A blanket data retention rule was introduced after the Twin Towers’ tragedy and the subsequent attacks in Madrid and London. This was aimed at combating terrorism. Despite much criticism, the European Union (EU) adopted the Data Retention Directive (DRD) in 2006. The DRD has been regarded as the most controversial piece of counter-terrorism legislation and the most privacy-invasive instrument ever adopted. The EU only managed to keep this data retention law in place for less than a decade. The Court of Justice of the European Union (CJEU) in 2014 declared it invalid. As a result, several courts in the EU had declared invalid their national legislations. The UK Government also reacted and redesigned its data retention law which, however, seems to have gone a step further. The Data Retention and Investigatory Powers Act (DRIPA) was enacted in 2014. This article examines ’the slow death’ of the DRD and the short-lived DRIPA. We argue that the UK Government should have learned the lessons from the CJEU decision on the DRD in 2014. More importantly, the CJEU’s 2016 decision striking down DRIPA is a caution and guidance to all EU Member States.