The European Court of Justice (ECJ) has declared the 2006 Data Retention Directive retroactively "invalid", citing infringement on rights to privacy and protection of personal data.
Issued in the wake of the London and Madrid bombings, the law obliged telecoms companies to retain metadata for six months to two years, and make it available to police upon request.
The supreme courts of Ireland and Austria requested that the ECJ rule on the issue after Digital Rights Ireland and the province of Carinthia brought cases against the respective countries for implementing the directive.
Thomas McIntyre, chair of Digital Rights Ireland, said: "This is the first assessment of mass surveillance by a supreme court since the Snowden revelations. The ECJ's judgement finds that untargeted monitoring of the entire population is unacceptable in a democratic society."
Noting that metadata can include the time, place and recipient of a communication, as well as the frequency of contact between two parties, the court said that the habits of everyday life could be deduced from it.
It added that the fact the user was not informed about it could lead to a feeling that "private lives are the subject of constant surveillance", a sore issue in much of Europe after extensive American and British spying programmes were revealed last year.
Civil liberties advocate Privacy International said: "If the Data Retention Directive fails to meet the requirements of human rights law, then the mass surveillance programs operated by the US and UK governments must equally be in conflict with the right to privacy."
In further criticism, the court highlighted the directive's lack of focus towards its ostensible objective of fighting crime, as well as its failure to outline what circumstances justify accessing the data and the lack of prior review by an independent judiciary.
The court was also dissatisfied with the safeguards in place to protect data being used illegally, noting there was no requirement in the directive that data remain within the EU.