Germany is reopening one of Europe’s most sensitive digital policy debates: how far should governments be allowed to go in storing connection data before a crime has even been committed by a specific suspect?
The German cabinet has approved a proposal that would require internet access providers to store IP address assignments for three months. The government presents the measure as a targeted tool against online crime, terrorism and child abuse material, arguing that investigators often fail to identify suspects when IP data is no longer available. The plan does not cover communication content or location profiles, but it would require providers to preserve the link between users and IP addresses for later access by authorities under defined conditions.
The controversy is not new. Germany has repeatedly struggled to introduce data retention rules that survive constitutional and European legal scrutiny. This time, the government is focusing more narrowly on IP addresses, partly because recent EU case law has left more room for the retention of IP-related identity data than for broader traffic and location data. The Court of Justice of the European Union ruled in 2024 that general retention of IP addresses can be permissible under strict conditions, particularly when the data is stored separately and cannot be used to build detailed profiles of individuals.
But the European picture remains fragmented. France has long maintained broad connection-data retention obligations, with electronic communications providers required to retain certain connection data for up to one year. Spain also operates with a 12-month retention model, with possible adjustments between six months and two years depending on the legal framework and authorization. Italy has historically required 12 months for internet metadata and longer periods for other communications categories. By contrast, the Netherlands currently lacks a general national data retention obligation after earlier rules were suspended following EU case law.
This makes Germany’s three-month model look moderate compared with some European neighbours, but still highly controversial domestically. The internet industry association eco warns that three months of mandatory IP and port-number storage could create legal and operational risks, especially in modern network environments where persistent connections and carrier-grade NAT can make technical implementation more complex.
For Darkgate, the strategic issue is bigger than one German law. IP addresses have become a battlefield between law enforcement, privacy, telecom infrastructure and cybercrime response. Investigators need attribution. Providers face cost and complexity. Citizens fear permanent suspicion. And attackers increasingly use VPNs, proxies, compromised infrastructure and anonymization layers that may reduce the practical value of domestic IP retention.
The real question is therefore not whether IP data can help investigations. It often can. The harder question is whether Europe can build a system that is technically useful, legally durable and trusted by the public. Germany is now testing exactly that line.


