
In early 2026, one new law and one far‑reaching legislative initiative are expected to seriously affect digital freedoms in the EU. The first allows police to collect biometric data and target individuals; the second aims to put all metadata into one box and then use AI to run investigations. Naturally, both laws were adopted under the mantra of protecting democratic values, rights, and freedoms. Xeovo has examined the sprawling regulatory texts and explains what exactly Members of the European Parliament are aiming at.
Data in the hands of police
Starting in early 2026, a law granting Europol expanded powers over migrants’ data will enter into force. It was adopted by all participating Member States; Denmark, which has an opt-out from EU migration policy and police cooperation, is not covered by the regulation. (One might envy such accession terms. At the same time, Denmark is actively encouraging other countries to give up on privacy rights.)
The first part of the law outlines concrete steps to grant Europol the following powers:
- require national immigration authorities to use the SIENA system, managed by Europol, to share information on migrant smuggling and human trafficking;
- use and exchange biometric data effectively, and develop specific tools for that;
- transfer personal data to third countries for the purpose of combating migrant smuggling, etc.
This sounds like an attempt to give a single centralized structure control over highly sensitive information. And so far, we are still only talking about regulating irregular migration. The second part of the law, however, expands the scope of law enforcement much further.
Against the backdrop of rhetoric about the importance of joint action against crime, the document stresses the need to exchange information on any cross-border offences. It also refers to individuals who pose a high risk to security. In practice, this category can include almost anyone — from actual migrant smugglers to political activists.
“… conduct joint <…> criminal intelligence exchange activities, which include exchanging criminal intelligence, the discovery of links and conducting analyses and investigations, notably of criminal networks and groups, as well as of individual criminal actors who constitute a high risk for security”
The document mentions the creation of operational task forces and describes them as a temporary form of cooperation. At the same time, it explicitly requires these task forces to become integrated within the European Multidisciplinary Platform Against Criminal Threats — a structure that is clearly not designed to be created ad hoc each time.
Then comes one more layer of specificity. Another category of crime that is said to affect a common interest covered by Union policy, and to be increasingly prevalent, is the violation of EU sanctions. Therefore, Europol needs powers to support member states in fighting criminal assets owned by individuals and legal entities subject to Union sanctions, as well as for investigations into the circumvention of trade and economic sanctions. These powers, predictably, include data analysis, tracking financial flows, and coordinating actions between countries.
Fighting sanctions circumvention is undoubtedly important — and deeply politicized. In the context of a law formally aimed at combating migrant smuggling, this raises a reasonable suspicion that migrants from sanctioned countries may be treated as potential influence agents, with their data subjected to particularly close scrutiny by security services.
Civil society groups have criticized the law. They argue that Europol is incapable of effectively controlling migrant smuggling and has instead chosen to expand its digital surveillance capabilities. The law is also technically problematic.
Security services are not particularly fond of external oversight, often operate in secrecy, and in practice their activities are weakly scrutinised by national courts. How exactly they will implement the law in practice remains opaque to the public. Forcing the use of SIENA creates a single point of failure, which is extremely risky in the event of a cyberattack — whether by foreign intelligence services or criminal groups. Biometric data, unlike passwords, cannot be changed.
More broadly, it is unclear how collecting extensive data on victims (irregular migrants) actually helps combat migrant smuggling or other cross-border crimes. This is not pickpocketing at a metro station. Smuggling is a complex, highly profitable network, with organizers often based in third countries that may have little incentive to cooperate with Europe.
Data retention
The Data Retention legislative proposal is going to be introduced in the first half of 2026. The background is as follows: the EU has no unified data retention policy, and the Court of Justice of the European Union considers indiscriminate retention unlawful and places strong emphasis on the right to privacy.
The proposal is therefore framed as an attempt to harmonize rules on the retention of personal data. The formal justification is the investigation and prosecution of serious crime. What qualifies as serious crime will be defined by each member state individually, but in general it includes all crimes committed in cyberspace or using information and communication technology. This includes not only financial and cyber-enabled crime, but also corruption, child exploitation, terrorism, and homicide.
Member States are pushing for retention obligations to cover almost all internet services, from hosting and VPN providers to cryptocurrency traders and food‑delivery platforms. So what data exactly must they store, where, and for how long?
This is where legal sophistry — and open contradiction with the CJEU — begins. First and foremost, the proposal targets subscriber data and IP addresses, as well as metadata associated with communications (traffic and location data). The content of communications will not be retained. At the same time, “data held by service providers for purely business purposes” is deemed insufficient to enable effective investigations — although service providers are hardly minimalistic in the data they already collect.
The proposed retention period ranges from six months to one year. Some member states have suggested setting only a minimum retention period, leaving the maximum effectively open-ended.
Targeted data retention is declared “insufficient to achieve a good outcome for the investigations, since law enforcement authorities will not always know in advance by whom, when, and where a crime is going to be committed”. In other words, since police and security services do not employ clairvoyants, the solution is to collect data on everyone they can possibly reach. Not only EU citizens, either — because “retention based on geographical or personal criteria could be easily circumvented”.
Although access to retained data is supposed to be granted only upon prior authorisation by a court or independent administrative body and only for a specific purpose, data security raises serious concerns. The reason lies in two initiatives outlined in the European Commission’s roadmap published several months before the data retention proposal itself.
The first is the intention to develop tools for decrypting communications:
“…increase funding to support innovation on access to data, support the research and development of new decryption capacities to ensure that Europol is well equipped after 2030”. At present, end-to-end encryption cannot always be broken even with active cooperation from the platforms that deploy it.
The second is the development and use of AI. Europol understands that if it wants to collect as much data as possible, it will need the capacity to process terabytes of it. However, the roadmap proposes using AI not only for data filtering and pattern detection — tasks that already require training models on highly sensitive data with a high cost of error.
The proposal also states that AI is essential for “getting access to encrypted data” and “for law enforcement authorities to prevent crime”. Neither the fact that AI systems are prone to false positives nor the other associated risks are even mentioned. At the same time, the EU AI Act explicitly prohibits the use of AI systems that predict an individual’s risk of committing a crime when this is based solely on profiling or personality traits. This leaves very little room for distinguishing between permitted “risk assessment” and “prohibited profiling.”
Clarification on anonymizing and no-logs services
The authors of the data retention proposal claim that only metadata will be collected. However, metadata today can be just as effective for deanonymizing users as content itself — timestamps and traffic correlation are often enough. That said, some services collect little to no metadata at all, particularly privacy-preserving solutions such as VPNs.
From a technical standpoint, it is impossible to violate the principles of privacy by design or strong encryption without compromising the entire service architecture and user security. If all services operating in the EU are required to retain data, providers that are technically unable — or unwilling — to log user activity will effectively become illegal. Many reputable VPN providers operate servers in Europe, and they will be forced either to abandon their no-logs policies or to exit the EU market altogether — increasing costs both for providers and for users.
In theory, providers may attempt workarounds, such as shared IP addresses or other mitigation techniques. In practice, however, the biggest players have rarely proven to be champions of resistance. After Russia began blocking VPN protocols and banned VPN advertising, major providers such as Surfshark and NordVPN left the market. More importantly, this proposal will have virtually no impact on actual criminals — they rarely rely on standard commercial VPNs in the first place.
Europol is clearly eager to break end-to-end encryption — or, at the very least, to gain access to metadata for as many people as possible. Building police-controlled architectures for data collection and analysis puts at risk everyone whose data ends up in these systems. More importantly, it enables the scope of such laws to be expanded to virtually any sector and any group of people. Previously adopted privacy safeguards and strict limits on general data retention no longer appear immutable.

Link to the original article: https://habr.com/ru/articles/1035586/