Retention of communications metadata—information about Internet and mobile phone usage—is a controversial area, and not just with digital rights and privacy groups. In April last year, the Court of Justice of the European Union (CJEU), ruled that the EU's data retention directive, which sought to allow for a retention period of at least six months, was "invalid," and could not be applied in its present form (PDF). That was because the court found it represented a "particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data", and that the required data retention was not "limited to what is strictly necessary."

Surprisingly, the EU Commissioner responsible has announced that no new version of the directive would be proposed. However, that does not mean that data retention is now dead in the EU. Individual countries are still able to bring in local laws requiring metadata retention by ISPs and telecoms companies, provided they are consistent with the CJEU ruling. Many aren't. Courts have struck down national data retention laws in Austria, Bulgaria, the Netherlands and Romania. Other cases are pending—for example, in France, and in the UK, where the Data Retention and Investigatory Powers Act (DRIPA) is facing a legal challenge.

One country with a particularly fraught relationship to data retention is Germany, thanks to its history in the 20th century that saw both the Nazis and East Germany's Stasi causing great damage to the fabric of society through the use of spies and surveillance. The German government has been trying to bring in data retention requirements for a while, but a previous law introducing it was rejected by the country's constitutional court in 2010, even before the CJEU ruling, and largely on the same grounds. The German government has been working on a replacement, and Euractiv is reporting that the leading German digital rights blog netzpolitik.org has obtained a draft copy of the proposed data retention bill, due to be presented to the German parliament in the near future.

There are some significant changes from the earlier version, which required metadata to be retained for six months. The draft bill reduces that to ten weeks for telephone and Internet data, and four weeks for a mobile phone's geolocation data. One of the most interesting changes is that unlike the old law, which allowed metadata to be stored anywhere in the EU, the draft bill requires the information to remain within Germany. That may well be in part as a result of Snowden's revelations of massive US and UK spying on Germany, which has provoked a particularly strong reaction among the German public.

The localisation requirement will be a concern to US officials. They have been trying to move the EU in the opposite direction by getting it to agree to allow the free flow of Europeans' personal data across the Atlantic, for example as part of the Transatlantic Trade and Investment Partnership agreement. The US fear will be that other European nations might follow Germany's example, or that localised storage could even form part of the EU's data protection directive, currently being drawn up, and subject to massive lobbying from US Internet companies seeking to prevent precisely this outcome.