EU Prepares Wider Data Retention Rules, VPN Providers Could Be Affected
- Expanded Data Collection: EU data retention may require logging users’ online activity, IP addresses, and locations.
- VPN Impact: No-log VPNs could become illegal if forced to store user metadata for authorities.
- Legislative Timeline: Proposal expected mid-2026 after impact assessment, targeting multiple online services including cloud and messaging apps.
The European Union is moving toward expanding data retention requirements, targeting apps and services that millions of citizens use daily, including popular VPN providers. A legislative proposal is expected in the first half of 2026.
EU Governments Push for New Data Retention Framework
An internal EU Council document, dated November 27 and first published by Netzpolitik, sheds light on the current discussions led by the Danish Presidency. The document shows that most EU member states agree on the need for a new framework for data retention.
The discussion follows the EU Commission’s "ProtectEU" strategy, introduced in April, which aims to create a roadmap for "lawful and effective access to data for law enforcement." The Commission’s roadmap, presented in June, includes a plan to decrypt citizens’ private data by 2030.
The document highlights that EU governments consider metadata – particularly traffic and location history – critical for law enforcement. Officials argue that merely knowing the account owner is insufficient. They want companies to log details such as when users were online, their locations, and IP addresses.
Privacy Concerns and Targeted Services
While EU governments stress that any new system should include safeguards and proportionality to comply with courts, privacy experts warn that such measures may not be enough. Weakening encryption or storing this type of data could undermine user security.
Besides VPNs, other affected services could include messaging apps, cloud storage platforms, hosting providers, file sharing services, and other over-the-top (OTT) services.
Take no-log VPNs, for example. These services are designed not to store user activity, and their security relies on this principle. Under the EU’s proposed framework, no-log VPNs might become illegal in Europe.
Next Steps for EU Legislation
An impact assessment is expected in early 2026. Lawmakers plan to review the findings before introducing a formal legislative proposal, likely around June next year.
While the final legislation is still in progress and the future of ProtectEU remains uncertain, European governments appear determined to increase law enforcement access to user data, despite potential conflicts with privacy technology.
What EU Data Retention Would Mean for Users
- VPN users may lose no-log services: Some VPNs could stop operating in Europe if forced to retain user metadata.
- Increased tracking: Apps and online services may have to store more data about your online activity and location.
- Privacy risks: Even with safeguards, storing metadata can make users more vulnerable to hacks or misuse.
- Law enforcement access: Governments could access more detailed data for criminal investigations.










