Data regulations in Europe should prevent spies and national governments from accessing data of phone and internet users, unless in circumstances of serious national security threats, the top EU court has ruled.
The judgement on Tuesday, from the European Court of Justice, was made in relation to a series of linked cases from France, the UK and Belgium - which have all experienced recent terror attacks and have upped surveillance as a result.
It added that it would allow for a limited timing of data retention where "a serious threat" was posed, and that data collection should be on an individual level.
A follow-up review should be conducted by an independent authority while for urgent cases, this should be carried out "promptly," the ruling said.
"Today’s judgement reinforces the rule of law in the EU," said Caroline Wilson, the legal director of Privacy International, a privacy campaign group that initially brought the case.
"In these turbulent times, it serves as a reminder that no government should be above the law.
"Democratic societies must place limits and controls on the surveillance powers of our police and intelligence agencies."