Migration and Home Affairs

Access to electronic data enables police and public prosecutors to investigate crimes: those committed online or enabled by using the internet or telecommunication networks, as well as crimes committed in the physical world. Non-content data (such as subscribers’ information, IP addresses, the location of a device, the time and duration of a communication) might be decisive in conducting investigations, as they could allow for the identification or location of suspects and/or accused persons and victims, and shed light more generally on the commission of an offence. Access to (non-content) data in turn depends on its availability and retention by communication service providers.

In line with EU privacy and data protection laws, electronic communications service providers may only store non-content communication data that are going through their systems for as long as is necessary for specified, explicit and legitimate business purposes. However, legal obligations can require them to keep (or ‘retain’) these data for other purposes, for example if they are needed for the prevention, investigation, detection and prosecution of criminal offences.

Today, no EU-wide legal framework exists in this area. While most EU Member States rely on national laws that diverge across the EU, other Member States do not have rules in place.  

The lack of harmonised data retention rules for key categories of data has been identified by the police, prosecution services and judicial authorities as a substantial challenge for national criminal proceedings concerning crimes happening both online and offline, and as hampering cross-border cooperation across the EU.

In the High-Level Group on Access to Data, experts recommended the adoption of an EU framework on the retention of data for law enforcement purposes, covering also access safeguards.  

President von der Leyen’s Political Guidance referred to the need to “update law enforcement’s tools for access to digital information and rules on data retention, while safeguarding fundamental rights”.

In ProtectEU: a European Internal Security Strategy, and in the Roadmap for lawful and effective access to data for law enforcement, the Commission committed to prioritise the preparation of an impact assessment to update EU rules on data retention as appropriate.

In May 2025, the Commission launched the process to prepare an Impact Assessment on Retention of data by service providers for criminal proceedings. The Commission has initiated consultations to obtain stakeholder views as well as facts and figures to: 

  • Examine the scope and magnitude of the obstacles resulting from the currently diverse legal provisions on data retention in Member States
  • Identify policy responses for possible future action at EU level: non-regulatory and regulatory measures
  • Assess the impact of different policy measures in terms of the security of citizens, a functional market for electronic communication services and the effective protection of fundamental rights

The Commission will consider and assess different options, both non-regulatory and regulatory measures.