The EU prepares ground for wider data retention and VPN providers are among the targets
Date:
Mon, 15 Dec 2025 19:01:37 +0000
Description:
With the Chat Control bill entering its final stage, the EU Council has been busy thinking about what a new data retention framework could look like.
FULL STORY
EU governments are pushing to widen data retention obligations for apps that citizens use every day and the best VPN apps are among those targeted.
A new internal document dated November 27 (first published by Netzpolitik ) provides important insights into the current thinking of the Danish
Presidency of the EU Council. It shows that member states largely agree on
the need for a new framework on data retention, presenting an important overview of lawmakers main position on the matter.
The topic has been debated since April, when the EU Commission first unveiled
" ProtectEU ," a strategy aiming to create a roadmap for "lawful and
effective access to data for law enforcement." The Commission then presented the Roadmap in June, which outlined an intent to decrypt citizens' private
data by 2030 .
Crucially, the document reveals that EU governments see metadata
specifically traffic and location history as the most vital tool for law enforcement.
Most member states argue that simply knowing who owns an account isn't
enough. Instead, they want a new legal baseline where companies are forced to log exactly when and where a user was online, as well as the IP addresses
they used to connect.
The document notes that member states are aware of the legal hurdles of gathering this data and emphasize that any new system must include robust safeguards and strict proportionality to satisfy the courts.
However, privacy experts and technologists have long warned that such 'safeguards' are not enough, arguing that you cannot weaken encryption or retain this data without fundamentally compromising user security.
Besides virtual private network (VPN) companies, other online services
targeted include messaging apps, hosting providers, file sharing services, cloud storage apps, and other over-the-top (OTT) services.
An impact assessment is due in early 2026. Lawmakers are waiting for the outcome before presenting a legislative proposal, which is expected around
June next year.
What's next for EU citizens privacy?
Greater data retention obligations would clash directly with the core architecture of privacy-preserving technology.
Take no-log VPNs , for example. These services are designed specifically not
to log user activity, and their security promise relies on the fact that the data simply does not exist.
That model appears to be incompatible with the retention requirements EU
member states are now demanding. If the Council's vision becomes law, a "no-log" service could effectively be illegal in Europe.
As AdGuard VPN 's Chief Product Officer, Denis Vyazovoy, told TechRadar back
in April : "A legal framework that forces VPNs to retain user metadata potentially for a prolonged period could make such services untenable,
leading to the withdrawal of VPN providers from the EU."
Similarly, NordVPN spokesperson told TechRadar that collecting more user data would threaten people's security.
We have approached other major providers for their reaction to the Council's latest document and will update this page when we hear back.
While the final legislation is still being drafted and ProtectEU's future is uncertain, European governments seem determined to grant law enforcement ever more access to our data, regardless of the technical or privacy
contradictions.
======================================================================
Link to news story:
https://www.techradar.com/vpn/vpn-privacy-security/the-eu-prepares-ground-for- wider-data-retention-and-vpn-providers-are-among-the-targets
$$
--- SBBSecho 3.28-Linux
* Origin: Capitol City Online (1:2320/105)