Data Retention: Commission to present proposal by mid-2026

Contents

While the black-red coalition agreement provides for the mandatory introduction of several months of storage of IP address assignments and, if necessary for identification, port numbers, the EU is thinking much bigger. This is shown by a document from the Danish Council Presidency, which heise online has access to. Several member states of the European Union are therefore also considering obliging WhatsApp, Telegram, Signal, Threema and Co. And that's not the end of the Christmas wish list.

It is considered an open secret in Brussels that the Directorate-General for Home Affairs (DG Home) of the EU Commission will propose a new attempt at data retention in the course of next year. With the official end of the E-Privacy Regulation and the planned abolition of the current E-Privacy Directive and its partial integration into other legal acts, the way seems clear to tackle data retention anew. Especially after the European Court of Justice, according to the interpretation of both the EU Commission and most member states, reopened the door for data retention in 2024, this is now considered promising.

But what exactly would have a chance of being adopted in such a proposal by both the necessary majority in the Council of Member States and in the European Parliament has been unclear so far. However, the Danish Council Presidency, whose term ends in December, has asked for the position of the respective member states within the COPEN working group by the end of November. This document is an extensive wish list. From the perspective of civil rights advocates, it is more likely to be a list of potential grounds for legal action.

One year of data retention

For one year, according to the wish of most member states, data should be stored. In any case, it must be at least six months, and states should be able to go beyond that, the paper states. The responsible Council working group apparently no longer discusses IP address assignment data retention in any great detail. From the perspective of most member states, this seems to be the minimum of necessary legislation.

And because the storage of communication relationships is so important anyway, but only three percent of all digital messages are sent via SMS or MMS, the paper states: "Most member states expressed their fundamental support for future legislation to have the broadest possible scope, including the possibility to adapt the list for future technological and market developments."

And in this context, it means: OTT services such as WhatsApp, Signal, Threema or Telegram should also store communication metadata. Content should continue not to be stored - but the fact that law enforcement agencies cannot subsequently trace who exchanged messages with whom and when seems to be a problem for some EU member states. While some states also warn of the possible consequences. However, not for civil rights, but for the business models of the providers, which is why these costs would also have to be taken into account.

Find-my-Citizen function as justification

Metadata such as location and traffic data should also be stored, according to the opinion of most states. Some EU states are also in favor of storing data on the destination of communication processes and the recipient service equipment - "to enable the location of the mobile communication device," the paper states.

Another point is also mentioned as particularly uncontroversial: only with location data retention is it possible to find missing persons, some states therefore consider the indiscriminate and untargeted storage to be justifiable.

The paper also explains why member states use such "positive scenarios" beyond criminal prosecution: Targeted, for example geographically restricted, data retention is difficult to implement, according to member state representatives. Moreover, criminals could choose their location accordingly. And the idea of only storing data for account holders with a criminal record is also unsuitable because first-time offenders would be excluded. Which is why arguments are now apparently being sought to convince the European Court of Justice that it makes no sense without indiscriminate and mass storage.

Every straw seems to count

In this vein, the Danish Presidency summarizes the arguments, some of which are certainly understandable from an investigator's perspective, for example regarding otherwise untraceable offenses, and others that appear rather arbitrary.

After all, a conflict of objectives is clearly addressed on the VDS wish list: Even today, law enforcement agencies often have extensive, Europe-wide access to existing data under the E-Evidence regime. With the regulation that came into force in 2023, law enforcement agencies from all EU states can already issue preservation and disclosure orders against service providers throughout the EU. For this purpose, they can approach VPN providers in Europe, hosting providers, and many other - very broadly understood - "information society services" and demand data or its preservation.

Precisely here, for the friends of data retention, there seems to be a political problem. Because on the one hand, they want to create a storage obligation that is as uniform as possible and covers many variants of data - but at the same time, this apparently harbors the risk that storage regulations could displace the real, hitherto sometimes even relatively easy, availability of data.

In fact, the Council Presidency's document, dated the end of November, contains above all one thing: many wishes - and also concerns. Because designing legally sound data retention that will also stand up in court does not seem to be easy at all.

Federal Government does not want to wait for EU

At the federal level, the European plans for 2026 are not a reason to change their own ideas. Currently, the Federal Ministry of Justice under Stefanie Hubig (SPD), the Ministry of Digital Affairs under Karsten Wildberger (CDU) and the Ministry of the Interior under Alexander Dobrindt (CSU) are discussing a draft for German data retention. "With great interest," says a spokesman for the Ministry of the Interior, the BMI is following the considerations for harmonization at the EU level. "The introduction of a storage obligation for IP addresses and port numbers in implementation of the coalition agreement does not contradict this and is an important undertaking to strengthen the powers of security authorities."

Apparently, this remains difficult in Germany too: Justice Minister Hubig had actually announced in September that she wanted to present the draft law "promptly." However, there is nothing to be seen of this in the current, albeit non-binding, cabinet timetable - not even the usual preliminary stage, the so-called "Referentenentwurf" (draft by a government official), has been reached so far. Nevertheless, it is likely that in 2026, 20 years after the first and later EU data retention round, which was found to be unlawful under European law, such a measure will once again be decided.

(mho)