The European Commission has just launched a call for citizen participation regarding the future EU regulation on data retention by electronic service providers, a topic that brings to the forefront the delicate balance between the fight against crime and the protection of fundamental rights in the digital age.
Why now? The political and legal context
Currently, there is no common framework at the European level that requires electronic communications service providers (from telephone companies to online messaging services) to retain certain data for use in criminal investigations and proceedings. Each member state applies its own regulations, which creates significant divergences and challenges for both law enforcement and the technology companies that must operate across different countries.
This legal fragmentation constitutes, according to the Commission’s document, a serious obstacle in the fight against serious crime and in cross-border judicial cooperation, as frequently key data has been deleted before authorities can request them, hindering or preventing many investigations, especially in crimes committed entirely online.
What data is at stake?
The proposal focuses only on “non-content” data:
- subscriber information,
- origin and destination of messages,
- device location,
- date, time, duration, and size of communications,
but it does not include the actual content of the communications.
This data is essential for identifying suspects, locating victims, or reconstructing events, but it is also highly sensitive, as it allows for the mapping of life patterns and personal relationships.
The legal challenge: fundamental rights and privacy
The protection of privacy, personal data, and freedom of expression—enshrined in the EU Charter of Fundamental Rights—is at the heart of the debate. Since 2014, following a landmark ruling from the Court of Justice of the European Union (CJEU), the EU cannot impose general and indiscriminate data retention except under strict safeguards and for limited periods. This has forced member states to adapt—and often limit—their national legislations, creating the current regulatory mosaic.
Options under consideration and next steps
The European Commission is exploring several alternatives, including:
- Recommendations and soft cooperation measures: such as common standards for categorizing data, unified request forms, or recommendations on minimum retention periods.
- New legislative obligations: that establish mandatory and harmonized requirements for the retention and access to certain non-content data, in line with the CJEU jurisprudence.
- Safeguard mechanisms: strict guarantees of proportionality, judicial oversight, and protection of fundamental rights.
The goal is to ensure that data retention occurs only to the extent that it is necessary and proportionate, and that there are clear safeguards against abuse or excessive use.
Anticipated impacts
- Society: Greater effectiveness in prosecuting crimes and protecting victims.
- Economy: Reduced legal uncertainty and costs for companies operating in multiple countries, although it is acknowledged that in countries without prior obligations, the burden may increase.
- Fundamental rights: Any measure must be carefully weighed to avoid unjustified negative impacts on privacy, data protection, and freedom of expression.
Participatory process and public consultation
The Commission has opened a public consultation phase, where any citizen, company, public agency, digital rights organization, academic, or expert can share their opinions, concerns, and proposals. This consultation will serve as the basis for the impact assessment and the design of the legislative proposal, scheduled for the first quarter of 2026.
Additionally, there will be surveys, interviews, and forums aimed at various stakeholder groups: law enforcement, tech sector, privacy advocates, victims, legal experts, and others.
The European initiative on data retention is a key step in seeking a balance between security and privacy in the digital environment. The coming weeks and months will be decisive in defining to what extent authorities will be able to access electronic data and under what conditions, with the active participation of society.
More information and access to the public consultation:
European Commission’s “Have your say” portal