EU’s pushing for backdoors in VPNs to allow for law enforcement access — this is bad

When it comes to privacy, the EU is often hailed as a leader that sets an example for the rest of the world. With the enactment of the landmark GDPR privacy legislation in 2018, which is considered a standard for the protection of personal data, the praise is not entirely misplaced.

However, in recent years, various groups within the EU have been proposing initiatives that threaten to undermine another fundamental digital right that is closely intertwined with the protection of personal data — the right to privacy. Until recently, the biggest threat was the so-called ‘chat control’ proposal, which could have led to end-to-end encrypted messaging apps being forced to scan all the photos, videos, and URLs you share with others. That proposal has not gone anywhere (yet) after facing pushback from countries concerned about its potential far-reaching implications for people’s privacy.

VPNs as a ‘key challenge’ to law enforcement

This time, the threat stems from a newly-published report by the High-Level Group (HLG). The group was tasked with “exploring any challenges” that law enforcement in the EU face in connection to “access to data and potential solutions to overcome that” in June 2023. In March 2025, the group published a final version of its report, in which it names VPNs one of the key challenges the law enforcement is met with in doing their work.

Encrypted devices and apps, new communications operators, Virtual Private Networks (VPNs), etc. are designed to protect the privacy of legitimate users. But they also provide criminals with effective means to hide their identities, market their criminal products and services, channel payments and conceal their activities and communications, effectively avoiding detection, investigation and prosecution.

This marks the first time that VPNs have been explicitly identified as a challenge to law enforcement operations by the EU. The designation is concerning, as perceiving something as a challenge implies a desire to overcome it, right?

To be fair, throughout the report, the group mentions that the need for access to the information should be balanced out with privacy rights and security. The report then cites “some law enforcement experts” that “indicated” that in certain cases, encryption technology has been designed in a way that balances both security and the need for scanning of content.

However, we don’t see it that way. While the authors of the report try to tread carefully and talk about finding a compromise between privacy and law enforcement access, the truth is these two things just can’t coexist. Giving law enforcement access only weakens encryption and privacy, which are crucial for keeping people’s data safe.

With the EU Commission introducing a new initiative called ProtectEU — a revamped Internal Security Strategy for Europe — there’s growing concern that digital rights may be sidelined in favor of stronger law enforcement powers. One of the core elements of this strategy is about equipping law enforcement with “the right tools to be effective,” which specifically includes “lawful access to data.” Digging into the details, the Commission mentions plans to develop a roadmap on encryption and conduct an impact assessment with a view to updating the EU’s data retention rules. While it all sounds fairly neutral, we have good reason to believe this is just carefully worded language paving the way for mandated backdoors into encryption.

There’s no middle ground in this debate

The European Union’s recent focus on VPN services, alongside end-to-end encrypted messaging apps, highlights an important issue: the push for greater data access comes at the expense of personal freedoms. While it’s understandable that law enforcement needs tools to investigate crime, there is no middle ground in this debate and a critical choice must be made. You either choose security and anonymity, or agree to build in mechanisms that allow for collecting user data. And once you enable that collection, you step onto a slippery slope, risking the erosion of privacy rights for millions of innocent people.

The HLG has placed VPN services in the crosshairs of this debate, categorizing them as a “key challenge” to investigations. VPNs anonymize users’ online activities by masking their IP addresses, making it more difficult for authorities to gather metadata that could help identify suspects. This is seen as an obstacle to investigations, especially when you consider that metadata—information such as who is communicating, when, and where — can be just as valuable as the content itself. What is especially concerning is that the recommendations in the report suggest that all services will be required to retain and provide metadata to law enforcement under the threat of sanctions.

Many VPN services, especially those adhering to a no-logs policy, are built to prioritize user anonymity and data security. It means that unless some crucial changes are made into their design, they are unable to provide the information the law enforcement is asking for. And it’s not even because they don’t want to, it is also because they can't as in they don’t have it. A legal framework that forces VPNs to retain user metadata — potentially for a prolonged period — could make such services untenable, leading to the withdrawal of VPN providers from the EU. This wouldn't be a first; something similar occurred in India in 2022 when a law required VPN providers to retain extensive user data, including names, for long periods, sparking an exodus of VPNs from the country.

We can also recall the case of Telegram, which came under significant pressure after French authorities arrested the platform’s founder, Pavel Durov. Telegram, once a stronghold of privacy, began handing over more user data — such as IP addresses and phone numbers — afterwards.

If the EU requests VPNs to collect and share data, it will be driving privacy-focused services away and weakening the digital rights of individuals. The questions are: Is it truly worth compromising the privacy of tens of millions for the sake of (potentially) catching a few criminals? Is this level of surveillance truly necessary? It’s our belief that we must not lose sight of the bigger picture — preserving privacy in a digital world.