European data protection supervisor Peter Hustinx has ruled the EU's Data Retention Directive, requiring all ISPs to store traffic and location data, to be contrary to the fundamental right to privacy and data protection.
He has formally "adopted an opinion" that it does not meet the provisions because the necessity for data retention "has not been sufficiently demonstrated", data retention could be regulated in a less privacy-intrusive way, and there is too much scope for individual member states to decide the purposes for which the data might be used and who can access it.
He said: "Although the commission has clearly put much effort into collecting information from the member states, the quantitative and qualitative information provided by the member states is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the directive.
"Further investigation of necessity and proportionality is therefore required, and in particular the examination of alternative, less privacy-intrusive means."
He has asked the commission to consider all options, including repealing the directive and replacing it with a "more targeted" measure.
He said that if new information showed the necessity for the directive, there should be harmonised rules on the obligation to retain data and its access and use by "competent authorities", there must be a clear and precise purpose which cannot be circumvented, and the scope should be proportionate and not go beyond what is necessary.
Hustinx has said the availability of traffic and location data can play an important part in criminal investigations.
But he has also expressed serious doubts about the necessity for retaining information on such a large scale because of the right to privacy, which is enshrined in the Convention on Human Rights, itself justiciable in law, regardless of the views of the commission or governments – a major concern for ISPs.