Germany's highest court on Tuesday overturned a law that let anti-terror authorities retain data on telephone calls and e-mails, saying it posed a "grave intrusion" to personal privacy rights and must be revised.
The court ruling was the latest to sharply criticize a major initiative by Chancellor Angela Merkel's government and one of the strongest steps yet defending citizen rights from post-Sept. 11 terror-fighting measures.
The ruling comes amid a European-wide attempt to set limits on the digital sphere in the name of protecting privacy, that includes disputes with Google Inc. over photographing citizens for its Street View maps and a vote against letting U.S. authorities see European bank transfers to track down terror cells.
The Karlsruhe-based Federal Constitutional Court ruled that the law violated Germans' constitutional right to private correspondence and failed to balance privacy rights against the need to provide security. It did not, however, rule out data retention in principle.
The law had ordered that all data — except content — from phone calls and e-mail exchanges be retained for six months for possible use by criminal authorities, who could probe who contacted whom, from where and for how long.
"The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data," the court said, adding that "such retention represents an especially grave intrusion."
The court said because citizens did not notice the data was being retained that caused "a vague and threatening sense of being watched."
Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.
Civil rights activists who had fiercely opposed the law welcomed the ruling.
"The government must not only refrain from collecting data, it must also protect citizens from the excessive gathering of information and building of profiles by the private sector," Germany's federal data protection watchdog, Peter Schaar, said in a statement.
Germans are sensitive to privacy issues, based on their experiences under the Nazis as well as in the former East Germany's Communist dictatorships.
Ignacio Czeguhn, a professor with Berlin's Free University noted that while Tuesday's ruling was limited to the government it could have an impact on the private sector as well.
"This (ruling) raises the question, of course, what happens if a company does this?" he asked.
Security experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and child pornography rings.
Germany's top security official, Interior Minister Thomas de Maiziere, expressed disappointment at the ruling and said the government would propose narrower legislation quickly.
"It would be inappropriate to criticize a ruling by the constitutional court, but I have to say that it does not instill happiness," he told reporters.
Justice Minister Sabine Leutheusser-Schnarrenberger said, however, it might take Germany some time to revise the law.
"This is not the time to rush ahead on a national level," she said in a press conference. "This is why I would not want to set a deadline now."
The court ruled telecom data must not be stored in Germany before there is a new law and existing data must be erased.
Other EU member states implementing the EU-wide directive have ordered even longer storage.
Britain requires Internet service providers to store records of Web and e-mail traffic — though not their content — for a year, but a government proposal there to set up a vast central database of phone and Internet traffic met with strong opposition and was dropped.
The Netherlands also set 12 months for most data storage in a contentious decision, prompting the Dutch digital rights group Bits of Freedom to applaud the German ruling.
"This is a groundbreaking ruling with big consequences for the Netherlands, where the same mistakes have been made as in Germany only to a larger degree," said spokesman Axel Arnbak. "This ruling goes to show: protest pays."
In Sweden, where the EU directive has yet to be implemented, Justice Minister Beatrice Ask was quoted as saying the German ruling showed "that we have been right in that that it concerns sensitive issues that demand very difficult judgments."
Austrian Infrastructure Minister Doris Bures — whose office has drafted its own version of the law — lauded the court decision.
"Maximum data protection and maximum protection of basic rights have to be the guidelines," for complying with EU directive, she said.
In Spain, telecom companies also have to retain data for whole year, but police are required to have a court order to access the data.
That condition seems to have been enough to prevent any significant protests in a country with a long history of fighting violent Basque separatism and more recently, Islamic terror groups, said Ruben Sanchez, spokesman for the consumer rights federation called FACUA.
The decision in Germany, Sanchez said, "might serve as a wake up call for governments not to overdo things."