Mass surveillance of telecommunications document pool

In the law enforcement context, “data retention” refers to the mandatory retention by providers of electronic communications services (email, private messaging, internet access providers, etc.) of metadata of all their users only for law enforcement purposes. Because it is applied to everyone indiscriminately, it constitutes a mass surveillance measure. After the former Data Retention Directive was struck down by the CJEU in 2014 as it violated fundamental rights, the Commission is seeking to adopt new rules at EU level, posing a clear threat to everyone’s digital rights.

By EDRi · October 13, 2025


Introduction

In the law enforcement context, data retention is a requirement obliging providers of electronic communications services (email, private messaging, internet access providers like telecom companies, etc.) – we call them ‘service providers’ (SPs) – to retain certain types of data related to their users beyond what is necessary for the provision of their services and only for law enforcement purposes.
The types of data retained are mainly traffic and location data. Traffic data is metadata about your online activities.

Whenever a device accesses a communications network, small packets of data related to that device’s activities are processed on the systems of the operator responsible for the network.
It is possible to learn A LOT about an individual’s movements, interests and social network from analysing metadata – even without ever accessing the actual content of their communications. It is well established that metadata can reveal information that is no less sensitive than the actual contents of communications.

In 2014, the Court of Justice of the European Union (CJEU) invalidated the old EU Data Retention Directive because it required a mass and indiscriminate retention of all traffic and location data, which was considered in violation of the Charter of Fundamental Rights. Unfortunately, since then, the vast majority of Member States have ignored the CJEU ruling(s) and maintained illegal national data retention laws.

A new legislative proposal has the potential to legalise (again) mass surveillance at the EU level and to undermine online privacy and other fundamental rights depending on it (freedom of assembly and association, of expression, etc.). Moreover, it creates very serious cybersecurity risks, as all the data retained is vulnerable to (increasing) cyberattacks.

Key legislative information and dates

Commission President’s political guidelines

In her 2024-2029 political guidelines, the President of the Commission, Ursula von der Leyen, has announced that she wants “to provide law enforcement with adequate and up-to-date tools for lawful access to digital information, while safeguarding fundamental rights”. More specifically, in her mission letter to the candidate for the Home Affairs portfolio, Magnus Brunner, she indicated two objectives:

  1. an ‘update’ of law enforcement’s tools for access to digital data and
  2. ‘rules on data retention’.

Commission’s ProtectEU Internal Security strategy and Roadmap for effective and lawful access to data for law enforcement

Commission’s consultation

  • The lead European Commission department, DG HOME (Directorate-General for Migration and Home Affairs), launched a consultation process in May 2025.
  • [closed] Call for evidence – Feedback period: 21 May 2025 – 18 June 2025 (midnight Brussels time)
    • Feedback received
  • Public consultation – Consultation period: 20 June 2025 – 12 September 2025 (midnight Brussels time)
  • EDRi’s answering guide
  • According to the Commission’s webpage, the proposal(s) (whether legislative or non-legislative) will be released in the first quarter of 2026.

EDRi blogs and latest news

EDRi position on data retention

Official opinions

Evolution of CJEU jurisprudence

2014, Digital Rights Ireland: CJEU declares the EU Data Retention Directive invalid because it infringed the fundamental rights to privacy and data protection and failed to outline substantive and procedural conditions for access by law enforcement.

2016, Tele2/Watson: CJEU confirms that national legislation establishing mass data retention is contrary to EU law. Access to retained data must be restricted to fighting serious crime, with prior review by a court or an independent administrative authority.

2020, Privacy International and La Quadrature du Net I:
  • Mass data retention is possible if there is a genuine, present or foreseeable threat to national security.
  • Targeted retention is possible if limited to specific groups of individuals or geographic areas.
  • General retention of IP addresses is possible solely for the fight against serious crimes.
  • These processing activities must be limited in time to what is necessary.

2022, SpaceNet: CJEU confirms its previous case-law and declares mass data retention contrary to EU law even for short retention periods (4 or 10 weeks).

2024, La Quadrature du Net II (HADOPI): CJEU accepts that the retention of IP addresses is no longer a serious interference with fundamental rights by default. Therefore it accepts their general retention even for petty offences and police access without prior independent review in certain cases.

Terminology

Metadata
This includes all information about a communication other than its content, such as the communication’s origin (who sent it?), the destination (who is the recipient?), the route, the time, the date, the size (of the message), the duration (of the activity), or the type of underlying service. Metadata can be compared to the information outside an envelope (address, weight, format, stamps, etc.), while the communications content corresponds to the message inside the envelope.

CJEU
The Court of Justice of the European Union was asked multiple times by national courts to interpret the

Contact us

Chloé Berthélémy (She/Her)

Senior Policy Advisor

E-Mail: firstname [dot] lastname [at] edri [dot] org
Mastodon: @