Data retention, VPN logging and internet surveillance in Europe -

Data retention, VPN logging and internet surveillance in Europe

Douglas Crawford

Douglas Crawford

May 7, 2013

Update 06 November 2014: In April this year the European Court of Justice (ECJ), the highest court in the EU, declared the EU-wide Data Retention Directive invalid on the grounds that,

By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and  to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

However, not one country has repealed local implementation of the DRD, and the UK has even gone so far as to defy the ECJ and pass new mandatory data retention legislation.


The European Union is well known for its extensive and highly controversial mass surveillance legislation, the mandatory Data Retention Directive (DRD), adopted in March 2006. This requires all ISPs and communications providers to keep data for at least 12 months, and which must include enough information to:

  • trace and identify the source of a communication
  • trace and identify the destination of a communication
  • identify the date, time and duration of a communication
  • identify the type of communication
  • identify the communication device
  • identify the location of mobile communication equipment

In practice this means that logs are kept of all telephone calls, SMS messages and emails made and received, and all websites visited, and all EU citizens are subject to this massive invasion of privacy, regardless of whether or not they are suspected of any crime.

The details of who can access this information varies by country (for example in the UK a large number of organisations have been granted access with very little judicial oversight), but in general it must be available to ‘competent’ national authorities in specific cases, ‘for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law’.

The position of VPN providers depends on how each country has transposed the directive into national legislation (where they have). While many countries do include VPN providers in the legislation and require them to keep logs (see list), a number of counties (discussed below) either do not require VPN providers to keep logs, or have rejected the legislation outright.

Counties in full compliance with the EU DRD (including VPN services in the legislation) include:

Denmark, Estonia, Finland, Greece, Hungary, Ireland, Latvia, Lichtenstein, Lithuania, Malta, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Switzerland and the UK.

Opposition to the Data Retention Directive

As noted at the beginning, the DRD represents a massive invasion of every EU citizen’s civil liberties (on a par with the likes of China and Iran). It consequently remains highly controversial and has faced intense criticism, with many legal fights against its incorporation into national law remaining on-going (although many countries which initially put up a fight have now given and accepted the legislation) .

In April 2011 the European Commission published a report evaluating the directive, concluding that it was valuable tool for ensuring criminal justice and public protection, but that it suffered from inconsistences in how different member countries implemented it. This report was promptly attacked by the European Data Protection Supervisor (EDPS), who stated that the directive ‘does not meet the requirements imposed by the fundamental rights to privacy and data protection’. The EDPS also criticised the Commission’s report on the grounds that it had failed to demonstrate that the DRD was necessary or proportionate, both of which are required to make it lawful under the EU Charter of Fundamental Rights. Anadditional criticism was that there was far too much leeway in how individual countries chose to implement the DRD, and who was allowed access to the data.

Currently opponents such as the European Digital Rights (EDRIi), the Electronic Frontier Foundation (EFF) and AK Vorrat are campaigning for the European Commission to prove that the DRD is necessary to the investigation of serious crime, for a system to allow citizens to monitor the impact of the directive on their privacy, and for the complete repeal of the DRD in favour of a targeted system of data collection r(ather than blanket coverage of the EU’s 500 million innocent citizens).

Countries which have not implemented the DRD

Belgium – the DRD remains highly contentious, and has not been implemented (yet). However, Belgium does have strict laws (especially targeted at copyright infringement) and some internet censorship.

Cyprus – in February 2011 the Cyprus High Court ruled the DRD unconstitutional. There is however some very limited implementation of it, but with only a 6 months data retention period, in which data can only be accessed ‘in cases of convicted and unconvicted prisoners and business correspondence and communication of bankrupts during the bankruptcy administration’.

Czech Republic – in July 2012 the DRD was rejected by the High Court on the basis that it was unconstitutional and that it infringed on people’s right to privacy. However, a new data retention law was passed in July 2012, and only awaits the President’s signature before becoming law.

Germany – constitutional challenges have stalled implementation of the directive, although it has been ruled by the courts that the DRD could be acceptable if amended. In April 2012 the EU Commission warned against this however, and threatened to fine Germany if the DRD is not fully brought into law. It should be noted that although the DRD has not yet been implemented, internet surveillance and server raids are common in Germany.

Countries where the DRD does not apply to VPN

Most of the following countries resisted the DRD, often faced putting up stiff opposition on constitutional grounds. Although they have now brought into alignment with the directive, implementation is generally less than enthusiastic, and VPN providers are excluded from the legislation:

Bulgaria, Luxemburg, Netherlands, Romania and Sweden.

The DRD is also not applicable VPN providers in France and Italy, but these countries have other internet surveillance issues and strongly enforced copyright enforcement laws.

Non EU European Countries

Iceland and Serbia are not subject to the DRD but have adopted their own data retention policies. However (as far as we understand it), these do not apply to VPN services.

Other data logging, internet surveillance and copyright laws in Europe

In addition to the European Union’s Data Retention Directive, most counties have their own legislation regarding logging, on-line spying and anti-piracy, exploration of which is far beyond the scope of this article.  To give an idea just how complex the picture is, and to what extent law-abiding citizens civil liberties are under attack, you may wish to look at our in depth article on Data Retention in the UK, which paints a truly chilling picture.

Good European countries for VPN

To summarise the above information, good countries for European VPN providers to be based in are:

  • Bulgaria
  • Cyprus
  • Czech Republic (for now)
  • Iceland
  • Luxembourg
  • Netherlands
  • Romania
  • Serbia
  • Sweden

To take a look at a list of the best VPN services in our opinion, read this.


The EU wide Data Retention Directive is an incredibly sinister and draconian piece of legislation pushed through by powerful US and UK government interests in the wake of 9/11 and the 7/7 London bombings. Outside of extremely restrictive countries controlled by militaristic regimes (such as China and Iran), it is the most far ranging intrusion into the personal lives of law abiding citizens to date (although numerous international and national pieces of legislation such as ACTA and the recently abandoned CISPA (US) and CCDP (UK) have come close).

The threat to internet users’ civil liberties is on-going and omnipresent. Governments’ desire to monitor and store every single piece of information about their citizens (all the better to control them with), combined with the insane lobbying power of an entertainment industry that is determined to preserve its massive profits at any cost, has led to an unprecedented attack on our most fundamental freedoms.

This is a threat that is not just not going away, but will almost increase over coming years as the rich and the powerful try to wrest control of the internet into their own hands. One of the most powerful tools in the fight against this, and for our individual freedoms, is VPN. However, VPN only truly works when no records are kept that can be traced back to individual users. Government and copyright enforcers are well aware of this fact, hence the sweeping powers enshrined in the DRD which aim to remove internet users anonymity.

Fortunately, in Europe some countries have resisted the full implementation of the directive, and provide safe havens (for the being) for VPN users. The future of VPN, and who controls the internet itself is, deeply uncertain but as long as technologies such as VPN can keep one step ahead, the ordinary internet users still stands a chance at retaining their online liberty and autonomy.

Update: We made an error including Switzerland in the DRD. Switzerland is not an EU-member so the DRD does not apply there. It does have its own very strict Data Retention Laws, but these do not apply to VPNs, so it should be included on the list of ‘Good European countries for VPN’, For more details on the situation in Switzerland, see here.

Update 30 June 2014: On 8 April 2014 the European Court of Justice declared the EU Data Retention Directive invalid, on the grounds that,

By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and  to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

See our article here for more details. Unfortunately, Denmark is the only country we are aware of to make any effort at removing local implementation of the DRD from national laws. In most counties, therefore, despite the ECJ ruling, the Data Retention Directive stands (we have an article on the situation in the UK, for example).


Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

13 responses to “Data retention, VPN logging and internet surveillance in Europe

  1. An interesting new article: (see last paragraph):
    “On 8 April 2014, the Court of Justice of the European Union declared the Data Retention Directive invalid (joined Cases C-293/12 and C-594/12). The Court took the view that the Directive does not meet the principle of proportionality and should have provided more safeguards to protect the fundamental rights to respect for private life and to the protection of personal data. The Court also considered that data retention serves, under clear and precise conditions, a legitimate and general interest, namely the fight against serious crime and the protection of public security.”

    1. Hi Fly,

      Another great link! It will be interesting to see how the European Commission and national European governments deal with the ECJ ruling…

  2. No link provided in last sentence of the post.
    (‘For more details on the situation in Switzerland, see here.’)

    1. Hi Elena,

      Sorry about that – I’ve put in the link. Please note our new update however – the European Court of Justice has struck down the DRD.

  3. @iceland The case of the Silk Road shows that Iceland does retain and give up the data to whomever asks.

    Any proof/link that says so?

  4. Hi,

    If I understand correctly VPN providers fall within the scope of the DRD. How a country such as Luxembourg managed to keep VPNs outside the scope of its data retention legislation ?

    Kind regards.

    1. Hi Vince,

      As we understand it, VPNs are not explicitly covered by the DRD, although most countries assume they are covered by the somewhat grey wording, and explicitly include them when implementing the DRD into national legislation. Some counties have however chosen to take the opposite position (perhaps because they are less than than enthusiastic about the DRD the first place). This is a murky area of law that is less than well documented. We have spent a great deal of time researching it, and the that fact that some EU counties do not apply the DRD to VPNs is reported by multiple sources (some more reliable than others, but hard facts are difficult to obtain on this subject). We are not lawyers or experts in international law, so please take the above piece for what it is – an extensively researched article that tries to bring the disparate and often somewhat sketchy information available on the internet into a useful and accurate as we can make it form that we hope will be useful to our readers. If any readers have any additional information on this (or any other) subject, we would welcome their comments.

  5. Hi M,

    We have just published an article on the subject ( The relevant passage (with references in the article) is:

    “The changes were due to come into effect in April 2012, although we have been unable to determine whether this has in fact happened (Wikipedia reports that the changes will not come into effect until 1 January 2015, but we are unable to confirm this).”

    If you are able to furnish more information than we have been able to find, we would love to hear it!

  6. “Counties in full compliance with the EU DRD (including VPN services in the legislation) include: […], Norway, […]”

    That is not true. Norway has not yet implemented the EU DRD.

Leave a Reply

Your email address will not be published. Required fields are marked *