The blanket data retention regime envisaged by the draft Framework Decision and now reflected in Member State laws represent a significant violation of the privacy rights of every user of European-based communications services. Even the obligations imposed under the Council of Europe Convention on Cybercrime do not go so far in constraining the right of an individual to privacy. These obligations limit data retention to those cases where there is a real reason to suspect relevance to national security or a criminal investigation. This approach would not only avoid the needless violation of privacy rights on a massive scale, it would also be more consistent with the EU’s traditional concern for data protection. The vigorous opposition to mandatory data retention from such diverse groups as data protection officials, civil liberties groups and industry, is a powerful indication of the practical difficulties with blanket data retention requirements. The indiscriminate nature of mandatory data retention offends basic principles of the rule of law and democratic governance, and is contrary to established notions of privacy and human rights found in the European Convention on Human Rights.