- The EU Council shares preliminary views on new data retention framework
- VPN services, messaging apps, and cloud storage are among the targets
- A legislative proposal is expected at the end of the first half of 2026
EU governments are pushing to widen data retention obligations for apps that citizens use every day – and the best VPN apps are among those targeted.
A new internal document dated November 27 (first published by Netzpolitik) provides important insights into the current thinking of the Danish Presidency of the EU Council. It shows that member states largely agree on the need for a new framework on data retention, presenting an important overview of lawmakers main position on the matter.
The topic has been debated since April, when the EU Commission first unveiled "ProtectEU," a strategy aiming to create a roadmap for "lawful and effective access to data for law enforcement." The Commission then presented the Roadmap in June, which outlined an intent to decrypt citizens' private data by 2030.
Crucially, the document reveals that EU governments see metadata – specifically traffic and location history – as the most vital tool for law enforcement.
Most member states argue that simply knowing who owns an account isn't enough. Instead, they want a new legal baseline where companies are forced to log exactly when and where a user was online, as well as the IP addresses they used to connect.
The document notes that member states are aware of the legal hurdles of gathering this data and emphasize that any new system must include robust safeguards and strict proportionality to satisfy the courts.
However, privacy experts and technologists have long warned that such 'safeguards' are not enough, arguing that you cannot weaken encryption or retain this data without fundamentally compromising user security.
Besides virtual private network (VPN) companies, other online services targeted include messaging apps, hosting providers, file sharing services, cloud storage apps, and other over-the-top (OTT) services.
An impact assessment is due in early 2026. Lawmakers are waiting for the outcome before presenting a legislative proposal, which is expected around June next year.
What's next for EU citizens privacy?
Greater data retention obligations would clash directly with the core architecture of privacy-preserving technology.
Take no-log VPNs, for example. These services are designed specifically not to log user activity, and their security promise relies on the fact that the data simply does not exist.
That model appears to be incompatible with the retention requirements EU member states are now demanding. If the Council's vision becomes law, a "no-log" service could effectively be illegal in Europe.
As AdGuard VPN's Chief Product Officer, Denis Vyazovoy, told TechRadar back in April: "A legal framework that forces VPNs to retain user metadata – potentially for a prolonged period – could make such services untenable, leading to the withdrawal of VPN providers from the EU."
Similarly, NordVPN spokesperson told TechRadar that collecting more user data would threaten people's security.
We have approached other major providers for their reaction to the Council's latest document and will update this page when we hear back.
While the final legislation is still being drafted and ProtectEU's future is uncertain, European governments seem determined to grant law enforcement ever more access to our data, regardless of the technical or privacy contradictions.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.