Mass surveillance of telecommunications Document Pool

In the law enforcement context, “data retention” refers to the mandatory retention by providers of electronic communications services (email, private messaging, internet access providers, etc.) of metadata of all their users only for law enforcement purposes. Because it is applied to everyone indiscriminately, it constitutes a mass surveillance measure. After the former Data Retention Directive was struck down by the CJEU in 2014 as it violated fundamental rights, the Commission is seeking to adopt new rules at EU level, posing a clear threat to everyone’s digital rights.

By EDRi · October 13, 2025

"At the heart of the case-law of the Court [of Justice of the European Union on privacy] is the notion that the users of electronic communications services are entitled to expect, in principle, that their communications and data relating thereto will remain anonymous and may not be recorded, unless they have agreed otherwise." - Advocate General Campos Sánchez-Bordonas

Introduction

In the law enforcement context, data retention is a requirement obliging providers of electronic communications services (email, private messaging, internet access providers like telecom companies, etc.) – we call them ‘service providers’ (SPs) – to retain certain types of data related to their users beyond what is necessary for the provision of their services and only for law enforcement purposes.

The types of data retained are mainly traffic and location data. Traffic data is metadata about your online activities.

Whenever a device accesses a communications network, small packets of data related to that device’s activities are processed on the systems of the operator responsible for the network.

It is possible to learn A LOT about an individual’s movements, interests and social network from analysing metadata – even without ever accessing the actual content of their communications. It is well established that metadata can reveal information that is no less sensitive than the actual contents of communications.

In 2014, the Court of Justice of the European Union (CJEU) invalidated the old EU Data Retention Directive because it required a mass and indiscriminate retention of all traffic and location data, which was considered in violation of the Charter of Fundamental Rights. Unfortunately, since then, the vast majority of Member States have ignored the CJEU ruling(s) and maintained illegal national data retention laws.

A new legislative proposal has the potential to legalise (again) mass surveillance at the EU level and to undermine online privacy and the other fundamental rights that depend on it (freedom of assembly and association, of expression, etc.). Moreover, it creates very serious cybersecurity risks, as all the retained data is vulnerable to (increasing) cyberattacks.

Key legislative information and dates

In her 2024-2029 political guidelines, the President of the Commission, Ursula von der Leyen, has announced that she wants “to provide law enforcement with adequate and up-to-date tools for lawful access to digital information, while safeguarding fundamental rights”. More specifically, in her mission letter to the candidate for the Home Affairs portfolio, Magnus Brunner, she indicated two objectives:

  1. an ‘update’ of law enforcement’s tools for access to digital data and
  2. ‘rules on data retention’.

  • The lead European Commission department, DG HOME (Directorate-General for Migration and Home Affairs), launched a consultation process in May 2025.
  • [closed] Call for evidence – Feedback period: 21 May 2025 – 18 June 2025 (midnight Brussels time)
  • [closed] Public consultation – Consultation period: 20 June 2025 – 12 September 2025 (midnight Brussels time)
  • According to the Commission’s webpage, the proposal(s) (whether legislative or non-legislative) will be released in the first quarter of 2026.

Evolution of CJEU jurisprudence

2014, Digital Rights Ireland

CJEU declares the EU Data Retention Directive invalid because it infringed the fundamental rights to privacy and data protection and failed to outline substantive and procedural conditions for access by law enforcement.

2016, Tele2/Watson

CJEU confirms that national legislation establishing mass data retention is contrary to EU law. Access to retained data must be restricted to fighting serious crime, with prior review by a court or an independent administrative authority.

2020, Privacy International and La Quadrature du Net I 

- Mass data retention is possible if there is a genuine, present or foreseeable threat to national security.
- Targeted retention is possible if limited to specific groups of individuals or geographic areas.
- General retention of IP addresses is possible solely for the fight against serious crimes.
- These processing activities must be limited in time to what is necessary.

2022, SpaceNet

CJEU confirms its previous case-law and declares mass data retention contrary to EU law even for short retention periods (4 or 10 weeks).

2024, La Quadrature du Net II (HADOPI)

CJEU accepts that the retention of IP addresses is no longer a serious interference with fundamental rights by default. Therefore it accepts their general retention even for petty offences and police access without prior independent review in certain cases.

CJEU
The Court of Justice of the European Union (CJEU) has been asked multiple times by national courts to interpret EU law with regard to the retention of telecommunications data for law enforcement purposes.

DRD – Data Retention Directive
Directive 2006/24/EC, the “Data Retention Directive”, was adopted in 2006 in spite of massive mobilisations across Europe against the mass surveillance regime it put in place. It was invalidated in 2014 by the CJEU in a case brought by EDRi member Digital Rights Ireland. The Court declared that the general and indiscriminate retention of personal data permitted by the directive constituted a disproportionate interference with the fundamental rights to data protection and privacy.

General and indiscriminate
In contrast to targeted investigative measures, general and indiscriminate surveillance applies to everybody without making any distinction among individuals. It is also referred to as “mass” surveillance.

HADOPI
The French HADOPI system, named after the administrative authority that oversees it, consists of identifying and sanctioning internet subscribers whose connection has been used to share copyrighted material on peer-to-peer networks. Upon receiving complaints from right-holders or their representatives, the HADOPI authority sends automated requests to internet service providers (ISPs) to provide civil identity data, email and postal addresses for the users of the IP addresses implicated in the infringement(s). The ISP identifies the user by querying a large database of previously assigned source IP addresses linked to user identity. This database is only available because of the French data retention law. The HADOPI system is labelled a “graduated response” system because the authority first sends two formal warnings to individuals engaged in infringements before resorting to legal action upon detecting a third violation.

Metadata
Metadata is all information about a communication other than its content, such as the communication’s origin (who sent it?), the destination (who is the recipient?), the route, the time, the date, the size (of the message), the duration (of the activity), or the type of underlying service. Metadata can be compared to the information on the outside of an envelope (address, weight, format, stamps, etc.), while the communication’s content corresponds to the message inside the envelope.

Chloé Berthélémy (She/Her)

Senior Policy Advisor

E-Mail: firstname [dot] lastname [at] edri [dot] org