EU countries cannot force telecom operators to keep all their customers’ data, the EU’s top court ruled on Wednesday, weighing in on a privacy debate that has raged since Edward Snowden’s 2013 leak on mass surveillance by British and U.S. spies.
Attacks in Europe from France to Belgium—and, on Monday, in Berlin—have reinforced calls for security agencies to be given greater powers, while privacy advocates say mass retention of data is ineffective in the fight against such crimes.
The Court of Justice of the European Union (ECJ) said its ruling was based on the view that holding traffic and location data en masse allowed “very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained”.
Such interference with people’s privacy could only be justified by the objective of fighting serious crime and access to data should be subject to prior review by a court or independent body except in urgent cases, it said.
Governments could demand targeted data retention subject to strict safeguards, the ECJ statement said, but the data must be stored within the EU given the risk of unlawful access.
The court was responding to challenges against data retention laws in Britain and Sweden on the grounds that they were no longer valid after the ECJ struck down an EU-wide data retention law in 2014.
The ruling will make uncomfortable reading for the British government, which passed a new data retention law in November, and for many other European governments which had submitted observations to the court.
Get Data Sheet, Fortune’s technology newsletter
“This is a pretty big deal for the U.K.,” Bird & Bird partner, Graham Smith, said.
“On the face of it, there is quite a lot in the data retention bit of the Investigatory Powers Act (IPA) that does not comply with the conditions that the Court of Justice has laid down,” he said.
Privacy International, an advocacy group that intervened in the case, said the ruling raised questions about the legality of provisions in the British bill requiring telecom operators to store data for up to 12 months “for reasons that go far beyond what is strictly necessary for fighting serious crime”.
A number of British politicians—including Brexit minister David Davis—had filed a legal challenge against the IPA’s predecessor, a 2014 surveillance law, part of which was suspended by a British court.
Swedish telecoms operator Tele2 had told its regulator that it would stop retaining data after the ECJ struck down the EU Data Retention Directive.