Article page checkbox is not checked in page info.
Renewed debate on a future EU data retention framework
Renewed debate on a future EU data retention framework
Hendrik Mildebrath and Silvia González Vidal, Members' Research Service
Summary
Although the Court of Justice of the European Union (CJEU) continued developing EU data retention standards after invalidating the former EU Data Retention Directive in 2014, national interpretations diverge and efforts towards alignment have stalled. Law enforcement and judicial authorities report operational challenges arising from this fragmentation, sometimes precluding timely access to communications-related data necessary for identifying suspects and victims, reconstructing criminal activity, and generating investigative leads.
In response to these issues and to calls from the Council, the European Commission is assessing the need for a new EU framework. Any legislative action would require a series of politically and legally sensitive design choices. Controversy may arise in relation to the legitimacy and appropriate scope of renewed EU legislative intervention; the operationalisation of the CJEU's system of graduated objectives and safeguards; the adequacy of retention periods; the design of access conditions and safeguards; and, possibly, the need to regulate automated processing of retained datasets.
This briefing builds on the overviews provided in the EPRS briefings 'Towards new EU data retention rules' and 'Mapping CJEU limits on data retention framework'.
Introduction
Since the CJEU annulled the 2006 EU Data Retention Directive in its landmark Digital Rights Ireland judgment in 2014 (joined cases C-293/12 and C-594/12), the EU has lacked a common legal framework governing the retention of electronic communications data for law enforcement purposes. Although the CJEU has progressively clarified constitutional limits on data retention under the e-Privacy Directive, the finer details remain unresolved, national interpretations diverge, and efforts towards alignment have stalled. Some Member States lack retention obligations altogether, while in others the scope, conditions, and safeguards for retaining data and accessing it vary significantly.
This legal fragmentation has generated growing concern among both public authorities and private actors. Law enforcement authorities argue that inconsistent national frameworks create operational obstacles for criminal investigations and hinder effective cross-border cooperation. By contrast, communication services providers point to significant compliance burdens and legal uncertainty arising from the coexistence of multiple national systems.
Source: Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes, European Commission, September 2020, p. 112.
Against this backdrop, the European Commission is now actively assessing the need for a new EU-wide framework on data retention. Following repeated calls from the Council for an EU data retention framework, the Commission established the high-level group on access to data for effective law enforcement in 2023, whose experts broadly concluded that a harmonised EU framework regulating the retention of metadata for law enforcement purposes is needed. Building on these recommendations, the Commission announced, in both its ProtectEU Internal Security Strategy and its Roadmap on lawful and effective access to data for law enforcement, that it would launch an impact assessment with a view to updating EU data retention rules. The Commission is currently assessing the feedback collected in the respective call of evidence and public consultation. In an update to the Council at the end of last year, the Commission indicated that it planned to finalise the impact assessment by the first quarter of 2026 and that a legislative proposal could follow by the end of the second quarter of 2026, subject to the outcome of the consultation process. While past Council documents indicated support for and openness to a legislative proposal, the prospects for such a proposal now appear more uncertain owing to reservations expressed by at least one influential Member State.
Background
The renewed push for an EU data retention framework reflects the central role that electronic communications data play in modern criminal investigations. Law enforcement authorities do not only rely on content data, but also on non-content or 'metadata' (including subscriber information, internet protocol (IP) addresses, traffic data, and location data) to identify suspects and victims, reconstruct criminal activities, and establish investigative leads. Access to such information by law enforcement authorities, however, presupposes that electronic communications service providers retain such data and provide them with access.
Data retention frameworks typically serve to oblige communications services providers to carry out general or targeted retention of users' communications (non-content) data and allow national authorities either limited or unlimited access to the data, often based on targeted requests. Generalised retention implies that all or the majority of categories of non-content data is retained without any differentiation, limitation, or exception. Targeted retention means that the retention of such data is limited, for instance, through temporal, personal, or geographical criteria.
Source: Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes, European Commission, September 2020, p. 50.
A common data retention scheme could create a level playing-field and legal certainty for electronic communications service providers, ensure consistent protection of end-users across the EU, and improve cross-border law enforcement investigations and cooperation. As consistently demonstrated by CJEU case law, data retention is also closely intertwined with data protection, privacy, and freedom of expression considerations. While data protection and security do not categorically compete, the resurging debate on the legitimacy and design of EU intervention suggests that fundamental tensions and diverging interpretations will resurface.
Any legislative intervention would require a series of politically and legally sensitive design choices, some of which would likely face pushback from stakeholders. Controversy may arise in relation to justifying a renewed EU legislative intervention; defining the appropriate personal and material scope of retention obligations; operationalising the CJEU's hierarchy of objectives; harmonising retention periods; preserving access to commercially retained data; the design of access conditions and safeguards; and, possibly, regulating the use of algorithmic analysis or automated processing of retained or retainable data.
Issues to watch
Legitimacy of renewed EU legislative intervention
While anecdotal evidence is often criticised for lacking representativeness, robust quantitative evidence demonstrating the effectiveness of data retention regimes remains limited, if not absent altogether. This evidentiary gap is often invoked to challenge the necessity or proportionality of data retention rules and to support calls for more stringent transparency and reporting obligations.
Already in 2005, a broad range of stakeholders, including civil society organisations and regulators, challenged the necessity of the past Data Retention Directive, pointing to a lack of supporting evidence. In its 2011 Member State consultation on the envisaged revision of the former Data Retention Directive, the Commission acknowledged a continued perception that there was limited evidence of the value of data retention for law enforcement and public security purposes by itself, or in comparison with alternative investigative methods.
More recently, a 2020 study for the European Commission concluded that law enforcement respondents 'were unable to provide precise and reliable statistics on the number of cases for which non-content data were determinative evidence during investigations and prosecutions', although qualitative interviews suggested an indirect value of data retention in some cases.
A first academic study published in 2026 examined the impact of data retention on crime prevention across 11 Member States over 2000-2019. It reports a lagged but significant reduction in aggregate crime rates after the introduction of a retention scheme, with effects appearing only after at least one year and strengthening over time. However, the crime-reducing effect of data retention schemes appears to be caused by deterrence (perception of surveillance) rather than incapacitation (arrests and prosecution).
In a similar vein, CJEU and European Court of Human Rights (ECtHR) case law do not so far refer to quantitative evidence but recognise that proportionate data retention may be necessary for effective law enforcement. In Škoberne v Slovenia (2024), the ECtHR explicitly stated 'Although this point has not been demonstrated by any empirical data, the Court has no doubt that the tracing of telecommunications traffic … could be of considerable importance for effective law enforcement and effective public security measures'.
Box 1– A constitutional obligation to adopt a data retention framework?
The CJEU has recognised that positive obligations may arise under the Charter of Fundamental Rights of the European Union, requiring public authorities to adopt measures to safeguard private and family life and/or an individual's physical and mental integrity – a position also acknowledged by the 2025 Danish Council Presidency. However, whether this amounts to an actual obligation to establish a data retention framework remains unsettled, but is likely to arise only in exceptional circumstances. While one academic argues that the complete abandonment of data retention could breach a state's positive duty to protect life, physical integrity and individual freedom, others contend that no such constitutional obligation can be assumed, given the wide margin of appreciation afforded to legislatures and the limited empirical evidence of effectiveness. If EU lawmakers were to legislate, voluntarily or not, they would have to balance competing rights and interests in accordance with Article 52(1) of the Charter.
Additionally, civil society organisations and academics have repeatedly suggested that the preservation of and access to commercially retained data (through 'expedited retention orders' or 'quick freeze') would offer a more privacy-preserving alternative, thereby calling into question the necessity of indiscriminate data retention. Most Member States permit such re-use of commercially retained data and some Member States have used it as a stop-gap measure in the absence of a broader data retention scheme. However, Member States and their authorities maintain that divergences in the scope of quick freeze powers and in the duration and categories of commercially processed data,1 limit the effectiveness of this law enforcement tool. Nevertheless, several Member States expressed interest in maintaining the possibility of accessing metadata that providers already store should a new framework be adopted. Besides quick freeze, alternatives to data retention, such as login traps, are being discussed.
Excluding data retention for national security from EU law
Member States have signalled that, in contrast to the current situation under EU data protection and privacy laws, they would prefer to exempt all national data retention measures adopted for national security purposes from the scope of EU law. To advance towards this outcome, Member States might suggest excluding data retention for national security purposes from the scope of any future data retention framework, the existing e-Privacy Directive, and other applicable secondary laws, such as EU data protection rules. This would reduce the cases in which Member States are 'implementing Union law' within the meaning of Article 51(1) of the Charter, and thereby narrow the scope of the data retention scenarios to which the Charter applies.
Nevertheless, this does not imply that data retention measures would fall entirely outside the scope of supranational judicial review. Data retention for national security purposes may still be subject to control by the European Court of Human Rights. Additionally, the CJEU has shown a clear willingness to defend the reach of fundamental rights and may do so incidentally when assessing whether national data retention measures unduly restrict treaty provision. In line with Mayer, Schlikker, Bäcker/Moini, and Boehm/Cole, the CJEU may consider that national mass surveillance programmes and data retention schemes interfere with the EU's fundamental freedoms and, by extension,2 the Member States would have to comply with EU fundamental rights. Ewer/Thienel oppose this notion.
Given the uncertain effectiveness of this approach in limiting supranational judicial review – the fact that similar efforts presented a major sticking point in the negotiations on the now withdrawn e-Privacy Regulation proposal, and the likelihood of strong opposition from civil society organisations – the costs, benefits, and design of this approach would require careful consideration. Critics may argue that excluding national security-related data retention from the scope of EU secondary law risks diminishing opportunities for supranational oversight and judicial review, raising concerns over accountability, transparency and the risk of disproportionate surveillance.
Operationalising the CJEU's system of graduated objectives and safeguards for retaining traffic and location data
The CJEU has ruled that legislative and administrative measures may require the retention of traffic and location data that can reveal sensitive information only to combat serious crime, or pursue certain objectives of equal or greater importance, and only where proportionate safeguards are guaranteed. Traffic and location data can be retained indiscriminately for safeguarding national security. By contrast, measures requiring the retention of traffic and location data to combat serious crime must ensure, on the basis of objective and non-discriminatory criteria, that only strictly necessary and relevant data is retained. The Court found that this could be achieved by targeting the retention of data through temporal, personal, geographical or other distinctive limitation criteria. In line with the principle of proportionality, traffic and location data retained for combating serious crime can also be used to pursue objectives of greater importance such as safeguarding national security. Each tier must include appropriate safeguards, with the level of protection varying by objective and intrusiveness (graduated system of safeguards).
Managing divergent notions of national security
Should the Member States fail to exclude data retention for national security purposes from the scope of any future EU data retention framework and related secondary law (see section above), issues may arise as to Member States' diverging notions of national security and the outer limits of their prerogative to define national security under EU law. This is exemplified by the expansive interpretation of national security in France. L. M. Landerer holds that France is 'creatively exploiting' the requirement of pursuing objectives of national security to indiscriminately retain data, with the Public Prosecutor continuously affirming such a threat since 1994, effectively turning general data retention into the rule rather than the exception. The French Council of State and the Court of Cassation considered this approach to be legitimate. Disagreement on whether the French approach complies with CJEU case law persists.
Circumscribing the notion of serious crimes
The CJEU has clarified that the retention of traffic and location data capable of revealing sensitive information is permissible only for the purpose of combating serious crime or pursuing certain objectives of equal or greater importance, and only where such retention is targeted and subject to additional safeguards. The Court also specified that it is generally for the Member States to define serious crimes, but that they may not distort the concept by including within it offences which are manifestly not serious. Where serious crime is mentioned at EU level, it differs from one instrument to another. The EU legislator usually delimits serious crime by the nature, severity and punishment of the crime.
Most Member States responding to a 2025 Council Presidency survey agree that the EU data retention regime relating to traffic and location data could be limited to the purpose of combating serious crime, but diverge on how the category of 'serious crime' should be circumscribed (see Table 2 below). While some advocate a catalogue of specific categories of crimes, others favour a case-by-case approach that permits data retention whenever the investigative benefits are sufficiently great to outweigh the privacy impact as mitigated by the applicable safeguards. Member States consider that a range of crimes – including crimes against the person, economic and financial crimes, as well as crimes against the state and public safety – would qualify as serious. Others refer to the categories enumerated in Article 12(1)(d) in conjunction with Annex IV of the e-Evidence Regulation. Some also advocate that online crimes like stalking and hate speech should be covered. They contend that, despite moderate penalties, these crimes risk de facto impunity without improved access to data for investigations.
Ensuring that retention of sensitive traffic and location data is appropriately targeted
To align with CJEU case law, Member States have introduced different forms of targeted retention, but thresholds and criteria vary considerably. According to the European Union Agency for Criminal Justice Cooperation (Eurojust) and the European Judicial Cybercrime Network (ECJN), while general limitations such as restricting retention periods do not qualify as targeting conditions as interpreted by the CJEU, some Member State authorities have nonetheless considered 'their data retention regime to be targeted by virtue of these general limitations'. G. Robinson argues that only a small number of Member States have enacted or proposed national targeted data retention regimes. Experts disagree over whether these approaches risk circumventing targeting requirements and effectively turning the exception of general data retention into the rule. European Digital Rights (EDRi) suggests that Belgium and Denmark 'have adopted legislation on targeted data retention, but the measures in both countries are in fact general and indiscriminate data retention in disguise'.
In relation to a possible EU-level data retention framework, Member States responding to a 2025 survey by the Council Presidency raise three main concerns that targeted retention may (i) undermine the effectiveness of law enforcement investigations, (ii) create significant technical and operational challenges, and (iii) give rise to constitutional issues. Instead of firmly committing to CJEU targeting standards, they propose designing 'a system that allows for an adequately graduated and differentiated retention regime, with limitations defined in terms of data categories and retention periods, accompanied by strengthened security requirements and strict access rules and purpose limitations, user information, complaint mechanisms and legal remedies as well as general oversight'.
The high-level group flagged similar concerns. Some experts suggested focusing on targeting access instead of retention. By contrast, the Meijers Committee strongly opposes this view as it would be contradictory to the limits set by the CJEU. Safeguards on access would not compensate for a lack of safeguards in the initial data retention.
Is the CJEU out of touch with reality?
A 2023 report by the French Senate's Committee of Laws noted that some stakeholders attributed the CJEU's case law on data retention to an insufficient appreciation of operational realities by judges in Luxembourg. The rapporteurs questioned this explanation, noting that in the Court's most significant data-retention cases approximately 20 Member States had submitted observations outlining the practical constraints and operational requirements of their law-enforcement and intelligence services.
Conditions permitting the indiscriminate retention of IP addresses
The La Quadrature du Net II (LQDN II) judgment (case C-470/21) has prompted a debate over whether and under which circumstances the retention of source IP addresses can be considered as a non-serious interference permitting their general retention for detecting and prosecuting ordinary crime.3 In prior case law, the CJEU had determined that retaining IP addresses generally constitutes a serious interference if combining such data with other contextually available information could reveal sensitive private life details. On that basis, retention of IP addresses was considered justifiable only for combating serious threats or for certain objectives of equal or greater importance (e.g. safeguarding national security). However, the subsequent LQDN II judgment confirmed that cases exist where retention arrangements rule out sensitive private life insights, rendering IP addresses generally retainable for identifying and prosecuting copyright infringements. This would require that Member States prescribe specific legal, organisational, and technical measures, including the watertight separation of the different categories of data retained.4
The design of any future EU data retention framework would depend on whether LQDN II and earlier judgments are read as broadly permitting the indiscriminate retention of source IP addresses. Some classify the LQDN II judgment as a doctrinal turnaround, while others suggest that it merely nuances previous jurisprudence, and yet others view it as a context-specific judgment limiting its precedential value. M. Maurer and E. Tuchtfeld argue that the CJEU failed to adequately consider the severity of the interference and its necessity in light of less intrusive alternatives, suggesting that the judgment should not serve as a blueprint for a future EU data retention law, or only with careful nuance. M. Rojszczak shares the view that the interference is serious, arguing that the CJEU did not sufficiently consider authorities' potential to combine data and draw inferences and questioning whether TOR5 users' IP addresses are truly low-sensitivity data.6 By contrast, the Bavarian State Minister of the Interior, for Sport and Integration, Joachim Herrmann, supports the CJEU's proportionality assessment in LQDN II and considers that 'quick freeze' is not a viable alternative. He considers that the threat levels have changed in Europe and that the compulsory retention of IP addresses would be compatible with Union law.
The European Union Agency for Law Enforcement Cooperation (Europol) and Eurojust as well as the high-level group suggest retaining both IP addresses and port numbers. EDRi flags that this may lead to potentially serious interference with the right to privacy. The German government envisages partially storing port numbers at a national level.
Retention periods
According to CJEU case law, the retention period of traffic and location data must be limited in time to what is strictly necessary by clear and precise rules. If justified, the retention period may be extended. Data retention periods vary across Member States and depend on the type of data retained. A controversial example involves Italy, which maintains an expansive regime with a de facto 72-month retention period of traffic data for serious crimes of particular social concern (particolare allarme sociale). Despite disproportionality concerns raised by the Italian Data Protection Authority and some academics for failing to meet the CJEU's requirement of strict necessity, the Italian Court of Cassation has repeatedly held that the measure complies with the principle of proportionality, since the regime 'limits the duration of storage and entrusts the judicial authority with the effective control'.
Member States generally recognise that uniform retention periods across the EU enhance predictability and facilitate cross-border investigations, while reducing the risk that criminals exploit shorter retention periods in certain Member States. Most Member States support retention periods of around one year and, in any event, no less than six months. Some favour longer periods for complex investigations or serious crimes, while others prefer to set only a minimum mandatory period. There is also openness towards establishing an EU framework setting a range of minimum and maximum retention periods, providing flexibility for national needs, 'taking into account the type of data, their relevance to specific crime areas, the technical capabilities of service providers, and the practical needs of law enforcement'.
The Commission's 2020 study suggested that law enforcement authorities most frequently request data that is up to one year old in Member States with mandatory retention regimes, and data three to six months old in those without such regimes. Statistics disaggregated by age of data requested were only available for Estonia and Germany. Despite very different data retention frameworks, the figures indicate that most requests in these countries concern non-content data that are up to six months old (calculated from the moment the data are generated and retained by electronic communications service providers, e.g. when the communication took place, up to the point that the data are requested by law enforcement authorities). Some law enforcement authorities support longer data retention periods for certain crimes, such as cybercrime, child sexual abuse material offences, and fraud, because these crimes are often detected only much later. In its call for evidence, the Commission suggested that 'different legislative solutions might be designed depending on the non-content data to be retained in conjunction with the crime to be pursued'.
The 2011 evaluation of the former Data Retention Directive drew similar conclusions: the Commission signalled it would consider different periods for different categories of data and different categories of serious crimes in possible reform efforts, but these were superseded by the CJEU's invalidation of the directive. At the time, quantitative data from Member States suggested that when law enforcement first requests access, around 90 % of the retained data are six months old or less, and around 70 % are three months old or less.
| Data retention periods | Quick freeze periods | |
|---|---|---|
| DE | Service term and an additional one year after termination for subscriber data.7 Other data retention obligations have been disapplied.* | N/A*, but some argue that general criminal procedural rules could be leveraged |
| EE | 12 months* for specified subscriber, traffic, and location data8 | Unspecified9 |
| IE | 1 year retention of communications data by default, with up to 2 years allowed for some categories by ministerial decision, while telephony and internet metadata is capped at 12 months and can only be imposed under a High Court national security order.10 | 90 days for an ordinary preservation order and an emergency preservation mechanisms of 72 hours (extendable to 96 hours in exceptional circumstances) for telephony and internet metadata pending authorisation11 |
| ES | 12 months for specified subscriber, traffic, and location data. The retention period can be extended to 2 years or reduced to 6 months through an implementing regulation12 | 90 days, with a maximum extension of an additional 90 days13 |
| FR | 1 to 5 years, depending on the type of data, with the applicable period commencing upon different triggering events14 | Unspecified, but limited to what is necessary.15 |
| IT | 24 and 12 months for, respectively, telephone and telematic traffic data, and 30 days for unanswered calls.16 De facto 72 months (6 years) for telephone and telematic traffic data, when investigating organised crime and terrorism offences.17 | 90 days for traffic data, extendable up to a maximum of 6 months18 |
| AT | N/A19 | 12 months for specified traffic, access and location data20 |
| PL | 12 months for specified subscriber, traffic, and location data21 | 90 days for computer data held by telecommunication and electronic service providers22 |
| PT | 1 year for basic identity data and IP addresses. Traffic and location data may only be retained for what is strictly necessary and with prior judicial authorisation23 | 3 months, renewable up to 1 year, for computer data, including traffic data24 |
| SI | N/A | 30 days, extendable once to 60 days, for electronically stored data (including traffic data), and ends earlier if a court order is received25 |
Source: Authors' own elaboration. For additional information, see M. Mattera, National data retention laws, Cullen International, 15 April 2026 and the domestic equivalents to Article 16 of the Budapest Convention in the CoE Country Wiki. For the state of play in 2020, see the Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes, European Commission, September 2020, p. 52.
Note: * The German Federal Government tabled a proposal including a 3-month retention period for source IP addresses and certain port numbers as well as a quick freeze mechanism for up to 3 months concerning certain traffic and location data. Reportedly, Estonia is preparing a reform of its general data retention provision in response to Supreme Court rulings.
Conditions and safeguards for accessing retained data
The CJEU has ruled that the subsequent law enforcement authority access to data retained by providers presents a separate interference with fundamental rights from that of the retention itself. Consequently, such access must be subject to specific, access-related safeguards, which vary depending on whether traffic and location data or subscriber data are accessed.
The national framework for accessing non-content data varies among Member States, with a vast majority requiring (prior) judicial review for accessing traffic and location data. Many Member States limit their security authorities' access to traffic and location data held by electronic communications service providers to the purposes of combating serious crime, qualified threats to public security, or ICT-facilitated crimes. By contrast, basic subscriber data can usually be accessed for investigating ordinary crimes.
There is no uniform definition of 'serious crime' across Member States. Instead, they operationalise this threshold through different legal mechanisms, for instance by prescribing minimum custodial sentences and by limiting access to an enumerated catalogue of offences classified as serious. In some cases, the restriction also arises indirectly from the security authority's limited mandate, which covers only specific offences or security threats. The types of subscriber, traffic, and location data retained and accessible to authorities vary across jurisdictions. In Austria, authorities exercising security police functions are exempt from the serious crime threshold for accessing certain traffic and location data in specifically defined cases. Poland does not provide for a serious crime threshold, but suggested it would consider reforms. Other relevant access conditions include the degree of suspicion and proportionality requirements.
| MS | Types of crime |
|---|---|
| DE | Serious crime threshold and/or telecommunications-facilitated crime for accessing traffic and location data, but not for accessing subscriber data.* However, the domestic obligation to generally retain traffic data is disapplied in light of CJEU case-law and no quick freeze mechanism exists, so seeking access is limited to what is processed for commercial purposes.26 |
| EE | Fixed catalogue of largely serious offences and dynamic proportionality threshold for accessing retained data, but not for accessing basic identity data.27 |
| IE | State security threshold for accessing user, traffic, and location data ('Schedule 2 data'); serious crime threshold for accessing internet source data (including dynamic and static IP addresses); ordinary crime threshold for accessing user data.28 |
| ES | Serious crime threshold for accessing retained subscriber, traffic, and location data.29 It is suggested that subscriber identifying-data that is not retained under Data Retention Law 25/2007 can be accessed for ordinary crimes.30 While identification and location data that are linked to IP addresses and that are not retained under Data Retention Law can be accessed to investigate crimes committed on the internet, it remains uncertain whether the investigation of ICT-facilitated crimes can justify access to traffic data.31 The logic of the Data Retention Law seems to apply to access by the National Intelligence Centre.32 |
| FR | Serious crime threshold for access to traffic and location data (with a lower custodial threshold of one year for communications network-facilitated crime). Access to civil identity data and to contract, payment and account data by criminal justice authorities under the Code of Criminal Procedure is not subject to such a threshold. Access by customs, tax, and intelligence officers to retained data depends on the investigation of enumerated offences or on the service's remit.33 |
| IT | Serious crime threshold for accessing telephone and telematic traffic data and data relating to unanswered calls retained under the data retention provision, but not for subscriber data.34 Uncertainty remains as to whether authorities may access traffic data under the (apparently) more permissive seizure regime, especially where the data are not processed in compliance with a retention obligation but for other purposes such as commercial purposes. |
| AT | Serious crime threshold for accessing traffic and location data (with a lower custodial threshold of 6 months where the owner/user of a device that received or transmitted content approves the disclosure by the provider). Authorities exercising security police functions are, subject to specific conditions, exempt from these requirements for accessing certain traffic and location data. No crime threshold for accessing subscriber data.35 Absent data retention obligations, access is limited to commercially processed data and data preserved in accordance with quick freeze orders. |
| PL | No serious crime threshold*36 |
| PT | Serious or telephone-facilitated crime threshold for access by law enforcement authorities to subscriber, traffic, and location data retained under the data retention obligation. By contrast, non-traffic computer metadata that is not processed pursuant to those obligations, including where processed for purely commercial purposes, may be accessed for the investigation of ordinary offences under the cybercrime regime.37 |
| SI | Catalogue of largely serious crimes for accessing retained and future traffic data, but not for access to subscriber data.38 Absent data retention scheme, this concerns data processed for commercial reasons or in response to a quick freeze order.39 |
Source: Authors' own elaboration. For the state of play in 2020, see Milieu, Study on the retention of electronic communications non-content data for law enforcement purposes, European Commission, September 2020, p. 72, for a detailed overview, see Table 20 in Annex III, pp. 164-166. For convenience, the legal bases for accessing retained data by non-law enforcement authorities such as administrative authorities responsible for investigating market abuse are included in the footnotes.
Note: *The German Federal Government has tabled a draft proposal that would reduce the threshold for accessing retrograde location data to serious crimes and permit access to IP addresses where authorities already have knowledge of the incriminating content associated with the service use. Poland suggested it would consider reforms.
In relation to a possible EU intervention, some Member States favour minimum harmonisation of access requirements, while a majority consider that the EU system should include robust access safeguards. Some Member States suggest that an EU data retention framework should not literally codify CJEU case law, because it related to specific factual contexts, but should rather be based on a proportionality assessment in line with the CJEU's general guidelines. The high-level group discussed the need to 'design access rules which differ depending on e.g. the type and seriousness of the crime, the degree of threat posed to the victims by the offence, the purpose of access and the authorities competent to access the data'.
Member States diverge on whether access conditions should borrow from the e-Evidence Regulation and include elements such as standardised request formats, deadlines, and secure communications channels. Several Member States support this approach, whereas others consider that there is no need to introduce standardised formats and communication channels. They argue that these are domestic matters between law enforcement authorities and electronic communications service providers within a single Member State, and that cross-border cooperation is already governed by the e-Evidence Regulation.
Certain forms of quick freeze mechanism raise additional concerns.For instance, the French quick-freeze and access mechanism appears to allow data originally retained on national security grounds to be subject to a targeted preservation order and subsequently accessed for the investigation of (serious) crime.40 However the CJEU has ruled that access to retained data can only be accessed for the purposes for which the data were originally retained or for objectives of greater importance. The 2023 report by the French Senate's Committee of Laws highlighted legal uncertainty in this regard. In the same vein, the conditions governing the issuance of quick-freeze orders and subsequent access to the preserved data may become a subject of discussion at the EU level.
Besides this, the high-level group experts supported establishing stronger voluntary cooperation mechanisms between the public and private sector, including through memoranda of understanding and fuller use of existing EU networks such as SIRIUS, the European Judicial Network (EJN) and the European Judicial Cybercrime Network. They also highlighted the need for standardised data retention and transmission formats, as inconsistent application of existing standards and the absence of common formats for internet-based communications service providers increase complexity for law enforcement data analysis. The Commission's data access roadmap and its call for evidence also suggest that it is committed to strengthening cooperation between public authorities and service providers.
Box 2 – Cross-border access procedures
In 2020, law enforcement authorities and electronic communications service providers signalled that cross-border procedures for gaining access to non-content data retained by electronic communications service providers based in other Member States were excessively complex, lengthy and ineffective in practice. At the time of the survey, law enforcement authorities could not directly order electronic communications service providers established in another Member State to provide access to data and instead had to rely on their counterpart law enforcement authority in that Member State to facilitate access. However, a 2025 Europol and Eurojust report suggests that some of these issues may be mitigated through the e-Evidence Regulation, which will become applicable as of 18 August 2026. The e-Evidence Regulation enables authorities designated by Member States – such as LEAs – to order a service provider operating in another Member State to produce or preserve electronic evidence. The high-level group indicated that the effectiveness of the e-Evidence framework presupposes the availability of data that can be preserved, and that its effective operation in the data retention domain would therefore depend on the existence of (sufficiently broad) data retention rules. EDRi considers that the combination of commercially retained data and e-Evidence instruments already provides sufficient tools for effective law enforcement, making additional data retention unnecessary.
Automated analysis of retained data
As more electronic intelligence is made available, authorities increasingly rely on automated analysis to process data efficiently. The Commission even committed to fostering the uptake of AI solutions among Member States' law enforcement solutions in its roadmap.
In its first case on automated analysis in the context of data retention, the CJEU held that a legislative measure empowering authorities to instruct providers to carry out an automated analysis of all retained traffic and location data is permissible only for national security purposes and in compliance with specific safeguards (see below). Against this backdrop, legislators may consider a range of possible approaches in relation to automated analysis, including:
-
leaving the automated processing of personal data in the data retention context to be governed by existing EU laws such as the e-Privacy Directive, GDPR, LED, AI Act, and Charter;
-
regulating common safeguards for the automated processing of personal data in an EU data retention framework and clarifying the relationship with the general EU data protection and privacy laws; or
-
deregulating the automated processing for national security purposes by introducing national security scope exceptions in the general EU data protection and privacy laws and limiting the scope of an EU data retention framework accordingly (see section on 'Managing divergent notions of national security').
Taking as an example the rationale behind the former Data Retention Directive, the Law Enforcement Directive, and the Passenger Name Record Directive, a case could be made that specific data protection and privacy standards for automated analysis of retained data should be regulated at EU level. Common standards would create a level playing-field for communications services operators, deliver consistent protection for end-users across the EU, and strengthen cross-border law enforcement. Following a rationale similar to that which could underpin a future data retention scheme, data protection rules – depending on their design – could enhance the robustness of analysis outcomes, contribute to meeting admissibility criteria, facilitate cross-border sharing of analysis results by increasing trust in equivalent standards, and simplify the handling of outputs from multiple jurisdictions within a single investigation.
The CJEU clarified necessary conditions and safeguards for certain types of analysis in LQDN I. It ruled that a legislative measure requiring providers to implement measures allowing the automated analysis of all traffic and location data retained is only permissible for national security purposes and insofar as the following conditions are met: (i) the analysis is limited in time; (ii) the competent authority publishes general information about the analysis; (iii) an effective review of the authorising decision is guaranteed; (iv) the pre-established (as opposed to self-learning) models and analysis criteria are specific, reliable, non-discriminatory, not based solely on sensitive data, and subject to regular re-examination; (v) and positive results are reviewed individually by non-automated means. These standards could be further refined based on CJEU's case law on passenger information and supplemented with additional clarification. In particular, a future framework could also address the permissibility and treatment of self-learning algorithms; effective measures to counter indirect discrimination; standards for human review that would avoid risks of human bias and effectively mitigate the base-rate fallacy; and qualified measures for auditing algorithms.
Extending data retention rules to internet-based communications service providers
The high-level group, certain Member States, and the EU Counter-Terrorism Coordinator favour extending data retention rules to additional services, including internet-based communications services providers (OTT), given their central role in providing electronic communications. This would level the playing field among traditional and modern communications service providers. Given that some OTT providers do not collect non-content data voluntarily and are not obliged to do so under national law, it would ensure the availability of non-content data necessary for effective law enforcement. Some Member States noted that the potential impact of such an extension on OTT business models, as well as the associated costs, should be taken into consideration. Telecom and online-service providers warn that general long-term obligations on data retention would be costly and that a new regulation should provide for a cost compensation mechanism.
The high-level group experts suggest obliging electronic communications service providers to supply data in an intelligible format. In its written input to the group, EDRi highlights that some communication services (such as Signal) apply concepts such as 'sealed sender' that render it technically impossible to retain metadata as would be obliged under a potential framework. This would be comparable to a backdoor requirement that allows access, bypassing normal security controls.41 Here the tension between decryption for law enforcement purposes and general communication privacy and security resurfaces.
Outlook: Legislative process
The European Parliament has continuously advocated a high level of data protection in legislative and non-legislative procedures. In 2018, Parliament urged the Commission to assess new data retention legislation, and in 2020 it called for action against Member States that had not repealed laws implementing the invalidated Data Retention Directive, aiming to bring them into line with CJEU case law.
While the European Commission has already consulted Member States during the pre-initiative phase, contact with Parliament has been sparse. If the Commission tables a proposal, it will be transmitted to the Parliament and the Council, so the co-legislators can develop their respective positions and enter into negotiations.
Further reading
- H. Mildebrath and S. González Vidal, Mapping CJEU limits on data retention frameworks, Briefing, EPRS, July 2025.
- S. González Vidal and H. Mildebrath, Towards new rules on data retention, Briefing, EPRS, July 2026.
Endnotes
Statement on the use of AI
Any AI-generated content in this text has been reviewed by the authors. ChatGPT and Claude were used to improve the readability of the text.
Disclaimer
This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament.
Copyright
© European Union.
The reuse of this document is authorised under a Creative Commons Attribution 4.0 International (CC-BY 4.0) licence.
https://creativecommons.org/licenses/by/4.0/deed.en
To use or reproduce elements that are not owned by the European Union, permission may need to be sought directly from the respective rightsholders.