This is crass: EU countries are calling for a new law to Data retention, It goes far beyond anything we've ever known. An internal EU draft document shows: Practical all Internet services should store data of their users without cause Messengers like WhatsApp and Signal. The storage period? At least one year!
Why is this a big problem?
The eventless retention of data has already been carried out several times by Federal Constitutional Court and of European Court of Justice (ECJ) as disproportionate and illegal tilted. The rationale was clear: All people and all means of communication are covered, without differentiation, limitation or exception.
Now the EU member states are trying a new start and this time it should be even more comprehensive.
What is in the internal EU document?
The Presidency document (published by netzpolitik.org) shows frightening details:
Virtually all Internet services affected
In Germany, most of the time, only IP addresses of Internet access providers In other words, the EU countries go much further. Most states require one. “as wide a scope as possible” for Internet services.
The list of affected services is long:
- Messenger such as WhatsApp and Signal (explicitly referred to as ‘over-the-top services’)
- Domain registrars
- Hosting provider
- File sharing and cloud storage services
- Payment service providers
- VPN services
- Cryptocurrency traders
- E-commerce and financial platforms
- Taxi and food delivery services
- Gaming platforms
- Automobile manufacturers
Reasons for Messenger: Only 3 more% of mobile messages are sent via SMS, 97% It's about messengers. Therefore, this data should also be stored.
What data should be stored?
While German proponents always stress that it is "only about IP addresses", the EU states demand much more:
Minimum data category:
- Data to identify a user
- Participant data and IP addresses
- Port numbers
- Serial numbers of Internet devices
Communication connection data: Some states want to capture, "who communicated with whom, when, where and how" for every call, every text message, every e-mail and every Internet call.
Location data: Some EU countries are calling for an ‘general and indiscriminate retention’ of location data. Mobile networks always know where your smartphone is! This data is extremely meaningful and sensitive.
Biometric data: The listing also mentions face, fingerprint, DNA, and iris patterns.
Metadata from photos: IP addresses and metadata from electronically submitted photos will also be collected.
Storage period: At least one year
The old laws had a storage period of six months. The Federal Criminal Police said, "two to three weeks would be sufficient on a regular basis". Nevertheless, the new German law is to prescribe three months.
The EU member states want much longer:
- Most states demand ‘a period of one year and in any case not less than six months’
- Some states are still advocating ‘longer retention periods for complex investigations or very serious criminal offences’
- Some people just want deadlines. Minimum period (not as a maximum period) so that states can store even longer if necessary
Not just for serious crimes
Initially, data retention after 9/11 was based on the fight against international terrorism. In the meantime, sexual abuse of children is often cited as a justification.
But: EU countries emphasise that: “that metadata could be relevant for the investigation of virtually all criminal offences”.
Specifically, the following are mentioned:
- Serious crimes (definition to be in the hands of the nation-states)
- All crimes committed in cyberspace or using IT
- Offences that are mainly committed online, such as: Stalking or hate crimes, Even if the penalty is moderate
- Aspects of national security (without EU control)
How is this supposed to work legally?
The Council document itself summarises why the old data retention was unlawful: It covered all persons and all electronic means of communication as well as all traffic data without distinction, limitation or exception.
The new data retention system is intended to: more providers store more data longer, the investigators for more purposes allowed to use. How this should be done in accordance with the law remains open.
The solution of some states: Reinterpreting the jurisprudence. They want to “reassess the necessity and proportionality in the light of technological developments and changing ways of committing criminal offences”.
In other words: The courts have overturned the old data retention, but this time we're making it even more comprehensive and hopefully the courts will wave it through anyway.
What about ‘quick freeze’ as an alternative?
Quick Freeze is a less invasive alternative: Instead of storing all data of all people without cause, data is only secured when there is a concrete suspicion.
But EU countries find it Not enough. Explanatory memorandum: The tool is reactive, not preventive. The crime must have already taken place. Without a general storage obligation, the data are often already deleted at the request.
Quick Freeze is supposed to store data supplement, not replace.
Timetable: Legislative proposal 2026
The EU Commission is already working on the new law:
Since June 2025: Examination completed
Since September 2025: Consultation closed
Until Q1 2026: Impact assessment
End H1 2026: Possible legislative proposal
This means: In a few months, the proposal could be on the table.
Who's behind it?
The document shows contributions from 15 EU member states and the EU Counter-Terrorism Coordinator. The Most EU countries support a new EU law on data retention.
At the same time, Germany is working on its own data retention. According to the coalition agreement, internet access providers are to store ‘IP addresses and port numbers’ for three months.
What does this mean for you?
If these plans are implemented:
Your complete digital communication is recorded
- Who communicated with whom when?
- Where were you? (location data)
- What services did you use?
Non-aligned mass monitoring
- There is no suspicion against you
- Nevertheless, your data will be stored for one year
- Access to "virtually all crimes"
Encrypted messengers are also affected.
- WhatsApp, Signal & Co. would have to store
- Not the content, but metadata (who with whom)
- VPN services also affected
Even car manufacturers
- Modern cars are rolling computers
- Their data could also be collected
What can you do?
- Inform yourself on development
- Contacted Your Members and Concerns
- Supported Data protection organisations such as netzpolitik.org, Digitalcourage or the Electronic Frontier Foundation
- Divides this information, many do not know what is planned
TL:DR
The planned data retention is the most comprehensive mass surveillance in the EU to date. While previous laws have been overturned by the ECJ as illegal, the EU states are now simply trying to do even more monitoring.
The argument ‘we need to reassess the case law’ is a thin fig leaf for mass surveillance. Stay vigilant, this affects all of us!
EN 
DE 
ES 
FR 
IT