In the wake of terrorist attacks on EU soil, EU Member States negotiated the Data Retention Directive (Directive 2006/24/EC) to provide law enforcement authorities with a useful tool to prevent and repress serious crime, including terrorism. The implementation exercise has turned out to be complex and coupled with several controversial national judgements concerning the instrument’s failure to comply with the rights to privacy and protection of personal data. Invalidating the Directive, the 2014 Court of Justice of the European Union (CJEU) ruling in Digital Rights Ireland, requires both national and EU policymakers to rethink the entire data retention framework. This article seeks to identify factors that are likely to influence negotiations on this framework. It does so by first providing an overview of the development of data retention provisions within the EU and then exploring the impact of the CJEU ruling on national provisions in selected EU Member States. Taking into account the interplay with other files under discussion where security concerns and fundamental rights are to be balanced, further potential developments at the EU level are subsequently eventually assessed with a view that harmonisation could be a desirable policy option.