Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

There is currently no EU-wide legal framework governing data retention by service providers for criminal proceedings. Some member states do not have legislation, and those that do have diverging regimes. According to the IAPP Privacy Governance Report 2024, data retention remains a fairly manual task, with less than 50% of surveyed organizations having fully or semiautomated processes in place. Data retention goes well beyond law enforcement considerations for many organizations, but this statistic partly reflects implementation hurdles.

The European Commission is considering how to bring clarity to this area by early 2026, possibly through legislative action — though the particular means of action is still to be determined.

The past decade has been paved with decisions by the European Court of Justice challenging the data retention regime in Europe, leaving member states and operators to face legal uncertainty and complexity. In 2014, the court declared the EU Data Retention Directive invalid, for in its eyes, the directive entailed a wide-ranging and particularly serious interference with fundamental rights — with that interference not being limited to what is "strictly necessary." Subsequent judgments in 2016 and 2020 confirmed the decision pattern at the EU court level, leaving a vacuum filled with divergence of regimes across member states.

The Commission is now consulting stakeholders on three main aspects of action.

First, quantifying the effect of several factors explaining why most (online) crimes cannot be successfully investigated and prosecuted in the EU — for instance, lack of available digital evidence, lack of legal obligations or rules, lack of human resources, skills, training, etc. — as well as ranking concerns an EU data retention initiative could raise.

Second, on fundamental rights, the Commission is assessing the level of intrusiveness of investigative methods that require prior authorization by a judge or independent administrative authority, namely: accessing metadata of a communication service stored by the service provider for all users, live interception of communications of targeted users, a house search of suspects, extraction of data from seized devices of suspects, and covert and/or undercover surveillance measures of suspects.

Lastly, the Commission also seeks views on outstanding questions regarding scope, to whom a data retention instrument should apply and to which type of crimes.

This data retention initiative falls under a wider roadmap for effective and lawful access to data for law enforcement presented by the European Commission in late June, which noted that 85% of criminal investigations now rely on electronic evidence.

A noteworthy area beyond data retention is the Commission's intent to support the development of new decryption technologies for Europol from 2030, which raises questions and concerns across industry and civil society alike. The roadmap announces action in four other areas: cross-border cooperation for lawful interception, technical solutions to support digital forensics, standardization and artificial intelligence tools for law enforcement. Home Affairs Ministers plan to discuss the roadmap in late July.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.