E.U.’s Data Retention Directive requires ISPs to keep customer telecom and Internet traffic data for at least six months and up to two years for possible use by law enforcement.
The legislation is highly controversial and has faced court challenges in Germany, Romania and Sweden.
EFF said European authorities have found that ISP’s compliance with the requirements from data retention legislation was unlawful.
Investigators found data retention periods were as high as 10 years, well in excess of the 24-month maximum set in the directive and in some cases data retention was not limited to traffic data, but included data relating to the contents of communications.
The experience in Europe makes clear that mandatory data retention regimes are disproportionate and unnecessary, the EFF said.
"We continue to believe that the legitimate needs of law enforcement can be met by a more targeted data preservation regime, without the collateral damage inflicted by the directive," the EFF said in a statement.