European governments are preparing to revisit one of the EU’s most controversial surveillance ideas: forcing online services to retain vast amounts of user data for up to a year.

A Council paper now circulating (via Netzpolitik) among member states outlines a plan that would apply not only to telecom operators but to nearly every major digital service, including cloud platforms, domain hosts, payment processors, and even end-to-end encrypted messengers such as WhatsApp and Signal.

Officials insist they do not intend to compromise encryption or read private messages. What they want is the so-called metadata: who contacted whom, from where, at what time, and through which service.

This form of tracking, while technically outside the message content, can still provide a detailed picture of someone’s social network, movements, and daily behavior.

The push represents a sharp departure from existing limits.

Previous EU and German laws, both struck down by the Court of Justice of the European Union (CJEU) and national courts, had already been judged unlawful for collecting everyone’s data “without differentiation, restriction or exception.”

Those rulings required that any retention be narrowly targeted and proportionate. Despite that, the new draft takes the opposite path, proposing to widen the net instead of narrowing it.

Germany’s government has been exploring a shorter-term model, keeping IP addresses and port numbers for a few months, but the Council paper shows that most EU states are lobbying for a far more comprehensive scheme.

More: Germany Turns Its Back on Decades‑Old Privacy Protections with Sweeping Surveillance Bill

They are asking for “the widest possible coverage” across internet services, explicitly naming VPN providers, hosting companies, cryptocurrency traders, gaming and ridesharing platforms, and e-commerce intermediaries.

In effect, any business that connects people online could become a state-mandated data warehouse.

Although some officials claim the retention would focus on subscriber details like IP addresses, several states want to go much further. Their proposals call for recording the serial numbers of internet devices and collecting “communication connection data” that reveals who interacts with whom, when, and how.

That language mirrors the now-defunct 2006 EU Data Retention Directive, which required telecom companies to log every phone call, email, and text message for potential use by investigators.

The document also shows interest in location tracking. Mobile networks continuously record where a phone connects, which allows near-real-time mapping of a person’s movements.

Proponents suggest using this data to locate missing persons, though the paper concedes that “not all cases of missing persons constitute a potential offense.”

Even so, several states want the power to retain these records for everyone, not just for targeted investigations.

Earlier EU and national frameworks limited storage to about six months. The current proposal nearly doubles that. Most governments are pressing for a one-year minimum, with some arguing that Brussels should only set the floor, not the ceiling, so national authorities can keep data even longer.

Law enforcement agencies have previously said that data older than a few weeks rarely plays a critical role. Germany’s Federal Criminal Police Office, for example, has stated that “a storage commitment of two to three weeks would be sufficient on a regular basis.” The new plan disregards that assessment entirely.

Each member state would be allowed to decide what counts as a “serious” crime, effectively opening the door for the same surveillance data to be used in routine investigations of online harassment or “hate speech,” and other pro-censorship buzzwords.

That flexibility means a system built for exceptional threats could easily become the foundation for day-to-day policing. Once the data exists, the temptation to expand access is constant.

The Council itself acknowledges that previous laws were struck down because they treated every person as a potential suspect.

Yet the new plan offers no clear explanation of how it would comply with those rulings. Instead, some member states propose to “reassess the necessity and proportionality” of retention in light of “technological developments and changing ways of committing crimes.”

In simpler terms, they want to reinterpret the legal boundaries rather than adapt their proposals to them.

The European Commission has already completed preliminary surveys and a public consultation. An impact assessment is due in early 2026, followed by a legislative proposal expected “at the end of the first half of 2026.”

If the plan moves forward, Europe could see the return of broad-scale data retention under a new label. For ordinary users, that would mean their online activities, emails sent, calls made, apps used, and locations visited could be quietly stored for a year or more, accessible to state authorities whenever an investigation demands it.

The post EU Revives Plan for Year-Long Data Retention Across Digital Services, Including Encrypted Apps appeared first on Reclaim The Net.