Germany's Federal Ministry of Justice circulated a draft bill in December 2025 that would require all internet service providers (ISPs) to retain user IP addresses for a minimum of three months. Proposed under Chancellor Friedrich Merz's CDU/CSU-SPD coalition government, the legislation is aimed at strengthening digital crime investigations — but has drawn sharp criticism from the internet industry and privacy advocates alike.
What Does the Draft Bill Propose?
Under the proposed law, telecommunications companies and ISPs operating in Germany would be legally required to log and store connection data — specifically IP addresses and connection timestamps — for a period of 90 days. The bill is explicitly targeted at combating organised cybercrime and is more narrowly scoped than earlier attempts at blanket data retention that were previously struck down by the European Court of Justice (ECJ).
Industry and Civil Society Push Back
In February 2026, eco — Germany's leading internet industry association — publicly condemned the proposal, arguing that it violates ECJ rulings on mass data retention and undermines Germany's position as a digital business hub. Civil society organisations across Europe echoed these concerns, warning that even targeted metadata retention sets a dangerous precedent.
The Impact on Everyday Internet Users
If passed, the law would require your ISP to record and store the IP address linked to your internet connection for 90 days. While the stated intent is narrow — cybercrime investigations — stored IP addresses can be cross-referenced with browsing activity through other legal channels. For privacy-conscious users, this is a clear argument for masking their real IP address using a VPN.
Germany has historically been considered a strong advocate for digital privacy within the EU, so this proposal has attracted particular attention. The outcome of the Bundestag vote is expected to set a precedent for similar legislation across Europe.
Why This Matters Beyond Germany
As the EU's largest economy, Germany's legislative decisions often influence other member states. If this bill passes, it could embolden other governments to push through similar IP retention laws — gradually eroding the privacy protections guaranteed under GDPR across the bloc.
