Since the 2014 invalidation of the EU Data Retention Directive, the legal framework across Member States has been fragmented, creating uncertainty for service providers and operational challenges for law enforcement. The CJEU and ECtHR have set strict requirements: data-retention rules must be necessary and proportionate and must include robust safeguards. General and indiscriminate retention is only potentially justified for national security, while targeted retention is allowable for public security or important public-interest goals.
Access to retained data must be restricted to the purpose for which the data was collected (or a more important objective) and protected by safeguards akin to those for secret surveillance. Stakeholders are split: law enforcement wants EU harmonisation but fears overly restrictive rules; providers want a CJEU-compliant regime with cost compensation; civil society opposes new rules and urges enforcement of existing case law. This briefing is one of four publications on the roadmap for lawful data access.
Key points
- Post-2014 fragmentation: Member States’ approaches vary, producing legal uncertainty and enforcement issues.
- CJEU/ECtHR standards: retention regimes must be proportionate, necessary, targeted where possible, and include robust safeguards; indiscriminate retention only defensible for national security.
- Access limits: use of retained data must be purpose-limited and subject to strong procedural and technical safeguards similar to those for secret surveillance.
- Stakeholder split: law enforcement favours harmonisation; providers want clarity and compensation; civil society prefers enforcement of current rulings over new EU legislation.
- Context: This is part of a four-piece series covering the roadmap and briefings on lawful interception, data retention and digital forensics.