The EU is quietly moving to revive blanket data retention, forcing nearly every digital service to log who you talk to, when, and from where—for up to a year.

Officials insist they won’t read your encrypted messages. They just want the metadata.

But here’s what they’re not telling you: metadata is the map of your life.

What They’re Planning

A Council paper now circulating among EU member states outlines a surveillance scheme that would make the NSA blush. The proposal would force virtually every digital service—from WhatsApp and Signal to VPN providers, cloud platforms, payment processors, and even gaming services—to become state-mandated data warehouses.

The scope is staggering:

  • Who you contact and how often
  • Where you are when you make calls or send messages
  • What services you use and when
  • Your device identifiers and IP addresses
  • Your communication patterns across all platforms

All of it stored. All of it accessible. For up to a year, possibly longer.

The “Just Metadata” Lie

When government officials say they only want metadata, not content, they’re technically correct. They won’t read your encrypted Signal messages. They won’t see your WhatsApp chats.

But they don’t need to.

Metadata reveals:

  • Everyone in your social network
  • Your daily routines and habits
  • Where you go and when
  • Who you meet and how often
  • Your interests, relationships, and associations
  • Patterns that can predict your behavior

Former NSA General Counsel Stewart Baker put it bluntly: “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

Think about what your metadata reveals: The fact that you called a divorce lawyer three times last month. That you visited a cancer treatment center. That you messaged a journalist late at night. That you attended a protest. That you’re searching for a new job while employed.

The content of those communications is private. But the pattern—the who, when, and where—tells the whole story.

Why This Is Illegal (And They Know It)

Here’s the thing: European courts have already declared this exact type of surveillance illegal.

In 2014, the Court of Justice of the European Union (CJEU) struck down the original Data Retention Directive. The court called it a “serious interference with fundamental rights” that failed to provide adequate protections.

The ruling was unambiguous: collecting everyone’s data “without differentiation, restriction or exception” violates EU law. Any retention must be narrowly targeted and proportionate.

Since then, the CJEU has issued multiple rulings reinforcing this principle:

  • 2016 (Tele2 Sverige): General and indiscriminate retention violates EU law
  • 2020 (La Quadrature du Net I): Reaffirmed strict limits on bulk collection
  • 2024 (La Quadrature du Net II): Even with some loosening, mass surveillance remains restricted

The Council’s own documentation acknowledges that previous laws were struck down for treating every person as a potential suspect.

So what’s their solution? Ignore the courts and try again.

Instead of adapting their proposals to comply with legal requirements, member states want to “reassess the necessity and proportionality” of retention—in other words, reinterpret the legal boundaries rather than respect them.

The Expansion, Not Narrowing

Despite knowing their previous attempts were illegal, EU governments aren’t scaling back. They’re doubling down.

The new proposal expands the dragnet to cover:

  • Encrypted messengers like Signal and WhatsApp
  • VPN providers (undermining the entire point of VPNs)
  • Cloud hosting services
  • Cryptocurrency platforms
  • Gaming and ridesharing apps
  • E-commerce platforms
  • Payment processors
  • Telegram and other messaging services

Basically, if you connect to it online, they want it logged.

And the retention period? The old directive allowed six months. The new plan demands a minimum of one year, with member states free to keep data even longer.

Germany’s Federal Criminal Police Office has stated that “a storage commitment of two to three weeks would be sufficient on a regular basis” for most investigations. The EU is proposing 26 to 52 times that amount.

Location Tracking: Everywhere You Go

Mobile networks continuously record which cell towers your phone connects to, creating a near-real-time map of your movements. The proposal explicitly calls for retaining this location data.

Government officials claim this could help locate missing persons. But the document admits “not all cases of missing persons constitute a potential offense.”

Translation: they want to track everyone’s movements, all the time, just in case it might someday prove useful.

Your morning commute. Your lunch spot. The gym you visit. The friend you meet. The clinic you attend. The protest you join. All mapped, all stored, all accessible.

The “Serious Crime” Loophole

The proposal allows each member state to define what constitutes a “serious crime” warranting access to this data.

This means surveillance infrastructure built for terrorism and organized crime can—and will—be used for routine policing.

We’ve seen this mission creep before. France’s state of emergency powers, declared after the 2015 terrorist attacks, were used to surveil and arrest climate activists. When France’s Conseil d’État later issued its decision on mass telecom surveillance, it expanded the definition of “national security” to include economic espionage, drug trafficking, and “the organisation of undeclared demonstrations.”

Once the data exists, the temptation to use it expands infinitely.

Countries will define “serious crime” to include copyright infringement, online harassment, “hate speech,” misinformation, or whatever the political flavor of the month demands. The infrastructure for mass surveillance doesn’t discriminate—it collects everything and waits for justifications to catch up.

What Happens Next

The timeline is already in motion:

  • Early 2026: European Commission publishes impact assessment
  • Mid-2026: Legislative proposal expected
  • 2026-2027: Debate and potential passage

The Commission frames this as necessary because “often the necessary data is no longer available when the investigation is conducted.” But law enforcement’s own assessments contradict this. When data is actually needed, it’s typically recent—days or weeks old, not months.

Privacy advocates and civil society organizations are sounding alarms. The Electronic Frontier Foundation has called out the dangerous proposals of the secretive “High Level Group on Access to Data for Effective Law Enforcement”—often referred to as the “Going Dark” group based on the false narrative that police are left “in the dark” due to lack of data.

The reality? There’s more surveillance data available today than at any point in human history. The advertising-driven business model of most online services means companies already collect massive amounts of behavioral data. Law enforcement isn’t going dark—they’re drowning in light.

Why This Matters to You

Even if you’re not European, this should concern you.

First, many of the services you use operate globally. If they’re required to log metadata for EU users, they’ll likely implement the same systems everywhere. It’s cheaper and simpler than maintaining separate infrastructure.

Second, surveillance regimes are contagious. When the EU implements mass data retention, other countries will cite it as precedent. The UK has already attempted similar measures. The US maintains its own metadata collection programs. Australia has mandatory data retention laws.

Third, the normalization of mass surveillance erodes privacy expectations globally. When major democratic powers treat everyone as a suspect worthy of monitoring, it becomes easier for authoritarian regimes to justify even more invasive surveillance.

What You Can Do

If you’re in the EU:

  • Contact your MEPs (Members of European Parliament) and make your opposition known
  • Support digital rights organizations fighting this proposal (EDRi, Digital Rights Ireland, La Quadrature du Net, EFF)
  • Use the upcoming public consultation period to submit comments
  • Share information about this proposal—most people don’t know it’s happening
  • Learn from the successful resistance to Chat Control for organizing tactics

Regardless of location:

  • Use end-to-end encrypted messaging (Signal, not WhatsApp owned by Meta)
  • Consider VPN services, though acknowledge their limitations under these proposals
  • Support organizations fighting mass surveillance legally and politically
  • Practice good operational security and minimize your metadata footprint where possible
  • Push back against the normalization of surveillance
  • Review comprehensive privacy protection strategies for your digital life

For organizations and service providers:

  • Object to these requirements publicly and loudly
  • Implement data minimization practices now—don’t collect what you don’t need
  • Consider legal challenges if this becomes law
  • Be transparent with users about what you’re forced to retain
  • Review GDPR compliance requirements that may conflict with retention mandates
  • Understand global data protection frameworks and their implications

The Bigger Picture: Europe’s Surveillance Infrastructure

This data retention revival doesn’t exist in a vacuum. It’s part of a broader pattern of EU surveillance expansion:

The Chat Control saga attempted to mandate client-side scanning of all encrypted messages. After three failed attempts and massive public opposition, it was blocked—but the fight continues.

Data retention is the perfect complement to Chat Control. Even if they can’t read your encrypted messages, they want to know:

  • Who you messaged
  • When you messaged them
  • Where you were when you messaged
  • What platform you used
  • How often you communicate

Combined, these proposals create a comprehensive surveillance state that tracks both the content of communications (Chat Control) and the patterns of communications (data retention).

The fact that Chat Control failed three times shows that public resistance works. The same energy that defeated client-side scanning must now be directed at stopping mass metadata retention.

The Bottom Line

This isn’t about fighting crime. It’s about control.

If it were about crime, they’d follow their own police assessments that show weeks of data retention is sufficient. If it were about proportionality, they’d narrow the scope instead of expanding it. If it were about respecting rights, they’d comply with court rulings instead of trying to circumvent them.

The officials pushing this proposal want comprehensive, permanent surveillance infrastructure in place. They want to know everyone you talk to, everywhere you go, everything you do online. Not because you’re suspected of a crime. Not because there’s any evidence against you. But because you exist and they want to know.

Metadata is not “just” metadata.

It’s the shape of your life, your relationships, your movements, your interests, and your associations. It’s everything about you except the exact words you say.

And they want all of it.

The fight over data retention is far from over. The EU had a chance to lead the world in protecting digital rights. Instead, it’s choosing to lead the race to the bottom.

Don’t let them do it quietly.


Resources:

Timeline to Watch:

  • Q1 2026: Impact assessment publication
  • Q2 2026: Proposed legislation
  • 2026-2027: Legislative process and potential adoption

Stay informed. Stay vocal. Stay private.

