This decision has immediate consequences for us here in Germany. As our own constitutional court ruled that the law implementing the directive was invalid, we did not have a data retention law for some time now, since lawmakers wanted to wait out this decision.
So data retention is dead here in Germany and will fall in many other European countries. It is still possible that the court will allow for a severely restricted version of data retention and of course the police can access ISP billing logs if they have a court order, but blind mass-surveillance is a thing of the past.
It most certainly can. This was already a contentious issue in Germany, maybe with a slight majority in the government in favor of it or at least people who support it in the right places to implement it, but it was far from an uncontroversial issue, even inside the government (i.e. the coalition parties). Germany was already the last country not to have data retention. (Of course also because the constitutional court ruled against it, but political pressure against it was responsible, too.)
The government could ram it through when there were no court objections quite yet but with them the dissenting voices inside government certainly get amplified. Also, while violating the constitution has been quite a sport for the government in Germany in recent years, court decisions that ruled laws unconstitutional have been respected.
I’m quite optimistic, but there obviously remains a danger of this being implemented some years down the line.
I have no idea what this means on the European level and for other individual countries, though.
When it comes to security, don't live in hope that the bad actors (in this case, governments) won't do what's possible because of something that's fungible (law).
I’m quite willing to believe that there are bad actors within the government, I do not believe that the government as a whole could be characterised as a bad actor regarding security.
Also, while secret services may do all kinds of bullshit hidden in the dark something like the data retention law is out in the open and consequently comparably much easier to contain. It’s possible to have a proper discussion about it. (I think this also quite neatly illustrates the value of having those discussions out in the open, both when it comes to the courts that decide on it and to the political pressures. If it happens in secret it is much, much harder to control and contain. Policy that is decided on in secret – even if by elected representatives or people appointed by elected representatives – is just much more dangerous.)
At least in Germany it wasn't the government collecting the data, they simply forced the ISPs to do so. And when the court ruled the law invalid the ISPs were more than happy to stop the data retention because it cost them a lot of money.
ah so instead of properly security cleared people in one or two security services having access to it every ISP from DBP down to a mom and pop organization may have access.
Will the average ISP pay to put all its staff who have acess to those records with access through TS (DV clearance) clearance its not cheap. And what happens when some of the staff fail vetting - oops your now out of a job.
Oh and this woudl mean that ISP's would have to have judicial oversight.
Of course it can not. But making it illegal is a huge step towards the right direction. Now if the EU members abide to this ruling, it will make it very hard for government officials to get away with alleged privacy breaches.
While I'm not assuming Germany's system is perfect, it is very likely some governments operate more under the consent of the governed than the US government.
Well, lucky you. Here in the Netherlands the politicians have jumped on this law as an excuse to pass domestic laws for data retention. Although this excuse is now gone the laws are already in place and this court ruling might not mean that my government is obliged not to spy on me.
This ruling also doesn't necessarily prevent outsourcing of the spying to the USA.
The .nl law is presumably not permissible for the same reasons that the directive was, so a challenge should have good chances. Assuming that this ruling establishes a precedent valid within .nl, of course.
As far as I know, this does not set a formal precedent for Dutch courts. But it is far from uncommon for courts to take inspiration from other courts, especially from the ECJ, and perhaps even more so in a case like this.
Don't forget the fact that the NSA is everywhere, can intercept and store everything and is above the law (or at least: above the law as it should be (or be interpreted)).
Germany still allows the presence of several huge NSA surveillance sites. Having them inside the country certainly allows for easy tapping of German infrastructure.
I think you are overly optimistic here. Data retention is still perfectly legal and I'm sure it will continue in many European countries. They are just no longer required to have a data retention law. It now depends on the lawmakers and the constitutional courts of the respective countries to take actions.
But I agree with you, in Germany data retention is now very unlikely to happen. For the countries that have implemented it already, it's going to be very hard to reverse, though.
The court found the DRG to be disproportionate, not well circumscribed and prone to abuse. But it also said that a more limited form of data retention is in the public interest.
So I'm pretty sure the debate isn't over. There will be some form of data retention everywhere.
So data retention is dead here in Germany and will fall in many other European countries. It is still possible that the court will allow for a severely restricted version of data retention and of course the police can access ISP billing logs if they have a court order, but blind mass-surveillance is a thing of the past.
Yay!