According to TechRadar, an internal EU Council document from November 27 reveals member states are pushing to force a wide range of online services—including VPNs, messaging apps, and cloud storage—to log user metadata. The data targeted includes traffic history, location data, and IP addresses, going far beyond simple account ownership. This effort is part of the “ProtectEU” strategy, first unveiled in April, which aims to create a framework for law enforcement access to data, with an intent to decrypt private data by 2030. An impact assessment is due in early 2026, with a formal legislative proposal expected around June of that year. Privacy experts and VPN providers like AdGuard and NordVPN warn that such mandates would undermine core security promises and could force services to withdraw from the EU. The document, first published by Netzpolitik, shows member states acknowledge legal hurdles but are determined to establish a new legal baseline for data retention.
The End of No-Log VPNs?
Here’s the thing: this proposal directly attacks the foundational promise of privacy tech. A “no-log” VPN’s entire value proposition is that it doesn’t store your activity data. The security model is simple: if the data doesn’t exist, it can’t be leaked or seized. What the EU governments are describing would make that business model illegal. As Denis Vyazovoy from AdGuard VPN said, it could become “untenable.” So we’re talking about a fundamental clash, not a minor regulatory tweak. Would any serious privacy-focused company even operate under these rules? Probably not. They’d likely just block EU users or shut down entirely.
Safeguards Are a Technical Fantasy
The document mentions the need for “robust safeguards” and “strict proportionality.” But let’s be real. Technologists have argued for years that you can’t safely retain this kind of sensitive metadata. Creating a massive, centralized trove of everyone’s connection logs is a hacker’s dream and a privacy nightmare. The “safeguards” always seem to fail or get quietly expanded later. And think about the scope—they’re not just talking about telecoms anymore. They want this from messaging apps, file-sharing services, the whole digital ecosystem. It’s a staggering level of proposed surveillance, all in the name of lawful access. But can you have both bulk data retention and true security? I don’t think so.
The Broader Trajectory and What’s Next
Now, this isn’t law yet. The impact assessment in early 2026 is the next big step, and that’s where the technical and economic arguments will really get heated. But the direction is clear. European governments are systematically working to reverse the tide of strong encryption and anonymity that has defined the last decade of the internet. The “ProtectEU” roadmap, aiming for decryption capabilities by 2030, is the overarching goal. This data retention push is just one tactical move within that larger strategy. It sets a concerning precedent. If this passes in the EU, how long before other regions try to copy it? The fight over this legislation in 2026 will be a major bellwether for the future of digital privacy globally. Companies that rely on providing secure, private infrastructure—from VPNs to secure hosting—need to pay very close attention.
