Privacy Trumps Security as EU Court of Justice Invalidates Data Retention Directive

In 2006, responding to terrorist attacks in London and Madrid, the European Commission impelemented a data retention directive (the “Directive”) seeking to harmonize EU member states’ retention of certain electronic data that is generated or processed by providers of electronic communications services or public communications networks. The Directive requires, among other things, that Internet service providers retain details of network user communications and information necessary to identify particular users for at least six months and, in some cases, up to two years.