Brussels is preparing to reopen one of the EU’s most fraught digital battles: data retention. After years of legal uncertainty and court defeats, Commission is finalising plans to reintroduce EU-wide rules on storing citizens’ metadata for criminal investigations. After months of consultation, the move could reignite the long-running clash between privacy and security in Europe.
The initiative stems from the absence of a common EU framework. At present, there is no EU-wide legal requirement for service providers to retain metadata for a defined period for criminal proceedings, which means such data may no longer exist by the time authorities request it.
Brussels presents the exercise as a balance between privacy and law enforcement. However, civil society organisations warn that it puts users’ privacy at risk.
Chloé Berthélémy, Senior Policy Advisor at EDRi (European Digital Rights), said the plan is “fundamentally incompatible with the idea of a free, democratic society”. The underlying assumption, she said, is that police “need access to people’s data easily and at any time they want”.
You might be interested
Return to an old legal minefield
The issue of data retention has a long and troubled history in the EU. As MEP João Cotrim de Figueiredo (Renew, PRT) reminded the Commission of the Digital Rights Ireland judgment of 2014, the Court of Justice struck down the original Data Retention Directive for violating the rights to privacy and data protection. Subsequent rulings, including Tele2 Sverige, Prokuratuur and La Quadrature du Net, reaffirmed that the general and indiscriminate retention of communication data cannot be justified under EU law.
The Commission insists that no decision has yet been taken. It maintains that the impact assessment is still in progress and that discussions remain at the technical level. Replying to the MEP, Commissioner for Internal Affairs and Migration Magnus Brunner said the assessment aims at identifying policy options of both regulatory and non-regulatory nature. He added that “a decision as to a legislative proposal will be taken following the completion of the impact assessment”.
Mr Brunner also confirmed that the long-delayed ePrivacy Regulation would be withdrawn from the 2025 work programme. The Commission, he said, is “currently assessing the different options for any future action concerning rules on the privacy of communications data”.
Commission’s proposal may disclose habits, sexual orientations, political or religious beliefs, affiliations, social graphs, health status, etc. – Chloé Berthélémy, Senior Policy Advisor at EDRi
However, civil groups see the risks as real. Ms Berthélémy added that the type of data retained and potentially accessed by law enforcement authorities may reveal sensitive data. Such a proposal, she said, might expose “very sensitive, intimate details about us”, including “habits, sexual orientations, political or religious beliefs, affiliations, social graphs, health status.”
Going Dark Group calls for harmonization…
The push for data retention is not happening in isolation. It came weeks before the “Chat Control” proposal was on the EU agenda. Also framed with the need for law enforcement access to data. In that case, it would require mandatory scanning of all digital communications to detect child sexual abuse material,
For Ms Berthélémy, this is part of a bigger European agenda where law is used to justify access to data. The Chat Control proposal and data retention are part of a broader EU surveillance agenda aimed at increasing “law enforcement access to data”, she said.
Central to this agenda is the High-Level Group on Access to Data for Effective Law Enforcement, also known as “Going Dark”. This body launched in 2023 and is co-chaired by the Commission and the rotating Council presidency. Its purpose is to explore ’any challenges that law enforcement practitioners in the Union face in their daily work in connection to access to data and potential solutions to overcome them’ and propose solutions to ensure the availability of ’effective law enforcement tools to fight crime and enhance public security in the digital age’.
The outcome of this working group reflects the deeply flawed political orientation of the whole initiative. – Chloé Berthélémy, Senior Policy Advisor at EDRi
The group, composed mainly of national law enforcement representatives, produced 42 recommendations. The “Going Dark” report called for a harmonised EU regime on data retention, new enforcement powers, and what it described as ’lawful access by design’. They argued that divergent national rules create uncertainty for service providers and hinder cross-border investigations. Moreover, the High-Level Group proposed that service providers, including over-the-top platforms (OTT), retain enough data to clearly identify every user, such as IP addresses and port numbers.
…others criticize excessive surveillance
But critics see it differently. “The outcome of this working group reflects the deeply flawed political orientation of the whole initiative”, Ms Berthélémy said. “It included law enforcement interests only and refused to meet EU standards for balanced interests representation, transparency and accountability”.
In the past year, a coalition of 55 civil society and professional organisations sent an open letter to EU ministers. They warned that the group’s proposals promote “maximal access possible to personal data” and “risks of mass surveillance as well as substantial security and privacy threats”.
SIM card registration: another sticking point
While Brussels weighs the next steps, member states are already pushing for additional surveillance measures. Earlier this year, the Polish Presidency of the Council revived the idea of mandatory SIM-card registration. This would require users to present identification when purchasing or activating a phone number.
Ms Berthélémy confirmed that “it is a possibility that this requirement is included in the future data retention proposal. Although the choice of legal basis (and the need for a different legislative vehicle) might be a question here”. She warned that such a measure could endanger journalists, activists and vulnerable communities.
Past studies cast doubt on its effectiveness. The mobile industry group GSMA, in global surveys from 2013 and 2016, found ’no empirical evidence that a mandatory SIM registration policy directly leads to a reduction in crime’. Nevertheless, 19 member states require mobile providers to register the personal details of prepaid customers.
The Commission will publish the final version of its impact assessment in early 2026. If it leads to legislation, the debate is likely to build divisions between privacy groups and law enforcement.
