The French case involves two suspects, VD and SR, accused of insider dealing, corruption, and money laundering. They claimed that the French Financial Markets Authority had no right to obtain personal data from telephone calls that had been stored for a year in case the info might be useful for criminal investigators.
The ECJ found that the EU's Market Abuse Directive and the Market Abuse Regulation could not ignore the EU's Directive on privacy and electronic communication.
Those rules, the ECJ said, "do not authorise the general and indiscriminate retention by operators providing electronic communications services of traffic data for a year from the date on which they were recorded for the purpose of combating market abuse offenses including insider dealing."
German telecom firms SpaceNet and Telekom Deutschland challenged the German legal requirement that companies retain traffic and location data for all customers' communications.
The ECJ determined that EU law disallows national legislation that requires indiscriminate retention of telecom traffic and location data to fight crime and protect public safety.
"EU law precludes national legislation which provides, on a preventative basis, for the purposes of combating serious crime and preventing serious threats to public security, for the general and indiscriminate retention of traffic and location data."
The German law's requirement that telecom firms retain traffic data for 10 weeks and location data for four weeks could allow "very precise conclusions to be drawn concerning the private lives of the persons whose data are retained," the ruling explains.
The ECJ ruling says that mandatory data retention in defense of national security is allowable when there is a "a serious threat to national security that is shown to be genuine and present or foreseeable." Any such accommodation, the court says, must be subject to judicial review and must be of limited duration related to a specific threat.