Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document Ares(2025)4081079

Impact assessment on the mandatory retention of metadata by service providers for the purpose of criminal proceedings

CALL FOR EVIDENCE

FOR AN IMPACT ASSESSMENT

Title of the initiative

Impact assessment on retention of data by service providers for criminal proceedings

Lead DG (responsible unit)

HOME.D4

Likely type of initiative

Indicative timetable

Q1 2026

Additional information

Cybercrime - European Commission; High-Level Group (HLG) on access to data for effective law enforcement - European Commission

   A. Political context, problem definition and subsidiarity check

Political context

To effectively fight and prosecute crimes, police and judicial authorities may need access to certain non-content data processed by electronic communication service providers. In the absence of specific obligations requiring those providers to retain data for a reasonable and limited period of time, data may be deleted by the time authorities request them for the purpose of criminal proceedings . At present, no EU-wide legal framework exists in this area. While most EU Member States rely on national laws that diverge across the EU, other Member States do not have rules in place. The lack of harmonised data retention rules for key categories of data was identified by the police, prosecution services and judicial authorities as a substantial challenge for national criminal proceedings in crimes happening both online and offline and hampers cross-border cooperation across the EU. The topic was of focal importance in the High-Level Group on Access to Data, where experts recommended the adoption of an EU framework on the retention of data for law enforcement purposes, covering also access safeguards. Commission President von der Leyen (1) (2) and EU Member States in Council Conclusions on Access to Data for Effective Law Enforcement and on Strengthening Joint Counterterrorism Efforts recently underscored the need for measures to ensure lawful and effective access to data for law enforcement purposes. In the Communication ProtectEU: a European Internal Security Strategy, the Commission committed to present in 2025 a Roadmap setting out the way forward on lawful and effective access to data for law enforcement and to prioritise an assessment of the impact of data retention rules at EU level.

Problem the initiative aims to tackle

In a digital society, electronic evidence is critical in most criminal investigations and prosecutions. Non-content data (such as subscriber information, the source and destination of a message, the location of the device, date, time, duration, size, or another type of interaction that does not include the content of the communications) could be decisive in identifying or locating suspects and/or accused persons, victims, and in shedding light in general on the commission of an offence. Electronic communication service providers store non-content data of communication going through their systems. Since these non-content data can be personal in nature and provide information about the private life of the persons to whom they relate, pursuant to fundamental rights (in particular Articles 7, 8 and 11 of the Charter) and EU privacy and data protection laws, service providers have to delete them when they are no longer necessary for legitimate business purposes. Storing data for longer periods of time is possible only if there are specific legal obligations requiring so. Following the decision of the Court of Justice of the European Union to declare invalid the EU Data Retention Directive on the grounds of a serious interference with fundamental rights and a lack of specific access safeguards, since 2014, EU law does not provide for obligations on service providers to retain data for law enforcement purposes any more. While these obligations exist in many EU Member States, there are substantial discrepancies among their legislations as regards the requirements regulating the retention. As a result, police and prosecutors face obstacles in conducting their work, as often the necessary data is not or no longer available when the investigation is conducted. In the current scenario, some crimes – in particular those happening exclusively online, cannot be investigated and prosecuted efficiently.

Electronic ccommunication service providers also face higher costs and obstacles in offering their services across the EU, due to the fact that they have to comply with different legal requirements in the various Member States and as a consequence of the frequent changes to national legislations as a result of judgements and national and/or EU level. 1  Moreover, most national data retention laws only apply to traditional telecommunication platforms, and do not cover communication providers offering their services via the internet, which constitute currently the most used communication services. Diverging national laws also affect citizens, given that by the time criminal investigations are carried out, the necessary non-content data have already been deleted. Authorities might then not be able to adequately protect and deliver justice to citizens. These divergencies among national laws are likely to continue increasing with the advent of new digital communication technologies and services that will be developed in the future.

The causes of the current situation can be identified in the lack of harmonised requirements and safeguards for the providers of electronic communication services, both number-dependent and number independent, to retain data beyond the time required for their specific business needs, so that the data can be available longer for law enforcement purposes.

Basis for EU action (legal basis and subsidiarity check)

Legal basis

The legal basis is to be decided and depends on the result of the impact assessment.

Practical need for EU action

The challenges identified cannot satisfactorily be dealt with by individual Member States alone. In the absence of an action at the EU level, Member States are expected to continue updating their national laws to implement requirements from the case law of the Court of Justice of the EU, the European Court of Human Rights and national courts. They will also need to respond to new and emerging technologies, entailing the risk that rules will further diverge. This will compound negative effects on EU citizens, criminal investigations, electronic communication service providers and other relevant stakeholders. At the same time, there is need to ensure that the interference with fundamental rights of the users through data retention and access obligations is proportionate, as set out by the caselaw of the Court of Justice of the European Union. Data retention laws touch on a variety of policy areas, including security, justice, fundamental rights, the economy and affect different stakeholders (e.g. authorities, companies, citizens). Given the impact on the EU internal market and the EU area of freedom, security and justice, action at EU level to address the identified problems could be considered the most appropriate way forward. The main aim of EU action could be to ensure a harmonised application of data retention obligations for service providers, including safeguards on access by the police and judicial authorities, to ensure legal certainty for relevant stakeholders and a level-playing field for service providers offering their services within the EU.

B. Objectives and policy options

The overall objective of the initiative is to ensure the availability of certain categories of non-content data for the purpose of carrying out successful criminal investigations and prosecutions, while respecting and safeguarding EU standards for the protection of fundamental rights, preserving cybersecurity and the integrity of the EU Market.

To achieve this, the Commission will consider and assess different options. These include:

- soft law measures to enhance cooperation between public authorities and electronic communication service providers, both number dependent and number independent, such as common standards at EU level for data categorisation, forms for requesting and providing data, guidelines on minimum retention periods on subscribers’ and IP addresses/w timestamp, voluntary cooperation;

- legislative measures setting mandatory requirements for all service providers covered by the European Electronic Communication Code 2 for the retention of and access to non-content data in compliance with existing case law of the Court of Justice of the European Union. Different legislative solutions might be designed depending on the non-content data to be retained in conjunction with the crime to be pursued.

The most appropriate option will be identified during the impact assessment, based on the evidence collected, the consultation of stakeholders and after comparing the different options.

C. Likely impacts

This initiative is expected to have impacts on several domains:

Societal impacts: Availability of non-content data would help public authorities to detect, investigate and prosecute crime more effectively, thus ensuring a safer society, both online and offline, for EU citizens. Positive impacts are expected to affect both national criminal proceedings and cross-border cooperation to fight crime.

Economic impacts: electronic communication service providers will avoid additional compliance costs and legal uncertainty resulting from different legal and technical requirements, depending on the EU Member State(s) where they are established or operate in. The initiative will assess ways to reduce obstacles to the provision of services within the EU internal market. At the same time, it will increase the costs for retaining data in Member States in which no data retention obligation for law enforcement purposes exists.

Fundamental rights impacts: The non-content data retained and accessed could provide information to authorities about the private life of persons to whom these data relate and thus interfere with the fundamental rights protecting their privacy (Art. 7 of the Charter of Fundamental Rights of the European Union), their personal data (Art. 8) and their freedom of expression (Art. 11). Enhancing public authorities’ capacity to retrieve non-content data and obtain evidence in criminal proceedings, would serve the public interest of more effective detection and prosecution of crimes, the freedom to provide services within the EU internal market, and could translate in more justice for victims, suspects and accused persons. Where the options considered in the impact assessment should limit fundamental rights, these will be weighed against the interference with such rights, and full consideration will be given to providing adequate safeguards to ensure their necessity and proportionality for achieving the intended objective.

D. Better regulation instruments

Impact assessment

The Commission will carry out an impact assessment with a view to updating rules on data retention at EU level, as appropriate. A Public Consultation will be published in Q2/Q3 2025 pursuant to the Commission Better Regulation Policy. The Commission will conduct a thorough collection of evidence from different sources, including the general public through different means, such as this public call for evidence, and surveys targeted to relevant stakeholders.

Consultation strategy

The Commission plans several consultation activities to support this initiative. Their aim is to collect evidence and views from a broad range of stakeholders. The main consultation activities will include:

-feedback on this Call for Evidence;

-feedback on a public consultation that will be published in all EU official languages on the Commission’s “Have your say” website for a period of 12 weeks; 

-targeted consultations with relevant stakeholders in the form of interviews and surveys to collect also quantitative and qualitative evidence on the necessity and proportionality of these measures.

In line with the European Commission’s Better regulation policy to develop initiatives informed by the best available knowledge, we also invite scientific researchers, as well as academic organisations, learned societies, and scientific associations with expertise in the technical and policy fields linked to initiative, to submit relevant published and pre-print scientific research, analyses and data. The Commission is particularly interested in submissions that synthesise the current state of knowledge in relevant field(s).

The Commission will publish a factual summary report with the contributions to the public consultation. It will also analyse the feedback to this call for evidence and the results of the subsequent consultations in a synopsis report, annexed to the Impact Assessment (Staff Working Document).

Why we are consulting?

The objective of the consultation is to ensure that the Impact Assessment relies upon extensive quantitative and qualitative evidence and expertise, and to allow stakeholders (including citizens and those who would be directly affected by this initiative) to provide their views and input on the possible options for the way forward.

Target audience

The main categories of stakeholders that the Commission plans to consult include the following: general public; practitioners operating in public security sectors (justice, home affairs and digital policies); the police and judicial authorities; cybersecurity experts, data protection and privacy authorities; professional lawyers associations, academia, researchers and think tanks; civil society organisations working on digital rights victims' rights, or more broadly on fundamental rights; industry.

(1)  The recent analysis by Eurojust and the European Judicial Cybercrime Network - EJCN “ The effect of Court of Justice of the European Union case-law on national data retention regimes and judicial cooperation in the EU ” reports that twelve Member States (BE, DK, EE, IE, FR, HR, IT, LV, LT, PT, SK, SE) made key changes to their legislation between 2018 and 2022 as a direct result of CJEU Case C-746/18, Prokuratuur, and Joined Cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and Others; four Member States do not have in place anymore mandatory data retention rules for the purpose of criminal investigations (DE, NL, RO, SI), p. 6
(2)  Art. 2(4) Directive (EU) 2018/1972: ‘electronic communications service’ means a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:(a) ‘internet access service’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120;(b) interpersonal communications service; and(c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting;
Top