The highest court in the European Union has ruled against legislation that requires operators to retain subscribers’ traffic and location data for up to two years.

The European Court of Justice declared the data retention directive was “invalid” because “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”.

The rule was introduced in 2006 so that authorities could better fight terrorism and organised crime.

But the legislation places a significant burden of data-gathering on operators, which are required to retain a range of data including the identity of people with whom a subscriber has communicated, as well the time and location of that communication, and its frequency.

In short, the legislation obliged operators to collect so-called subscriber metadata although not the actual content of the communication. Still, the court concluded such information provided “very precise information on the private lives of persons whose data are retained….”

The court said although the retention of data required by the directive may be appropriate for security reasons, the interference with fundamental rights “is not sufficiently circumscribed to ensure that the interference is actually limited to what is strictly necessary”.

The court points to a number of instances of this tendency, including the way the directive cover all individuals and electronic traffic without differentiation.

In addition, the directive is vague about timing, setting retention time between six months and two years without stating the objective criteria on which period of retention is determined.

The Court of Justice was asked to make a ruling by courts in Austria and Ireland. The law has also been controversial in Germany.