Article page checkbox is not checked in page info.
Towards new EU data retention rules
Towards new EU data retention rules
Silvia González Vidal and Hendrik Mildebrath, Members' Research Service
Issues at stake
-
Since the 2014 annulment of the Data Retention Directive by the Court of Justice of the European Union (CJEU) and despite judicial efforts to harmonise data retention practices across the EU, national data retention regimes remain fragmented. Member States have adopted divergent national regimes (or none at all) and efforts towards alignment have stalled.
-
Law enforcement and judicial authorities cite fragmentation as a source of operational challenges, while service providers refer to it as a source of compliance burdens.
-
While CJEU case law has established general data retention requirements, the finer details remain unsettled.
-
The European Commission is therefore assessing the need for a new EU framework, with a possible proposal expected in the near term.
-
Member States, EU agencies, civil society, and industry are divided over the scope of a new framework and necessary safeguards. The European Parliament is set to scrutinise any proposal closely for its compliance with fundamental rights.
Purpose statement
This European Parliamentary Research Service paper aims to inform Members on issues related to a forthcoming Commission initiative. It highlights the main choices which may shape the initiative and which Members may wish to explore ahead of formal Commission adoption. Based on documentary and other sources, it reflects the information available at the time of writing.
For further information on this topic, Members and staff of the European Parliament may contact the authors: Silvia González Vidal (silvia.gonzalezvidal@europarl.europa.eu ) and Hendrik Mildebrath (hendrik.mildebrath@europarl.europa.eu), EPRS.
This briefing is complemented by the EPRS briefing 'Renewed debate on a future EU data retention framework', which examines selected issues relevant to a potential future legislative proposal, and the earlier EPRS briefing 'Mapping CJEU limits on data retention frameworks', which provides an introduction to the CJEU's case law on data retention.
Developments and insights – European Commission
After years of reflection following the annulment of the EU Data Retention Directive in 2014, the Commission is now preparing a formal answer to the repeated calls by the Council1 for a new EU-wide data retention framework. In June 2023, the Commission launched and co-chaired the High-Level Group (HLG) on access to data for effective law enforcement. The experts largely agreed that 'a harmonised EU framework regulating the retention of metadata for law enforcement purposes is needed'. Following up on the group's recommendations, the Commission committed to launching an impact assessment with a view to updating the EU rules on data retention in its European internal security strategy (ProtectEU) and its Roadmap for lawful and effective access to data for law enforcement. In preparation for this impact assessment, the Security in the Digital Age Unit (HOME D4) within the Commission's Directorate-General for Migration and Home Affairs recently launched a call for evidence and a public consultation, with the support of Council. Originally, the Commission had planned to finalise the impact assessment in the first quarter of 2026, but the results have not yet been published. The Commission has suggested that it could present a proposal by the end of the second quarter of 2026, subject to a positive outcome from the consultation. While past Council documents indicated support for and openness to a legislative proposal, the prospects for such a proposal now appear more uncertain owing to reservations expressed by at least one influential Member State.
Why is the initiative important?
Law enforcement authorities increasingly rely on electronic data in the course of criminal investigations. This not only includes access to content data, but also to non-content data, such as subscriber information, internet protocol (IP) addresses, device location data, and records of the timing and duration of communications. Non-content data helps to identify suspects or victims, and to reconstruct the factual circumstances of a crime. However, the ability of authorities to access such information depends on whether the relevant data are available, presupposing that they have been retained by communications services providers.
National data retention frameworks
National data retention frameworks typically require communications services providers to carry out general or targeted retention of users' communications (non-content) data and allow national authorities limited or unlimited access to those data, often based on targeted requests. Generalised retention implies that all or the majority of categories of non-content data are retained without any differentiation, limitation, or exception being made. Targeted retention means that the retention of such data is limited, for instance, through temporal, personal, or geographical limitation criteria.
In 2006, the EU adopted the (meanwhile defunct) Data Retention Directive. The directive required providers to retain certain categories of communication traffic and location data for the investigation and prosecution of serious crimes. However, in 2014, the CJEU annulled the directive in its Digital Rights Ireland judgment (joined cases C-293/12 and C‑594/12). The Court held that the directive’s framework on general and indiscriminate retention of personal data constituted a disproportionate interference with the fundamental rights to privacy and data protection.
Since the annulment of the directive, the EU has lacked a common legal framework on data retention for law enforcement purposes. Member States have adopted different national approaches, varying in scope, types of data covered, retention periods and safeguards, while a few Member States have no data retention rules in place.2 While CJEU jurisprudence has settled general data retention requirements, the finer details remain uncertain.
| Data retained |
AT |
DE |
EE |
ES |
FR |
IE |
IT |
PL |
PT |
SI |
|---|---|---|---|---|---|---|---|---|---|---|
| Duration of the communication | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
|
Date and time of the communication | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
|
Data volume of the communication | √ | √ | X | √ | √ | X | √ | X | √ | √ |
| Missed calls (inc. number of rings) | √ | X | √ | √ | √ | √ | √ | √ | X | √ |
|
Start and end of the communication | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
|
Connection/disconnection from the service | √ | √ | √ | X | √ | √ | √ | X | √ | √ |
|
Type of communication (e.g. voice, SMS ...) | √ | √ | √ | √ | √ | √ | √ | X | √ | √ |
|
Type of network technology (e.g. Wi-Fi, 3/4G network) | X | X | √ | √ | √ | √ | √ | X | √ | √ |
|
Identifiers of the receiver(s) of a communication | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
|
Identifiers of the forwarded, routed or transferred receiver(s) | √ | X | √ | √ | √ | √ | √ | √ | √ | √ |
|
Identifiers of the attempted receiver(s) | √ | √ | √ | X | X | √ | √ | √ | X | √ |
Data source: European Commission and Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes - Final Report, Publications Office, September 2020.
| Data retained | AT | DE | EE | ES | FR | IE | IT | PL | PT | SI |
|---|---|---|---|---|---|---|---|---|---|---|
|
Location at the start of the communication (e.g. cell towers, Wi-Fi hotspots) | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
|
Location at the end of the communication (e.g. cell towers, Wi-Fi hotspots) | X | X | X | √ | √ | √ | √ | √ | X | √ |
Data source: European Commission and Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes - Final Report, Publications Office, September 2020.
A common data retention scheme could create a level playing-field and legal certainty for communications services providers, ensure consistent protection of end-users across the EU, and improve cross-border law enforcement investigations and cooperation. As consistently demonstrated by CJEU case law, data retention is also closely intertwined with data protection considerations. While data protection and freedom of expression are often viewed as competing with security objectives, they may well contribute to attaining them. Data protection rules can improve the reliability of datasets, improve certainty that admissibility standards for evidence are met, facilitate cross-border data sharing through trust in equivalent standards, and simplify handling of datasets from different countries in a single investigation. By contrast, digital rights advocacy organisations, led by European Digital Rights (EDRi), oppose the adoption of a new EU data retention framework on the grounds that (i) law enforcement authorities can already access an ample amount of data collected by communications providers, (ii) there is insufficient evidence that data retention frameworks significantly improve law enforcement outcomes, (iii) less intrusive yet equally effective investigative methods are available, and (iv) existing mechanisms would sufficiently facilitate cross-border cooperation between law enforcement authorities.
Member States and interested parties' opinions
Member States' positions
In May 2025, the vast majority of Member States expressed support – or at least openness – to a harmonisation of data retention rules at EU level. However, many Member States signalled that their support was subject to reservations. They noted that a future legislative proposal would 'have to provide sufficient tools and leave the necessary margin of discretion … while at the same time respecting fundamental rights and the case-law of the CJEU'. They considered that a directive laying down minimum rules would be the appropriate legislative instrument.
Most Member States reaffirmed their support for future EU legislation during an exchange of views in September 2025. The majority of Member States stressed the need to remain within the limits set by the CJEU, while some argued that a future framework should go beyond codifying the case law and reassess necessity and proportionality in the light of technological developments and evolving crime patterns. The 15 Member States responding to a 2025 Presidency of the Council of the EU survey supported EU rules for over-the-top (OTT) providers, viewed targeted retention as insufficient, and agreed that national security should remain outside EU law. By contrast, views diverge on including criteria to target the collection of traffic and location data, on appropriate retention periods, on the definition of serious crime (combating which may legitimise the targeted retention of traffic and location data), and on the rules and conditions to access retained traffic and location data. These and other controversies will be examined in greater detail in a parallel briefing entitled 'Renewed debate on a future EU data retention framework'.
Calling for a more permissive regime
A group of Member States advocates a more permissive regime, often expressing frustration with the constraints imposed by CJEU case law. France strongly contested the CJEU’s interpretation, viewing its strict privacy standards as incompatible with national security imperatives. However, in the context of retaining and accessing IP addresses to identify copyright infringers and impose enforcement measures, a recent judgment of the French Council of State signals convergence with CJEU standards. Slovakia has argued that the current legal environment places a disproportionate emphasis on privacy at the expense of fundamental rights of crime victims. Estonia contended that the targeted retention alternatives suggested by the Court are technically impractical and fail to meet investigative needs.
Prioritising compliance with case law
By contrast, other Member States approach a new framework with caution. With no mandatory data retention in force since 2010 due to constitutional challenges, Germany has historically supported an EU approach that is fully compliant with the EU Charter of Fundamental Rights. However, while the previous coalition government favoured a 'quick freeze' model (preserving data only upon suspicion), the current Federal Cabinet has adopted a legislative proposal that would require internet access providers to store IP addresses for three months , in line with the government coalition agreement. Austria, Romania, Slovenia, and the Netherlands currently have no general mandatory data retention laws for criminal investigation purposes, relying instead on data preserved for business purposes or specific preservation orders, though the Netherlands has become vocally supportive of a new EU-wide regime to resolve domestic legal uncertainty.3
Council Presidency efforts
Recent Council Presidencies support harmonisation as part of their strategic approaches. The 2025 Danish Presidency announced it would 'focus on access to data for effective law enforcement and the obligations of providers to process data for law enforcement purposes'. The 2026 Cyprus Presidency included 'strengthening law enforcement capabilities and cooperation among Member States and EU Agencies, tackling transnational and organised crime, and addressing new threats stemming from technological developments' in its priorities.
Stakeholder views
In a 2025 joint report on the common challenges in cybercrime, the European Union Agency for Criminal Justice Cooperation (Eurojust) and the European Union Agency for Law Enforcement Cooperation (Europol) emphasised that legal uncertainty resulting from the invalidation of the Data Retention Directive still hinders the availability of data for investigations. In particular, the two agencies warn that traffic data are routinely deleted before requests from law enforcement authorities are received, which can delay or derail investigations and weaken cross-border cooperation in the absence of a common EU data retention framework.
The European Data Protection Board (EDPB), in response to the HLG's recommendations, supported the prospect of a harmonised EU-wide data retention regime, stressing that any such framework must strictly adhere to CJEU case law. The EDPB cautioned against imposing retention obligations on all current and future data handlers, noting that such an approach may amount to blanket retention requirements and to mass surveillance. In addition, the EDPB stressed that the CJEU's reasoning in the La Quadrature du Net II ruling (case C-470/21), justifying the general retention of IP addresses, cannot be used to justify wider retention of other types of revealing data such as traffic and location data.
In their submission to the Commission’s call for evidence in June 2025, Connect Europe and GSMA, representing telecom and online-service providers, highlighted significant concerns about the fragmentation of data retention regimes across Member States and the resulting legal uncertainty regarding compliance with CJEU case law. They also emphasised the operational and financial burdens of general and long-term data retention obligations, called for a cost-compensation mechanism and urged regulatory flexibility, particularly in relation to technical implementation.
Similarly, Microsoft 4 welcomed efforts to establish a harmonised EU framework, but stressed that any new regime must respect fundamental rights, reflect technical constraints and be strictly limited to what is necessary for the investigation and prosecution of serious crime. It further argued that retention obligations should be limited to basic subscriber information and traffic data already held by providers and potentially require exemptions for small and medium-sized enterprises (SMEs) and business to business (B2B) providers where obligations would be disproportionate.
Civil society organisations, by contrast, oppose a new EU-wide framework on data retention that would oblige electronic communications providers to retain extensive volumes of communication traffic and location data beyond what is strictly necessary for service provision or billing purposes. Instead, digital rights organisations led by EDRi urged the Commission to focus on enforcement efforts, in particular by initiating infringement proceedings against those Member States whose data retention regimes do not comply with CJEU jurisprudence.
European Parliament views
Parliament has continually advocated a high level of data protection in legislative and non-legislative procedures. In view of the (at the time) 28 different legal frameworks on data retention, Parliament adopted a resolution in December 2018 urging the Commission to evaluate a new legislative proposal on data retention that upholds the principles of purpose limitation, proportionality and necessity. Two years later, Parliament focused its attention on compliance. In its November 2020 resolution, it called on the Commission to initiate infringement proceedings against Member States that had failed to repeal national transposition acts ensuing from the annulled Data Retention Directive. In its resolution of March 2021, Parliament urged the Commission to apply the conclusions of the CJEU case law, including La Quadrature du Net I (joined cases C‑511/18, C‑512/18 and C‑520/18) and Privacy International (case C‑623/17) rulings, to all reviews of adequacy decisions as well as ongoing and future negotiations. In the context of the Pegasus spyware scandal, Parliament set up a committee of inquiry and, in its recommendation of June 2023, derived key standards for spyware surveillance operations from CJEU case law relating to data retention.
Future debates within the European Parliament are likely to reflect the recurring tension between the demand for robust safeguards and strict respect for fundamental rights, on the one hand, and the pressure to respond to the operational needs of law enforcement and judicial authorities in an increasingly digital environment, on the other. Any Commission proposal would be subject to close parliamentary scrutiny, particularly regarding the scope of retained data, the strength of safeguards and remedies, and the overall compatibility of the framework with the EU Charter of Fundamental Rights and CJEU case law.
References
- H. Mildebrath and S. González Vidal, Mapping CJEU limits on data retention frameworks, Briefing, EPRS, July 2025
- Council Presidency, Presidency Outcome Paper - Future rules on data retention in the European Union, November 2025
- Council Presidency, Future rules on data retention in the European Union - Compilation of comments, October 2025
- Council Presidency, Future rules on data retention in the European Union - Presidency Paper, September 2025.
- General Secretariat of the Council, Data retention - Situation in Member States, April 2019
- European Commission, Evaluation report on the Data Retention Directive (Directive 2006/24/EC), COM(2011) 225 final, April 2011
- Eurojust and EJCN, The effect of Court of Justice of the European Union case-law on national data retention regimes and judicial cooperation in the EU, Report, November 2024
- European Commission and Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes - Final Report, Publications Office, 2020
- M. Mattera, Data Retention, Cullen International, July 2025
- E. Kosta and I. Kamara, Data Retention in Europe and Beyond, Oxford University Press, pp. 117-294
- M. Zubik et al., European Constitutional Courts towards Data Retention Laws, Springer, 2021
- H. Mildebrath and S. González Vidal, Renewed debate on a future EU data retention framework, Briefing, EPRS, June 2026
Endnotes
Classification
Policy areas: Area of Freedom, Security and Justice | Democracy
Committees: Legal Affairs (JURI)
Disclaimer
This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament.
Copyright
© European Union.
The reuse of this document is authorised under a Creative Commons Attribution 4.0 International (CC-BY 4.0) licence.
https://creativecommons.org/licenses/by/4.0/deed.en
To use or reproduce elements that are not owned by the European Union, permission may need to be sought directly from the respective rightsholders.