered with individuals’ fundamental rights to respect for their private life and to the protection of their personal data.

Bridget Treacy, who leads the privacy and cyber security practice at law firm Hunton & Williams, said the court’s criticisms of the Directive “are consistent with European concerns voiced in the wake of last summer’s revelations of the NSA’s covert surveillance activities”.

She said the court found the Directive had a number of specific failings: it covers all individuals, all means of communication and all traffic data, without limitation; it fails to set out the criteria that national law enforcement agencies would need to satisfy to gain access to the data, or restrictions on use; the data retention periods do not distinguish categories of data on the basis of people concerned or the nature of the investigation, or limit the retention period to what is necessary; there are insufficient safeguards to protect data from abuse, or unlawful access or use; the Directive does not require the data to be retained within the EU.

Alex Rabbetts, CEO of UK colo provider MigSolv, said he thought the ruling raised further questions.

“For data centers, one could suggest it may mean less data that is required to be stored, but the reality is that there are wider implications,” Rabbetts said.

“ISPs (and some data center operators) currently retain records of more than just telephone records; they retain information on email transactions and web sites visited too. Are they to continue to hold this data or not? Some urgent clarification will be needed.

“If an ISP retains the data because it is not clear from this ruling whether they should or not, they could fall foul of the law by doing so. Conversely, if they don’t hold the data and it is deemed that this is a separate requirement, they could be in breach from this perspective.”

Sam Maccherola, general manager EMEA and APC, Guidance Software, also commented.

“Perhaps counterintuitively, the Data Retention Directive, current data protection law and the revised proposal for a data protection regulation possess a common technical denominator. They impose a similar burden on data controllers. That is, the need to identify what data you hold and where, albeit for radically different purposes,” Maccherola said.

“On the one hand, the forthcoming data protection regime looks set to embody, for example, a right to be forgotten; whereas the old retention directive imposed the costly exercise of data retention, though not, per data protection principles, for longer than is necessary.

“So, regardless of this week’s judgment, operators face a familiar basic governance burden: to know where data is, to keep it for a determined period of time and to delete it at the first legal opportunity.”