Europe's highest court has issued a preliminary finding that would limit the ability of member states to use national security or the fight against terrorism to sidestep European Union data privacy laws.
The legal opinion will have major implications for the debate over how far security and spy agencies can oblige private companies to hold on to the personal data of consumers and citizens.
It could also complicate the EU and UK's efforts to work out a data protection agreement after Brexit, once the UK is out of the EU's data protection regime.
A European Court of Justice (ECJ) advocate general issued an opinion which would limit the right of national security agencies to force telecoms companies and internet providers to retain the personal data of users.
Advocate General Campos Sánchez-Bordona said that a national court could permit its security agencies to force telecoms to retain personal data only "on an exceptional and temporary basis" and only if it was justified by "overriding considerations relating to threats to public security or national security."
The preliminary ruling is a direct challenge to member states who have long argued that national security and terrorism concerns should mean intelligence and police authorities are exempt from EU data protection rules.
With the rise of the internet and the potential use of technology by terrorist groups, security agencies have routinely obliged telecoms companies and internet providers to retain the personal data of consumers and citizens for a period of time.
This has led to a number of cases being taken to national and later European courts by privacy campaigners.
The issue has also led to court action regarding the transfer of personal data by hi-tech giants Facebook and Google from Europe to the United States.
Austrian activist Max Schrems fought a seven-year legal battle against Facebook, arguing that US intelligence agencies have routinely used the data of EU citizens, transferred by Facebook to the US, for surveillance purposes.
The ECJ has in several recent cases curtailed the right of national security agencies in Europe to oblige companies to engage in the "indiscriminate" retention of personal data.
Today's opinion states that EU data protection rules already exclude certain activities relating to national security.
Such activities are carried out by public authorities and do not oblige telecoms companies and internet providers to hold on to citizens' data.
The opinion holds that when such companies are under an obligation from law enforcement agencies, the activities in question are "brought … into an area governed by EU law."
Such EU laws afford citizens the protection of privacy, which can be enforced against private companies.
The data privacy directive still applies "irrespective of whether those obligations are imposed on such providers for reasons of national security," the advocate general held.
The legal opinion is not binding on the court, which will issue its full ruling later. In 80% of cases an advocate general's opinion is upheld by the full court.
Industry observers say this is the latest in an ongoing battle through the European courts which pits the jealously guarded member state competence of national security against advocates of greater privacy for citizens in the digital sphere.
"The court keeps saying (to member states) you can't keep obliging electronic providers to retain data systematically for everything," says one source. "It has to be targeted. There has to be some kind of exigency."
The source adds: "As far as the EU is concerned, there is no competence for national security. But what the advocate general is saying is that where that becomes an obligation for companies that are operating within the internal market then it becomes an EU problem as well."
The EU and UK are hoping to negotiate a so-called "adequacy" agreement on data protection by the end of this year, since after Brexit the UK will be leaving the EU's data protection regime, the General Data Protection Regulation (GDPR).
The adequacy agreement would mean both sides recognising each other's data protection rules so that personal data can still flow between the UK and EU for commercial reasons.
However, if the advocate general's opinion is upheld by the full court, it could complicate that agreement, or leave it open to legal challenge.
That is because an ECJ ruling that restricts the rights of national security agencies to force internet providers to retain data would set a potentially higher standard of data protection in the EU compared to the UK.
Privacy campaigners have long claimed that UK security agencies are just as prone to using data held by such companies to spy on citizens as their US counterparts.
Industry observers believe that unless the UK adheres to a new higher standard in the EU, any adequacy agreement struck between both sides would be open to legal challenge.
Today's opinion centres on four queries sent to the Luxembourg court by the judicial authorities in France, Belgium and the UK.