The EU's data-retention law "interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the European Court of Justice in Luxembourg said in a statement after a ruling on Tuesday.
The criticism of the EU's own rules adds to pressure on lawmakers to deliver tougher data protection measures following revelations that U.S. spies snooped on conversations of EU leaders. Those leaks caused a transatlantic spat and a clamour for agreements to halt eavesdropping exposed by former NSA contractor Edward Snowden.
"The court has rejected the principle of mass surveillance of EU citizens without suspicion and says it's incompatible with the charter of fundamental rights," said Simon McGarr, a Dublin-based lawyer for Digital Rights Ireland, an Irish campaign group that took the case. "It's a whole new court if it's going to start making decisions like this."
While the EU is justified in requiring collection of data to combat crime, it hasn't set enough limits to make sure that only information that is strictly necessary is stored, the court said.
The EU law of 2006, drafted in the wake of terrorist attacks in London and Madrid, requires phone and Internet providers to store details of connections on their network in case they are needed by law enforcement authorities. They must keep the information for at least six months and delete it after two years.
The judgment won't lead to a blanket ban on data storage, the European Commission said in a statement. Instead, nations may need to scale back the scope of their rules to take into account the court's criticism, it said.
The ruling "confirms the critical conclusions" of a 2011 report that said some of the law's provisions were disproportionate, said EU Home Affairs Commissioner Cecilia Malmstroem. The EU will take account of negotiations on new data protection rules, she said.
Authorities are increasingly seeking access to the data held by telecoms operators, the EU said. Some 2.66 million such requests were made in 2012, it said. Most EU countries insist that the data is only handed over to authorities by order of a judge.
Internet service providers and telecoms companies in the EU "must be cautious" as a result of Tuesday's ruling because "there may indeed be a risk that retaining large volumes of traffic data for a long time" would violate separate EU rules on data protection and privacy, said Tom De Cordier, a lawyer at Allen & Overy in Brussels. Some countries may have rules in place that don't breach fundamental rights and could still be enforced, he said.
Tuesday's ruling was triggered by challenges by Digital Rights Ireland and an Austrian man who took cases to the Irish and Austrian courts claiming that authorities exceed their powers.