Not that it directly affects U.S. legal and constitutional considerations on the NSA phone records program, it is still worth noting that last week the European Court of Justice declared the EU Data Retention Directive was a violation of the fundamental rights of EU citizens under the Charter of Fundamental Rights of the European Union — that’s the equivalent of the Bill of Rights in the U.S. A fundamental right is a legally protected right – such as the right to due process, the right to equal protection under the law, or the right to free speech – or the inalienable rights in the US Declaration of Independence.
The Charter provides for fundamental rights of respect for private life (Article 7), which includes private communications, and protection of personal data (Article 8). The EU Data Retention Directive required that telecoms and ISPs retain phone records and some internet service records for at least six months and up to two years and make these available to government agencies as needed for law enforcement. The requirement that telecoms hold on to phone record data instead of the NSA storing the data is likely to be part of the White House proposals for NSA reforms in response to public concerns over domestic spying.
The courts are ultimately the arbiter of what are rights, and what infringements are allowed. In order to infringe on a fundamental right, the government must prove that it serves a significant governmental purpose that cannot be achieved in some other way. Even when that is proved, the infringement must then be narrowly tailored. It is the latter which the EU Court appears to state has not been done – that is, the data retention directive did not narrowly tailor the means of meeting the government’s interest of law enforcement. This ruling then leaves open the ability of the EU to revisit the directive and tailor it in a way that is narrower. The Court described six ways in which the directive is too broad. The EU could issue a new directive that addresses those six objections.
Notably the directive was intended to harmonize activities in which many EU member states were already engaged. And the directive was phrased in terms of law enforcement, where the EU has some standing, not national security where the EU has very little standing. We should expect that EU member states that have a history of this type of activity will continue to require telecoms and ISPs to store the data for national security purposes. However, this ruling will balkanize the data, making pan-EU law enforcement and anti-terrorism analysis more difficult.