More than 60 privacy groups and activists have demanded that member states still engaging in blanket data retention of communications info – despite it being ruled unlawful – are referred to the EU's top court.

In an open letter (PDF) to the European Commission, the signatories refer to two landmark privacy judgments, in 2014 and 2016, which ruled invalid an EU directive that allowed states to require telcos to collect and retain communications data en mass.

Although this information – which includes traffic data on numbers called, IP addresses and location data – isn't the content of the communications, it is "no less sensitive", the 62 signatories argued.

"Such retention applies to every user, including people who are not suspected of any crime or wrongdoing," the group said in a statement.

Following the legal challenges, the Court of Justice of the European Union has twice ruled general and indiscriminate retention of data as contravened rights – provided for in the EU Charter of Fundamental Rights.

Most recently, the CJEU said that the national legislation at issue in the case "exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society".

In the letter, the groups quoted this section of the judgment:

Such legislation does not require there to be any relationship between the data which must be retained and a threat to public security. In particular, it is not restricted to retention in relation to (i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime ... National legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society.

Despite this, many member states still allow for blanket data retention. A report from Privacy International last year identified those that had yet to update national laws so that they were in line with the CJEU's decisions.

"We have found that at least 17 EU Member States still implement national measures mandating general and non-targeted bulk data retention, thus directly infringing the CJEU's interpretation of data retention law," the letter stated.

Privacy International said that it was "concerned by attempts by some member states to circumvent the jurisprudence of the CJEU", and the lack of transparency offered by nations, as they "continue to discuss behind closed doors how to address the implications" of the rulings.

In addition to raising concerns about the practice, groups in 11 member states have gone one step further and filed complaints against those governments – which includes the UK – to the commission, calling on it to refer the nations up to the CJEU, "which should logically strike down all current data retention national frameworks".

In the UK, the complaint has been filed by Privacy International, the Open Rights Group and Liberty, with the latter's advocacy director Corey Stoughton saying the government "knows full well that it'’s breaking the law".

She added: "Every single day intelligence agencies collect details of thousands of our calls and messages in arrogant defiance of the courts. By invading our privacy they undermine our free press, our freedom of speech and our ability to explore new ideas."

The UK government is in the process of redrafting Part 4 of its Investigatory Powers Act, which relates to retention of communications data, having been told most recently by the High Court in April that it does not comply with EU law.

Both Liberty and Privacy International have a number of cases against the government's spy regimes, including on other parts of the IPA, with some of these still waiting a decision from the CJEU.

The member states in which complaints have been filed are: Belgium, Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden and the UK.

The other countries that have been identified as still collecting bulk data are: Austria, Bulgaria, Croatia, Cyprus, Hungary, Luxembourg and Slovenia. ®