The present contribution aims to critically reflect on the future direction of data retention at the EU and the national levels by discussing the lessons arising from two seminal Court of Justice of the EU (CJEU) decisions: Privacy International and Quadrature du Net. The article addresses four main themes: (1) the broad reach of EU data privacy law, (2) the detailed typology of permissible data retention models and the conditions applicable to these, (3) the evolving interaction between the CJEU and the European Court of Human Rights (ECtHR) in cases of bulk surveillance, and (4) the relevant legislative developments regarding data retention enshrined in the proposed ePrivacy Regulation. It advances four main lines of criticism. The first concerns the Court’s reasoning regarding the expansive scope of application of EU data protection law that – while anticipated – appears unconvincing. The second regards the shortcomings and weaknesses in the CJEU’s analysis laying down a taxonomy of permissible data retention systems. The third line of criticism is broader and concerns the progressive re-legitimisation of bulk as well as other surveillance models that seems to be the path undertaken by both the CJEU and ECtHR. Finally, we criticize the ways the EU legislature is trying to ‘circumvent’ the CJEU’s data retention rulings.