- EU Council shares preliminary views on new data retention framework
- VPN services, messaging apps and cloud storage are among the targets.
- A legislative proposal is expected at the end of the first half of 2026
EU governments are pushing to expand data retention obligations for apps citizens use every day, and the best VPN apps are among those targeted.
A new internal document dated November 27 (first published by Netzpolitik) provides important information on the current thinking of the Danish presidency of the EU Council. It shows that Member States largely agree on the need for a new framework on data retention, presenting an important overview of the main position of legislators on the matter.
The issue has been debated since April, when the EU Commission first presented “ProtectEU”, a strategy that aims to create a roadmap for “legal and effective access to data for law enforcement agencies.” The Commission then presented the Roadmap in June, which outlined the intention to decrypt citizens’ private data by 2030.
Crucially, the document reveals that EU governments view metadata – specifically traffic and location history – as the most vital tool for law enforcement.
Most Member States maintain that it is not enough to know who owns an account. Instead, they want a new legal basis where companies are forced to record exactly when and where a user was online, as well as the IP addresses they used to connect.
The document notes that Member States are aware of the legal obstacles involved in collecting this data and emphasizes that any new system must include strong safeguards and strict proportionality to satisfy the courts.
However, privacy experts and technologists have long warned that such “protections” are not enough, arguing that you cannot weaken encryption or retain this data without fundamentally compromising user security.
In addition to virtual private network (VPN) companies, other targeted online services include messaging apps, hosting providers, file-sharing services, cloud storage apps, and other over-the-top (OTT) services.
An impact assessment is planned to be carried out in early 2026. Lawmakers are waiting for the result before presenting a legislative proposal, which is expected in June next year.
What’s next for the privacy of EU citizens?
Increased data retention obligations would directly clash with the core architecture of privacy-preserving technology.
Take no-logs VPNs for example. These services are specifically designed not to record user activity, and their promise of security is based on the fact that the data simply does not exist.
That model appears to be incompatible with the retention requirements now required by EU member states. If the Council’s vision becomes law, a “log-free” service could be effectively illegal in Europe.
As AdGuard VPN product director Denis Vyazovoy told TechRadar in April: “A legal framework that forces VPNs to retain user metadata, potentially for an extended period, could make such services unsustainable, leading to the withdrawal of VPN providers from the EU.”
Similarly, NordVPN’s spokesperson told TechRadar that collecting more user data would threaten people’s safety.
We have contacted other major suppliers for their reaction to the Council’s latest document and will update this page when we hear back.
While final legislation is still being drafted and the future of ProtectEU is uncertain, European governments seem determined to grant law enforcement more and more access to our data, regardless of technical or privacy inconsistencies.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
